Setting up DDOS Deflate to protect against SYN attacks

[Virtual servers]
Date of publication: 27.01.2023

One of the most common attacks is the SYN flood: the attacker sends a very large number of connection requests to a web server, leaving many half-open connections that exhaust the server and result in a denial of service if the attacking IP addresses are not blocked in time. This guide covers installation and configuration on CentOS 7. The original program is located at https://github.com/jgmdev/ddos-deflate.

1. Download and install ddos-deflate

wget https://github.com/jgmdev/ddos-deflate/archive/master.zip -O ddos.zip
unzip ddos.zip
cd ddos-deflate-master
./install.sh

2. Setup

The installer creates the following configuration files:

/etc/ddos/ignore.host.list
/etc/ddos/ignore.ip.list
/etc/ddos/ddos.conf

In ignore.ip.list, enter the IP addresses assigned to the server itself so that they are never banned. Then adjust the settings in the configuration file to your own values:

/etc/ddos/ddos.conf

NO_OF_CONNECTIONS=390
ONLY_INCOMING=false
ENABLE_PORTS=false
EMAIL_TO="user@domain.tld"
BAN_PERIOD=5400

Note that NO_OF_CONNECTIONS=390 must be lower than the connection limit you set in the firewall, otherwise the firewall will block connections before ddos-deflate can count them. Enter your email address in EMAIL_TO and start the service:

service ddos start

Check that the service is running with the command:

ps aux | grep ddos

We also recommend adding it to cron so that it is restarted if the service stops:

*/5 * * * * nice -n -5 /usr/local/ddos/ddos.sh -d >> /dev/null 2>&1

If the service hangs, we recommend adding the following command to your load monitoring script:

service ddos restart

3. Using the CLI

ddos [OPTIONS] [N]

OPTIONS

-h | --help:

Shows the help window.

-c | --cron:

Add the script to cron (by default it runs every minute).

-i | --ignore-list:

Show the IP whitelist.

-b | --bans-list:

Show currently blocked addresses.

-u | --unban:

Unblock a specific IP address.

-d | --start:

Run as a service in the background.

-s | --stop:

Stop the service.

-t | --status:

Show the status of the service and its pid if running.

-v[4|6] | --view [4|6]:

Show active connections.

-y[4|6] | --view-port [4|6]:

Show active connections including port.

-k | --kill:

Block all IP addresses that have more than N connections.
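The check behind NO_OF_CONNECTIONS and the -k option, as an added dry-run example that is not ddos-deflate's own code: it counts connections per remote IP from netstat-style output, skips the addresses in the ignore list, and reports the IPs that exceed the threshold. The netstat sample and the ignore list are constructed; names such as offenders and count_per_ip are this example's own.

```shell
#!/bin/sh
# Added example, not ddos-deflate's own code: a dry-run reimplementation of the
# check ddos.sh performs on every run -- count connections per remote IP, skip
# addresses from ignore.ip.list, and flag those above NO_OF_CONNECTIONS.
# Input is a constructed netstat-style sample so the script runs offline.

# Constructed sample in "netstat -ntu" layout (Proto Recv-Q Send-Q Local Foreign State).
SAMPLE_CONNS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80        198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80        198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80        198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80        198.51.100.7:51237      SYN_RECV
tcp        0      0 203.0.113.10:443       10.0.0.5:40001          ESTABLISHED
tcp        0      0 203.0.113.10:443       10.0.0.5:40002          ESTABLISHED
tcp        0      0 203.0.113.10:443       10.0.0.5:40003          ESTABLISHED
tcp        0      0 203.0.113.10:443       10.0.0.5:40004          ESTABLISHED
tcp        0      0 203.0.113.10:443       10.0.0.5:40005          ESTABLISHED
tcp        0      0 203.0.113.10:22        192.0.2.44:60010        ESTABLISHED
tcp6       0      0 2001:db8::10:80        2001:db8::44:60011      ESTABLISHED'

# Constructed stand-in for /etc/ddos/ignore.ip.list: one address per line.
SAMPLE_IGNORE='10.0.0.5'

# Read netstat output on stdin; print "count ip", busiest first.
# Field 5 is the foreign address "ip:port"; only the trailing :port is
# stripped, so IPv6 addresses keep their other colon groups intact.
count_per_ip() {
    awk '$1 ~ /^(tcp|udp)/ { sub(/:[0-9]+$/, "", $5); c[$5]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Usage: offenders NO_OF_CONNECTIONS IGNORE_LIST < netstat-output
# Prints "ip count" for every non-whitelisted IP with more than NO_OF_CONNECTIONS.
offenders() {
    threshold=$1
    ignore=$2
    count_per_ip | while read -r n ip; do
        [ "$n" -gt "$threshold" ] || continue
        printf '%s\n' "$ignore" | grep -qxF "$ip" && continue
        echo "$ip $n"
    done
}

# Dry run on the sample with NO_OF_CONNECTIONS=3: 10.0.0.5 is skipped despite
# its 5 connections; 198.51.100.7 is what ddos.sh would hand to the firewall
# for BAN_PERIOD seconds.
printf '%s\n' "$SAMPLE_CONNS" | offenders 3 "$SAMPLE_IGNORE"
```

Run it against live data with `netstat -ntu | offenders 390 "$(cat /etc/ddos/ignore.ip.list)"` to see which addresses the real service would ban at the value set above.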
