1. Using the ab tool to simulate a DDoS attack
Note: ab is a load-testing (stress-testing) tool
Install ab: yum install -y httpd-tools
Syntax: ab -n <total number of requests> -c <number of concurrent clients> <site URL>
2. Ways to detect a DDoS attack:
Method 1: use a one-liner that counts the connections per remote IP to check whether an attack is under way
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Method 2: in an IDC data center, the administrator's monitoring will notify you
Method 3: cloud hosts have automatic monitoring and alerting; if the attack is not dealt with, the provider blocks the host
3. Using DDoS Deflate to defend against DDoS attacks
1) Download the install script: wget http://www.inetbase.com/scripts/ddos/install.sh
Script contents:
#!/bin/sh
if [ -d '/usr/local/ddos' ]; then
echo; echo; echo "Please un-install the previous version first"
exit 0
else
mkdir /usr/local/ddos
fi
clear
echo; echo 'Installing DOS-Deflate 0.6'; echo
echo; echo -n 'Downloading source files...'
wget -q -O /usr/local/ddos/ddos.conf http://www.inetbase.com/scripts/ddos/ddos.conf
echo -n '.'
wget -q -O /usr/local/ddos/LICENSE http://www.inetbase.com/scripts/ddos/LICENSE
echo -n '.'
wget -q -O /usr/local/ddos/ignore.ip.list http://www.inetbase.com/scripts/ddos/ignore.ip.list
echo -n '.'
wget -q -O /usr/local/ddos/ddos.sh http://www.inetbase.com/scripts/ddos/ddos.sh
chmod 0755 /usr/local/ddos/ddos.sh
cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos
echo '...done'
echo; echo -n 'Creating cron to run script every minute.....(Default setting)'
/usr/local/ddos/ddos.sh --cron > /dev/null 2>&1
echo '.....done'
echo; echo 'Installation has completed.'
echo 'Config file is at /usr/local/ddos/ddos.conf'
echo 'Please send in your comments and/or suggestions to zaf@vsnl.com'
echo
cat /usr/local/ddos/LICENSE | less
2) Grant execute permission: chmod 700 install.sh
3) Run the installer: ./install.sh
Note: what gets downloaded and installed can be seen in the install.sh file
4. Inspect the installed directory
It contains the configuration file (ddos.conf), the shell script (ddos.sh), the ignored-IP (whitelist) file (ignore.ip.list), and the LICENSE file
Note: the configuration file also references a cron job file: /etc/cron.d/ddos.cron
Note: this job runs once a minute, prints nothing, and does not show up in crontab -l either!
5. Edit the configuration file
vim /usr/local/ddos/ddos.conf
Configuration file contents:
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150
##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=0
##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600
Find: APF_BAN=1
Change it to: APF_BAN=0
Notes:
FREQ=1 # detection interval; the unit is minutes, because the system uses crontab and a minute is the smallest unit it supports
NO_OF_CONNECTIONS=150 # maximum number of connections per IP; anything above this is blocked; the default is fine
APF_BAN # defaults to 1, which means use APF; 0 means use iptables
EMAIL_TO="" # address to notify when an IP is banned
BAN_PERIOD=600 # the IP stays blocked for 600 seconds
6. Hands-on test
Note: the cron job runs the script once a minute; by default, if a single IP makes more than 150 connections to the server within one minute, it is treated as a DDoS attack and that IP is blocked automatically with iptables (wait one minute to see the result)
Note: to avoid having your own IP banned during the test, set up a cron job that clears the iptables rules
Environment:
Local machine's public IP: 218.18.XXX.244
Public server website: http://60.205.XXX.190/forum.php
Test:
ab -n 1000 -c 10 http://60.205.XXX.190/forum.php
Result:
The local machine's public IP was blocked and the SSH session dropped; after 10 minutes the iptables rule was cleared
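The detection step described in section 6, as an added dry-run example (not DDoS-Deflate's own ddos.sh): it applies the netstat pipeline from section 2 to constructed netstat output, honours an ignore list like ignore.ip.list, and reports the IPs that exceed NO_OF_CONNECTIONS instead of calling iptables. The sample output, the whitelist and the threshold of 3 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of DDoS-Deflate): a dry run of the check that the
# tool runs from cron. It counts connections per remote IP, skips IPs on the
# ignore list, and prints the offenders instead of banning them (like KILL=0).

NO_OF_CONNECTIONS=3          # constructed threshold; the real default is 150

# Constructed sample in the format of `netstat -ntu` (two header lines + rows).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51003       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51004       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:44001      TIME_WAIT
tcp        0      0 10.0.0.5:22             192.0.2.10:60001        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:60002        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:60003        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:60004        ESTABLISHED'

# Constructed whitelist, one IP per line. The administrator's own address
# belongs here; section 6 shows what happens when it is missing (SSH lockout).
IGNORE_LIST='192.0.2.10'

# count_connections: netstat output on stdin -> "count ip" lines, ascending.
# Only rows whose 5th field contains ':' are counted, which drops the headers.
count_connections() {
    awk '$5 ~ /:/ {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
}

# offending_ips: prints the IPs above the threshold that are not whitelisted.
offending_ips() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_connections |
    while read -r count ip; do
        [ "$count" -gt "$NO_OF_CONNECTIONS" ] || continue
        printf '%s\n' "$IGNORE_LIST" | grep -qxF "$ip" && continue
        echo "$ip"
    done
}

# With KILL=1 the real script would insert an iptables DROP rule for each
# offender and remove it again after BAN_PERIOD seconds. Here we only report.
for ip in $(offending_ips); do
    echo "would ban $ip (more than $NO_OF_CONNECTIONS connections)"
done
```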
7. Uninstalling DDoS Deflate
1) Download the uninstall script: wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
2) Grant execute permission: chmod 700 uninstall.ddos
3) Run the uninstaller: ./uninstall.ddos
Contents of uninstall.ddos:
#!/bin/sh
echo; echo "Uninstalling DOS-Deflate"
echo; echo; echo -n "Deleting script files....."
if [ -e '/usr/local/sbin/ddos' ]; then
rm -f /usr/local/sbin/ddos
echo -n ".."
fi
if [ -d '/usr/local/ddos' ]; then
rm -rf /usr/local/ddos
echo -n ".."
fi
echo "done"
echo; echo -n "Deleting cron job....."
if [ -e '/etc/cron.d/ddos.cron' ]; then
rm -f /etc/cron.d/ddos.cron
echo -n ".."
fi
echo "done"
echo; echo "Uninstall Complete"; echo