DDoS??????

DDoS????

DDoS?????????????"?????????"????????"??"????????????????????????????????????????????????????????????DDoS??????????????????????????????

DDoS????

CC???

????????IP?????????

???????netstat -na???ESTABLISHED?????

SYN???

?????SYN_RECEIVED???

???????netstat -na???SYN_RECEIVED?????

UDP???

???????????????

????????????

TCP????

?????ESTABLISHED???

???????netstat -na???ESTABLISHED?????

???DDoS?????

???CPU??????

????????

?????????????????

??ping??IP?

DDoS????

1. ??sysctl??

TCP???

sysctl -w net.ipv4.tcp_max_syn_backlog=8000sysctl -w net.ipv4.tcp_synack_retries=3sysctl -w net.ipv4.tcp_syn_cookies=1

ICMP???

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

2. ??iptables??DDoS?CC??

SYN?????

iptables -N syn-floodiptables -A INPUT -p tcp --syn -j syn-floodiptables -I syn-flood -p tcp -m limit --limit 12/s --limit-burst 24 -j RETURNiptables -A syn-flood -j REJECT

TCP?????

iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

CC?????

iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 25 -j REJECTiptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECTiptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT

3. ??DDoS deflate??

DDoS deflate??????????????????IP????????

wget http://www.inetbase.com/scripts/ddos/install.shchmod 0700 install.sh./install.sh

?????????????????????????IP?

4. ??????safedog???

??????????DDoS??????????

setenforce 0wget http://safedog.cn/safedogwz_linux_Nginx64.tar.gztar -zvxf safedogwz_linux_Nginx64.tar.gz./install.py -A

NTP????????

?????

??NTP???ntpd 4.2.7p26??????2.??monlist?????

ntpdc -c rvntpdc -c sysinfontpdc -n -c monlist

??ntpd.conf??????????

restrict default kod nomodify notrap nopeer noquery

??Shell????

??????????DDoS??IP?

#!/bin/bash# ddos_check.sh??INFO_FILE=/tmp/ddos_check.log# ?????netstat -lant | awk -F "[ :]+" '/:80/{clsn[$6]++}END{for(pol in clsn) print pol,clsn[pol]}' > $INFO_FILE# ????IPawk '{ hotel[$1]++ } END { for(pol in hotel) print pol,hotel[pol] }' access.log | sort -nk2 -r > $INFO_FILEwhile read line do  IP=${line%[[:space:]}  echo "$IP kill at $(date)"  iptables -I INPUT -s $IP -j DROPdone < $INFO_FILE

Nginx?DDoS????

?nginx.conf????????

http {    limit_req_zone $binary_remote_addr zone=blog:10m rate=10r/s;    limit_conn_zone $binary_remote_addr zone=addr:10m;    location / {        limit_conn addr 7;        limit_req zone=blog burst=7 nodelay;    }}

???????????????DDoS???