1.DDOS概述
分佈式拒絕服務(DDoS:Distributed Denial of Service)攻擊指藉助於客戶/服務器技術,將多個計算機聯合起來作爲攻擊平臺,對一個或多個目標發動DDoS攻擊,從而成倍地提高拒絕服務攻擊的威力。
2.編寫查看DDOS攻擊的腳本內容
[root@ localhost ~]# vim ddos-test.sh #寫入以下內容
#!/bin/bash
netstat -ntu | awk '{print $5}' | cut -d: -f4 | sort | uniq -c | sort -n
[root@ localhost ~]# chmod +x ddos-test.sh
註釋:
#!/bin/bash
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
截取外網IP和端口 截取外網的IP以:爲分隔符 |排序 | 排除相同的記錄 | 排序並統計
注:這個腳本在不同的機器上執行時,因爲 print $5 取得的結果不一樣,所以需要根據實際情況,改變cut -d: -f1 中fn的值。 如果-f1 不行,就使用f4
cut -d: -f1 #以冒號爲分隔符,取第一列的值。
3.模擬DDOS攻擊
安裝Apache
[root@ localhost ~]# yum -y install httpd
[root@ localhost ~]# systemctl start httpd
[root@ localhost ~]# ab -n 100 -c 10 http://192.168.1.63/index.html #開始攻擊
[root@ localhost ~]# ./ddos-test.sh #查看已經建立的網絡連接數
4.檢測是否有DDOS攻擊
執行:
[root@ localhost ~]# netstat -ntu | awk '{print $5}' | cut -d: -f4 | sort | uniq -c | sort -n
5.如果發現某個IP連接數據上百的鏈接,說明就有DDOS攻擊。安裝DDoS deflate
[root@ localhost ~]# wget http://www.inetbase.com/scripts/ddos/install.sh
下載DDoS deflate,保證可以上網
[root@ localhost ~]# chmod 700 install.sh #添加權限
[root@ localhost ~]# ./install.sh #執行
Installing DOS-Deflate 0.6
Downloading source files.........done
Creating cron to run script every minute.....(Default setting).....done
Installation has completed.
Config file is at /usr/local/ddos/ddos.conf
Please send in your comments and/or suggestions to [email protected]
6.修改配置文件
[root@ localhost ~]# vim /usr/local/ddos/ddos.conf
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150
##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1
改: APF_BAN=1
爲: APF_BAN=0
##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO=[[email protected]](mailto:[email protected]) #當IP被屏蔽時給指定郵箱發送郵件報警,換成自己的郵箱即可
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600 #禁用IP時間,默認600秒,可根據情況調整
用戶可根據給默認配置文件加上的註釋提示內容,修改配置文件。\****
注:安裝後,不需要手動運行任何軟件,因爲有crontab計劃任務,每過一分鐘,會行自動執行一次。檢查是否有不正常的訪問量
7.在另一臺centos7上模擬安裝apache,並啓動DDOS
[root@ localhost ~]# yum -y install httpd
[root@ localhost ~]# systemctl start httpd
[root@ localhost ~]# ab -n 1000 -c 10 http://10.0.0.73/index.html
8.等待一分鐘後,在另一臺虛擬機查看結果,多了一條規則成功
返回ddos主機執行
[root@ localhost ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 10.0.0.74 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
You have mail in /var/spool/mail/root