Tips: This article was created on 29 April 2016, more than 2 years ago; its content or images may no longer be valid!


GitHub fork

# Connection count per IP. Note that cut -d: -f1 keeps only the text before the first ':', so IPv6 peers are mangled, and netstat's two header lines are counted as if they were peers.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
-> c1 ~/git/ddos-deflate git:(master) ☺ ls  
ChangeLog  config  LICENSE  Makefile  man  src  
-> c1 ~/git/ddos-deflate git:(master) ☺ ./   
-> c1 ~/git/ddos-deflate git:(master) ☺ vim /etc/ddos/ddos.conf  
# Paths of the script and other files
IGNORE_IP_LIST="ignore.ip.list"     # IP address whitelist
CRON="/etc/cron.d/ddos"      # cron job that runs the check periodically
# Make sure your APF version is at least 0.96
# frequency in minutes for running the script as a cron job
# Caution: Every time this setting is changed, run the script with --cron
#          option so that the new frequency takes effect
FREQ=1  # check interval; the default is 1 minute
# frequency in seconds when running as a daemon
# How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150   # maximum number of connections; an IP exceeding it is blocked. The default is usually fine
# The firewall to use for blocking/unblocking, valid values are:
# auto, apf, csf and iptables
# An email is sent to the following address when an IP is banned.
# Blank would suppress sending of mails
# Number of seconds the banned ip should remain in blacklist.
# Connection states to block. See: man netstat
# The explanation on GitHub is very complete
The installer automatically detects whether your system supports init.d scripts, systemd services or cron jobs. If one of them is found, it installs the appropriate files and starts the ddos script. With init.d and systemd the ddos script is started as a daemon whose monitoring interval is 5 seconds by default. The daemon detects attacks much faster than the cron job, since cron jobs are capped at 1-minute intervals.
Once you have (D)DoS Deflate installed, modify the config files to fit your needs.
In the host-name whitelist file you can add a list of host names to be whitelisted; in ignore.ip.list (the IGNORE_IP_LIST setting above) you can add a list of IP addresses to be whitelisted.
The behaviour of the ddos script is controlled by the ddos.conf configuration file. For more details see man ddos, which documents the different configuration options.
After you modify the config files you will need to restart the daemon. If running on systemd:
systemctl restart ddos
If running as a classic init.d script:
/etc/init.d/ddos restart
service ddos restart
When running the script as a cron job no restart is required.

CLI Usage

ddos [OPTIONS] [N]

N : number of tcp/udp connections (default 150)


  • -h | --help: Show the help screen.
  • -c | --cron: Create a cron job to run the script regularly (default: every 1 minute).
  • -i | --ignore-list: List whitelisted ip addresses.
  • -b | --bans-list: List currently banned ip addresses.
  • -d | --start: Initialize a daemon to monitor connections.
  • -s | --stop: Stop the daemon.
  • -t | --status: Show status of daemon and pid if currently running.
  • -v | --view: Display active connections to the server.
  • -k | --kill: Block all ip addresses making more than N connections.
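The check behind NO_OF_CONNECTIONS, IGNORE_IP_LIST, CONN_STATES and the -k/--kill option, as an added example that is not ddos-deflate's own code: a stand-alone POSIX shell script that counts connections per remote IP from netstat-style input, drops whitelisted addresses and prints the firewall rules it would add. The netstat sample and the whitelist are constructed for this example. Assumed, not stated on the page: ignore.ip.list holds one IP per line with '#' comments allowed, it lives in /etc/ddos/ next to ddos.conf, and the firewall backend is iptables adding a plain DROP rule. Nothing here changes the firewall; ban_commands only prints.

```shell
#!/bin/sh
# Added example, not ddos-deflate's own code: the decision that the ddos
# cron job, daemon and `ddos -k` make, written as a stand-alone POSIX shell
# script so the NO_OF_CONNECTIONS threshold, the ignore.ip.list whitelist
# and the CONN_STATES filter can be tried offline against sample data.
# Assumed (not stated on the page): ignore.ip.list holds one IP per line,
# '#' comments allowed; the firewall backend is iptables with a DROP rule.
export LC_ALL=C   # byte-wise sort, so output order is the same everywhere

# Constructed sample of `netstat -ntu` output. The two header lines and an
# unconnected UDP socket are included on purpose: the real command prints
# them too, and the one-liner at the top of the page counts them as peers.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       TIME_WAIT
tcp        0      0 10.0.0.5:22             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:33000        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:33001        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:33002        ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8::55:43210      ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8::55:43211      ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8::55:43212      ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Constructed whitelist in the format assumed for /etc/ddos/ignore.ip.list.
SAMPLE_WHITELIST='# monitoring host, never ban
192.0.2.44'

# peer_ips [STATE_REGEX]: print one remote IP per connection read on stdin.
# Only tcp/udp rows count (headers are skipped); the port is removed by
# deleting the trailing ':NNN', which also works for IPv6 peers where
# `cut -d: -f1` would not. Rows whose peer port is '*' (unconnected UDP)
# are ignored. With a non-empty STATE_REGEX only rows in those states are
# counted, which is what CONN_STATES does.
peer_ips() {
    awk -v states="$1" '
        $1 !~ /^(tcp|udp)6?$/ { next }
        $5 ~ /:\*$/ { next }
        states != "" && $6 !~ states { next }
        { ip = $5; sub(/:[0-9]+$/, "", ip); print ip }
    '
}

# count_connections: turn the IP stream into "count ip" lines.
count_connections() {
    sort | uniq -c | awk '{ print $1, $2 }'
}

# offenders MAX WHITELIST: from "count ip" lines on stdin, print the IPs
# with more than MAX connections that do not appear in WHITELIST (the text
# of ignore.ip.list; blank lines and '#' comments are skipped).
offenders() {
    awk -v max="$1" -v wl="$2" '
        BEGIN {
            n = split(wl, lines, "\n")
            for (i = 1; i <= n; i++) {
                l = lines[i]; sub(/#.*/, "", l); gsub(/[ \t\r]/, "", l)
                if (l != "") ignore[l] = 1
            }
        }
        ($1 + 0) > (max + 0) && !($2 in ignore) { print $2 }
    '
}

# ban_commands: the rule the assumed iptables backend adds per banned IP,
# printed rather than executed (pipe into sh only once you trust the list).
ban_commands() {
    while read -r ip; do
        case $ip in
            *:*) printf 'ip6tables -I INPUT -s %s -j DROP\n' "$ip" ;;
            *)   printf 'iptables -I INPUT -s %s -j DROP\n' "$ip" ;;
        esac
    done
}

# scan MAX [STATE_REGEX]: the whole pipeline over the sample data. On a live
# host the same pipeline reads the real sources instead:
#   netstat -ntu | peer_ips "$CONN_STATES" | count_connections \
#     | offenders "$NO_OF_CONNECTIONS" "$(cat /etc/ddos/ignore.ip.list)"
scan() {
    printf '%s\n' "$SAMPLE_NETSTAT" | peer_ips "$2" \
        | count_connections | offenders "$1" "$SAMPLE_WHITELIST"
}

# Stand-alone run: the sample has far fewer than 150 connections, so use a
# threshold of 2. Expect 203.0.113.7 and 2001:db8::55 but not the
# whitelisted 192.0.2.44; with the ESTABLISHED filter 203.0.113.7 drops out,
# because only 2 of its 4 connections are established.
scan 2 '' | ban_commands
scan 2 'ESTABLISHED' | ban_commands
```

The state filter is the part worth trying with your own CONN_STATES value: a SYN flood shows up as many SYN_RECV rows from one source, so a filter that lists only ESTABLISHED would never ban it, while counting every state (the empty filter above) also counts TIME_WAIT leftovers from a busy but legitimate client.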