DDOS Attacks: Suppressing & Blocking
1. See what's going on
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
2. Install DDOS Deflate
Our good friends over at medialayer wrote a script called DDOS Deflate which monitors the output generated by the above netstat command. It will temporarily block IP addresses with 'too many' connections, as defined in your configuration file.
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
3. Configure DDOS Deflate to use IPtables, not APF
In our case, we don't use the script's APF Firewall option, since IPtables comes standard with our operating system of choice, CentOS 5. IPtables works at the OS level and is powerful enough for the job, so that's our weapon of choice.
nano /usr/local/ddos/ddos.conf
Change: APF_BAN=1
To: APF_BAN=0
Change: EMAIL_TO="root"
To: EMAIL_TO="you@yourdomain.com"
4. Continually monitor the action
Using the command from step 1, keep an eye on things and see that DDOS Deflate is doing its job. Also run the uptime command to watch server load averages. We'd normally run the top command, but if your server is having load issues, top will only add more CPU usage to your problem.
5. If the problem worsens
It's probably time to order a hardware appliance from your data center, like a Cisco Guard. Use it in conjunction with DDOS Deflate. That way you hit the attacker on two levels: the first line of defense is your hardware appliance, the second is DDOS Deflate.
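To show what steps 1 and 3 amount to, here is an added example (not DDOS Deflate's own code) that runs the step-1 counting pipeline over a constructed `netstat -ntu` sample, picks out addresses above a threshold, and prints the iptables DROP rule that would be applied for each one without touching the firewall. The sample output and the exact rule shape are assumptions; the page does not show the script's own iptables command.

```shell
#!/bin/sh
# Added example: count connections per remote IP from netstat-style output,
# list addresses over a threshold, and print (not apply) an iptables ban rule.

# Constructed sample of `netstat -ntu` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:2222        ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.7:5353       ESTABLISHED'

# count_by_ip: read netstat output on stdin and print "count ip" per remote
# address, lowest count first. Same pipeline as step 1, except that the two
# header lines are skipped so "Foreign" and "servers)" are not counted as IPs.
# Note: cut -d: -f1 only makes sense for IPv4 addresses.
count_by_ip() {
    awk 'NR > 2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
}

# over_threshold LIMIT: print remote IPs with strictly more than LIMIT
# connections, one per line (the 'too many' check from the config file).
over_threshold() {
    count_by_ip | awk -v limit="$1" '$1 > limit {print $2}'
}

# ban_rules LIMIT: print an iptables rule per offender (what APF_BAN=0 mode
# would hand to iptables). Assumed rule shape; nothing here is executed.
ban_rules() {
    over_threshold "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone run on the constructed sample with a threshold of 3 connections.
printf '%s\n' "$SAMPLE_NETSTAT" | ban_rules 3
```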