ddos-deflate's People

Contributors: alexeysa, gloomy-ghost, jgmdev, k-faktor, lfse-slafleur, mean-cj, nardol, nuxy, picklesrein, safly, sunshare, woozymasta


ddos-deflate's Issues

IPv4 bans being added to IPv6 (ipt)

Lately it seems like ddos-deflate has been adding IPv4 bans with ::ffff: into the ip6tables list and doesn't block anything.

Edit 1:
Even though I say "lately" it's just because I updated ddos-deflate the other day from master git.
Also oh... I probably should mention I'm currently running Debian GNU/Linux 9.11 (stretch)

ddos.log example:
(Replaced real IP with 0's)
[2019-10-30 10:44:30] banned ::ffff:0.0.0.0 with 453 connections for ban period 3600
[2019-10-30 10:46:07] banned ::ffff:0.0.0.0 with 450 connections for ban period 3600
[2019-10-30 10:46:09] banned ::ffff:0.0.0.0 with 453 connections for ban period 3600

ip6tables -nvL INPUT --line-numbers
Chain INPUT (policy DROP 11 packets, 880 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all * * ::ffff:0.0.0.0 ::/0
2 0 0 DROP all * * ::ffff:0.0.0.0 ::/0
3 0 0 DROP all * * ::ffff:0.0.0.0 ::/0

Edit 2:
Tried reinstalling version 1.3 instead of git master. Will inform later on findings.

Max amount of connections per subnet for a defined amount of simultaneous clients.

The idea would be to add the functionality to block a subnet with simultaneous connections into the server when exceeding a maximum allowed number of connections per subnet, which gets activated when the number of clients on the same subnet reaches a defined amount.

For example, let's say the following IP addresses belonging to the same block/subnet have opened connections to your server:

Conn.      IP
------------------------
80         1.1.1.1
85         1.1.1.2
99         1.1.1.3
30         1.1.1.4

So the sum of total connections would be 294 for 4 clients that belong to the same subnet. Now let's assume we have these new rules: MAX_SUBNET_CONNS=250 for MAX_SUB_CLIENTS=3

This would mean allowing a maximum of 250 connections for a whole subnet when 3 or more clients from the same subnet are connected. The example given above would result in blocking all the subnet IP addresses; this way it may be more possible to stop attacks coming from someone controlling equipment behind the same address space.

Ideas, suggestions and point of views are welcome :)
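As an added illustration of the proposed rule (example code written for this page, not part of ddos-deflate), the following Python counts connections per peer from constructed `ss -Hntu` output lines, reading the same sixth field the script's `awk '{print $6}'` pipeline uses, unwraps IPv4-mapped peers, then aggregates the per-IP counts per subnet and applies MAX_SUBNET_CONNS/MAX_SUB_CLIENTS. The /24 subnet size, the sample lines and the function names are assumptions; the proposal's own table is embedded as PROPOSAL_TABLE.

```python
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed sample of `ss -Hntu` output (fields: Netid State Recv-Q Send-Q
# Local Peer). The peer is the sixth field, which is what the project's
# `ss -Hntu | awk '{print $6}'` pipeline extracts. Documentation addresses only.
SAMPLE_SS_OUTPUT = """\
tcp ESTAB 0 0 198.51.100.1:443 1.1.1.1:50001
tcp ESTAB 0 0 198.51.100.1:443 1.1.1.1:50002
tcp ESTAB 0 0 [::ffff:198.51.100.1]:443 [::ffff:1.1.1.2]:40001
tcp ESTAB 0 0 198.51.100.1:443 203.0.113.9:31337
udp ESTAB 0 0 198.51.100.1:53 1.1.1.1:5353
"""

# The per-IP counts from the table in the proposal above.
PROPOSAL_TABLE = {"1.1.1.1": 80, "1.1.1.2": 85, "1.1.1.3": 99, "1.1.1.4": 30}


def peer_host(peer: str) -> str:
    """Strip the port (and ss's brackets) from a peer field and unwrap an
    IPv4-mapped IPv6 peer (::ffff:a.b.c.d) to the plain IPv4 string."""
    host = peer.rsplit(":", 1)[0].strip("[]")
    addr = ipaddress.ip_address(host)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def count_per_ip(ss_output: str) -> Dict[str, int]:
    """Equivalent of `awk '{print $6}' | sort | uniq -c`, keyed by address."""
    counts: Counter = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        try:
            counts[peer_host(fields[5])] += 1
        except ValueError:
            continue  # e.g. an unconnected "*:*" peer; not a remote client
    return dict(counts)


def subnet_bans(counts: Dict[str, int], max_subnet_conns: int = 250,
                max_sub_clients: int = 3, prefix: int = 24) -> List[str]:
    """Return the subnets to block under the proposed rule: at least
    max_sub_clients distinct peers in the subnet AND more than
    max_subnet_conns connections in total. /24 for IPv4 (and /64 for IPv6)
    is an assumed subnet size; the proposal leaves it open."""
    per_subnet: Dict[str, List[int]] = {}  # "net/len" -> [clients, total]
    for ip, n in counts.items():
        addr = ipaddress.ip_address(ip)
        plen = prefix if addr.version == 4 else 64
        net = str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
        clients, total = per_subnet.get(net, [0, 0])
        per_subnet[net] = [clients + 1, total + n]
    return sorted(net for net, (clients, total) in per_subnet.items()
                  if clients >= max_sub_clients and total > max_subnet_conns)


if __name__ == "__main__":
    print(count_per_ip(SAMPLE_SS_OUTPUT))
    print(subnet_bans(PROPOSAL_TABLE))  # ['1.1.1.0/24']
```

With the proposal's numbers (4 clients, 294 connections) the /24 is returned; two clients totalling 350 are not, because the subnet rule only engages once MAX_SUB_CLIENTS is reached, leaving such cases to the existing per-IP threshold.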

IPs within ignored ranges still banned

Hi,
I have added all the CloudFlare IPs to my ignore list, but IPs within that range are still getting banned.
Example: 108.162.192.0/18 ignored, yet 108.162.229.32 still banned.
I'm not sure if IP Range compatibility was intended, but I think it would be very useful.
Thanks.

ss version shipped with Debian 8 and 9 may also be too old.

We're seeing a similar issue with Debian 8 and 9. What is the minimum version of ss that ddos requires?


It seems the ss version shipped with that CentOS version is too old. In order to fix this I would need to add some option to force netstat usage if the ss version is old....

You can also try a more recent version of centos.

Originally posted by @jgmdev in #54 (comment)

Whitelisted IP's getting banned

Hello.
I've whitelisted my IP, restarted the daemon and I am still getting banned after reaching the connection limit. "ddos --i" shows my IP as whitelisted so it should work. System is Debian 6, running as daemon.

Greetings.

about loopback interfaces

Is it normal? Should I exclude the 127.0.0.1 and ::1 addresses from the netstat analysis?
For example, I'm not using IPv6 and this is strange:

Banned the following ip addresses on Sun Apr 3 06:25:40 EEST 2016

::1 with 252 connections

help for dns server

Guys,

I have a problem here. Could I ask you for some help or at least detailed advice?
I am running a pihole server on a VPS. On the same VPS a DNS server called
unbound is installed.

In fact only port 53 is open; the port where unbound directly listens to queries
is closed from outside. Only 127.0.0.1 (pihole server) can send queries there.

Now, for 3 days I have been the victim of a massive attack. 60000 queries.....
The funny part: only 0.1 % of the queries are filtered by pihole, as if someone has access to
unbound directly, which as far as my knowledge goes is impossible.

I installed your app in the hope of blocking this DDoS or dynamic DDoS attacks, but it doesn't work.
The app seems to be running on the server, but doesn't block port 53.

When I do: ddos --view-port 53
I get: 1 118.24.147.252:63498

so I can see someone Chinese from Qinzhou, somewhere left of Hong Kong, with IP 118.24.147.252
is attacking me, but the app doesn't block him on port 53...
(Or at least his VPN provider has a server there.)

Is there anything I can do to focus on port 53?
I am a beginner and student in this stuff, and I know I took a risk in deploying a DNS server.
But from mistakes you learn, no?

Thanks for any help.


UPDATE:

When I do:
ddos --view-port 53

He changes his IP address every time....
1 118.24.147.252:43401
root@user:/etc/ddos# ddos --cron
Warning: this feature is deprecated and ddos-deflate should be run on daemon mode instead.
root@user:/etc/ddos# ddos --start
ddos daemon is already running...

Can I manually add banned IPs?


there is something I really do not understand here.....
When I bypass the program and do a hard:

iptables -I INPUT -s 118.24.147.252 -j DROP

to block at least that ip address, and afterwards I do a
ddos --view-port 53,

the response is:

1 118.24.147.252:8550
1 118.24.147.252:13183

So, I block it and they still manage to get queries???? Am I missing something here?
Can Chinese admins bypass iptables firewalls?

oh, before you ask for it, I forgot to add this:

root@user:/etc/ddos# ddos --start
ddos daemon is already running...

/lib/lsb/init-functions on CentOS 6 (or more ?)

Hi,
I found a bug. When I try to launch the cron, a message appears with:
/etc/init.d/ddos: line 25: /lib/lsb/init-functions: file or directory not found

A post (http://unix.stackexchange.com/questions/9314/no-such-file-or-directory-etc-init-d-functions) advises installing the package "redhat-lsb" with yum, but it wants to install 65 additional packages...

I continue my research.

Thank you for this "fork", I love this tool! I have been using it for 3 years now! 😄

False bans for not supporting ipv6

[2017-10-12 17:40:50] banned 2001:xxxx:2:xxx: with 155 connections for ban period 600
[2017-10-12 17:51:24] unbanned banned 2001:xxxx:2:xxx:
[2017-10-12 19:26:34] banned banned 2001:xxxx:2:xxx: with 174 connections for ban period 600
[2017-10-12 19:37:28] unbanned banned 2001:xxxx:2:xxx:
[2017-10-12 20:14:05] banned 2banned 2001:xxxx:2:xxx: with 154 connections for ban period 600
[2017-10-12 20:24:13] unbanned banned 2001:xxxx:2:xxx:

Temporary solution: add my IPv6 addresses to the ignore.ip.list file

When will you have support for ipv6? Thanks!

view ip

hello
this script has a problem showing IPs
for example if I use ddos -v this is displayed
::ffff:xxx.xxx.xxx.xxx
and after blocking in csf I see this
::ffff:

this script can't block the real IP

thank you
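The ::ffff: reports above ("IPv4 bans being added to IPv6", "False bans for not supporting ipv6" and this "view ip" report) come from ss showing IPv4 clients of a dual-stack listener as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d); a DROP rule for such an address belongs in iptables, not ip6tables. The "about loopback interfaces" report is the daemon counting the host's own ::1 traffic. The following Python is an added example for this page, not ddos-deflate's code: it normalises ss peer fields, refuses loopback, and picks the firewall table from the address family, returning the commands rather than running them. The function names and the sample peers are assumptions.

```python
import ipaddress
from typing import List, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def peer_to_address(peer: str) -> Address:
    """Parse an ss peer field that carries a port: "203.0.113.7:443",
    "[::ffff:203.0.113.7]:443" (iproute2 with brackets),
    "::ffff:203.0.113.7:443" (older iproute2 without brackets) or
    "[2001:db8::1]:80". An IPv4-mapped IPv6 peer (an IPv4 client on a
    dual-stack listener) is unwrapped to its IPv4 address."""
    host = peer.rsplit(":", 1)[0].strip("[]")
    addr = ipaddress.ip_address(host)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def firewall_table(addr: Address) -> str:
    """ip6tables matches only native IPv6 traffic; an IPv4 client that shows
    up as ::ffff:a.b.c.d must be dropped with iptables, otherwise the rule
    lands in the wrong table and never matches (the 0-packet ip6tables
    entries in the report above)."""
    return "iptables" if addr.version == 4 else "ip6tables"


def ban_rule(addr: Address) -> List[str]:
    """argv for the DROP rule; returned rather than executed."""
    return [firewall_table(addr), "-I", "INPUT", "-s", str(addr), "-j", "DROP"]


def should_skip(addr: Address) -> bool:
    """Never ban loopback: connections from 127.0.0.1 or ::1 are the host's
    own services talking to each other."""
    return addr.is_loopback


def plan_bans(peers: List[str]) -> List[List[str]]:
    """Turn raw ss peer fields into the firewall commands to run,
    one per distinct address, skipping loopback."""
    seen = set()
    rules = []
    for peer in peers:
        addr = peer_to_address(peer)
        if addr in seen or should_skip(addr):
            continue
        seen.add(addr)
        rules.append(ban_rule(addr))
    return rules


if __name__ == "__main__":
    # Constructed peers (documentation addresses), not a real capture.
    sample = ["[::ffff:203.0.113.7]:443", "::ffff:203.0.113.7:8080",
              "[2001:db8::1]:80", "[::1]:631", "127.0.0.1:53"]
    for rule in plan_bans(sample):
        print(" ".join(rule))
```

The port is always split off with a single rsplit on the last colon, which is what makes the bracket-less old iproute2 form unambiguous; parsing a bare address without its port would not be.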

Problem with Deflate on Ubuntu 14

Hey there,

I'm not sure if this is an issue of DDoS Deflate or just incompatibility with the old Ubuntu 14 (server), but I get this error while using ddos.sh:
ss: invalid option -- 'H'

Any idea about how to solve?

Cheers

How to add ip familia to ignore.ip.list

Hi,

I'm wondering how to add an IP family to ignore.ip.list.

Like
123,225,567,34
123,225,567,35
123,225,567,36
and more IPs that a service has. I don't know all the IPs; for this, can I add them as a family to ignore.ip.list like "123,225.*"? Is that possible?

There is no output of ddos -v

My version is CentOS Linux release 7.6.1810 (Core)

There is no output with these commands :

ddos -v -4
ddos -v4
ddos -v 4
ddos -v[4|6]
ddos -v[4]

Not working on Debian

I can't get it running on Debian

  1. systemctl start ddos
    -bash: systemctl: command not found

  2. sudo /usr/local/ddos/ddos.sh -c
    Warning: this feature is deprecated and ddos-deflate should be run on daemon mode instead.

  3. service ddos restart
    ddos: unrecognized service

  4. /etc/init.d/ddos restart
    -bash: /etc/init.d/ddos: No such file or directory

How to record connections details of the IP that is getting blocked?

Hello,

when an IP is blocked I am sent an e-mail by the ddos.sh where I add links to services like:

https://www.abuseipdb.com/check/54.172.1.44
http://blacklist.myip.ms/54.172.1.44
https://censys.io/ipv4/54.172.1.44/whois
https://cymon.io/54.172.1.44

Discover accessed domain: /bin/sh /scripts/ip2logfile 54.172.1.44

This way I can see details or abuse reports for this IP and I can manually execute my ip2logfile script to check various log files for this IP and see what that IP was doing. But I do not include this script's output in the mailfile, nor netstat details, so as not to put high load on the server when it is "attacked" by bad IPs.

Is it a good idea, or do you suggest any commands that can tell me as many details about the attacking IP as possible?

I tried:

echo "First 100 netstat entries:\n"
netstat -ntu | tr -d \r|grep "$CURR_LINE_IP"|head -n 100 >> "$BANNED_IP_MAIL"

and a few other ways, but it never appears in the e-mail. Or do you suggest another way to discover/record as much data about the IP as possible?

fix for ubuntu with xen network bridge with aliases.

the script couldn't get all the IP addresses of the server interfaces when running xen dom0.
ifconfig does not show aliases for the bridge interface xenbr0 so the server blocks its own IPs.

I changed the line

SERVER_IP_LIST=$(ifconfig | grep "inet " | awk '{print $2}' | sed "s/addr://g" | xargs | sed -e 's/ /|/g')

to
SERVER_IP_LIST=$( ( hostname -I ; echo 127.0.0.1 ) | cat | sed ':a;N;$!ba;s/\n/ /g' | sed 's/[[:space:]]\{1,\}/|/g' | sed s'/.$//' )

Now everything works as expected.

Keep up the good work.

nftables support

On Debian Buster, nftables is the default instead of iptables.
NFTables is becoming more widely used.
Implementing it in DDOSDeflate would allow using it more reliably on Debian Buster, for example, and for users who now use NFTables.

Implemented IPv6 needs testing

IPv6 was implemented by using ss to properly display connections and ip6tables to block excessive connections. Still it hasn't been implemented for block_incoming only and needs testing.

Any testing appreciated.

centos7.4 yum no package grepcidr available.

@jgmdev hello, I use a CentOS 7.4 system and installed this script, but it does not work. I found my system has no “grepcidr”, so I wanted to install “grepcidr” with the command "yum install grepcidr", but it shows the error: "No package grepcidr available."
So I want to know how to solve it. Where can I download your grepcidr and install it? Thanks.

Syntax Error

Syntax Error:

# ddos
/usr/local/ddos/ddos.sh: line 325: syntax error near unexpected token `('
/usr/local/ddos/ddos.sh: line 325: `        grepcidr "$IGNORE_IP" <(echo "$CURR_LINE_IP") >/dev/null && continue || IP_BAN_NOW=1'

The correction was:

# vim /usr/local/ddos/ddos.sh +325
------------------------------------------------------------------------------
FROM:
grepcidr "$IGNORE_IP" <(echo "$CURR_LINE_IP") >/dev/null && continue || IP_BAN_NOW=1

TO:
grepcidr "$IGNORE_IP" < $(echo "$CURR_LINE_IP") >/dev/null && continue || IP_BAN_NOW=1

Port range white list

Hello,

We use this on a web server and it is working well, but we also have proftpd in passive mode with (PassivePorts 49152 65535) and if we transfer many files proftpd creates many connections and the IP gets banned.
Please add a port-range white list.

there is no "-H" option for RedHat EL6

I need to run the following command to create a list of IP addresses connected to the server, along with their total number of connections.
ss -Hntu | awk '{print $6}' | sort | uniq -c | sort -nr

We receive the following error:

ss: invalid option -- 'H'
Usage: ss [ OPTIONS ]
       ss [ OPTIONS ] [ FILTER ]
   -h, --help           this message
   -V, --version        output version information
   -n, --numeric        don't resolve service names
   -r, --resolve       resolve host names
   -a, --all            display all sockets
   -l, --listening      display listening sockets
   -o, --options       show timer information
   -e, --extended      show detailed socket information
   -m, --memory        show socket memory usage
   -p, --processes      show process using socket
   -i, --info           show internal TCP information
   -s, --summary        show socket usage summary

   -4, --ipv4          display only IP version 4 sockets
   -6, --ipv6          display only IP version 6 sockets
   -0, --packet display PACKET sockets
   -t, --tcp            display only TCP sockets
   -u, --udp            display only UDP sockets
   -d, --dccp           display only DCCP sockets
   -w, --raw            display only RAW sockets
   -x, --unix           display only Unix domain sockets
   -f, --family=FAMILY display sockets of type FAMILY

   -A, --query=QUERY, --socket=QUERY
       QUERY := {all|inet|tcp|udp|raw|unix|packet|netlink}[,QUERY]

   -D, --diag=FILE      Dump raw information about TCP sockets to FILE
   -F, --filter=FILE   read filter information from FILE
       FILTER := [ state TCP-STATE ] [ EXPRESSION ]

Is there a known workaround?

System support list after upgrading this version

Can this updated version be based on CentOS 7.x or higher only? My system is CentOS 6.3 x64; running ss -Hntu | awk '{print $6}' | sort | uniq -c | sort -nr gives ss: invalid option -- 'H'

Can the ddos-deflate script prevent banning good Cloudflare IPs (are there such IPs)?

Hello, I used a different version of ddos-deflate and it blocked Cloudflare's IPs.

I see this version has some Cloudflare feature, but I do not know if it would be effective.

Many of the hosted sites are using Cloudflare. This is Apache + Cachewall which utilizes Varnish cache + cloudflare_module.

The next thing I want to ask is whether it is correct for the Cloudflare IPs to be blocked (that blocked IP showed roughly 3 hundred connections).

I tried to add the CF IP ranges in CIDR format into the ignore list, but that did not work for the script to match the IPs to the subnet: Amet13/ddos-deflate#4

$CONF not found.

After installing everything successfully, the ddos command returns the following error: $CONF not found.
Everything that the ddos command returns:

/usr/local/ddos/ddos.sh: 25: [: /etc/ddos/ddos.conf: unexpected operator
DDoS-Deflate version 0.9
Copyright (C) 2005, Zaf <[email protected]>

$CONF not found.

Running on Ubuntu 16.10 x32 with ddos-deflate v0.9
Notes:

  • Previously did not have any problem installing and running ddos-deflate
  • I've reinstalled multiple times with no success

/etc/cron.d/ddos is created with strange code

cat /etc/cron.d/ddos

0-59/1 ChangeLog config install.sh LICENSE Makefile man README.md src uninstall.sh ChangeLog config install.sh LICENSE Makefile man README.md src uninstall.sh ChangeLog config install.sh LICENSE Makefile man README.md src uninstall.sh ChangeLog config install.sh LICENSE Makefile man README.md src uninstall.sh root /usr/local/sbin/ddos -k >/dev/null 2>&1

I can't view the IP with ddos -v[4|6]

Hello! I recently installed the "ddos" script on a new machine, but using the command ddos -v the help command list appears again.

https://snag.gy/Yw0j8t.jpg

I tried the below options without success:

ddos -v -4
ddos -v4
ddos -v 4
ddos -v[4|6]
ddos -v[4]

My OS is: CentOS release 6.9.

Thank you

Cloudflare support

hi jgmdev,

I installed this on CentOS 7 and when I tried to simulate a ddos on my server/site, ddos -v lists the various Cloudflare IPs as the attacker, and the connection count ranges from ~1 to ~100, effectively not blocking anything below the threshold.

Can you help how can this be fixed? The bulk of attack is from Cloudflare IP itself

High CPU usage with bandwidth_control

BANDWIDTH_CONTROL has too high CPU usage to be usable: constant >10% (DAEMON_FREQ is set to 10 seconds)

I suspect something is wrong, because iftop wasn't installed, though last release says "Added iftop as new dependency". I installed it but nothing changed.

With BANDWIDTH_CONTROL=false cpu is not used, so it is bandwidth monitoring problem.

Just reporting. Probably needs some checking before using it. Maybe some broken loop is going on here because of DAEMON_FREQ=0?
A command like "ddos -v4" for bandwidth_control would be great, so we can know whether it works at all.

Subnet support

Hello,

I have to whitelist Cloudflare's IPs on ddos-deflate, otherwise they get banned.

But all the IPs are in this form : 103.21.244.0/22 and the script is not compatible with that :(
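The ignore-list reports above ("IPs within ignored ranges still banned", where 108.162.229.32 sits inside an ignored 108.162.192.0/18, the "IP family" question, the Cloudflare CIDR question and this subnet support report) all come down to matching a peer address against networks instead of comparing strings. The following Python is an added example for this page, not ddos-deflate's code (the script itself delegates this to grepcidr, as the "Syntax Error" report shows): it parses an ignore list of single hosts, CIDR ranges and, as an extension beyond what the page describes, a trailing-`*` wildcard shorthand, then checks an address against it, unwrapping ::ffff: peers so IPv4 entries still match them. The `#` comment syntax, the wildcard form, the sample list and the function names are assumptions.

```python
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed ignore.ip.list (assumed format: one entry per line, '#' comments).
# The /18 range and the host checked below are the ones from the
# "IPs within ignored ranges still banned" report.
SAMPLE_IGNORE_LIST = """\
# Cloudflare range from the report
108.162.192.0/18
# a single host
192.0.2.10
# wildcard shorthand (added here as an extension, not a documented format)
198.51.*
2001:db8::/32
"""


def parse_entry(entry: str) -> Network:
    """Turn one ignore-list entry into a network: a bare host becomes a
    /32 or /128, CIDR is taken as is, and "a.b.*" expands to a.b.0.0/16."""
    entry = entry.strip()
    if entry.endswith(".*"):
        octets = entry[:-2].split(".")
        if not 1 <= len(octets) <= 3 or not all(o.isdigit() for o in octets):
            raise ValueError(f"bad wildcard entry: {entry}")
        prefix = 8 * len(octets)
        entry = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{prefix}"
    # strict=False tolerates host bits set in a range such as 10.1.2.3/24
    return ipaddress.ip_network(entry, strict=False)


def load_ignore_list(text: str) -> List[Network]:
    """Parse the whole file, skipping blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(parse_entry(line))
    return nets


def is_ignored(ip: str, nets: List[Network]) -> bool:
    """True when ip falls inside any ignored network. An IPv4-mapped IPv6
    address (::ffff:a.b.c.d, as ss prints IPv4 clients on a dual-stack
    listener) is compared as the IPv4 address it carries."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in nets)


def filter_ban_candidates(ips: List[str], nets: List[Network]) -> List[str]:
    """Drop every candidate covered by the ignore list before banning."""
    return [ip for ip in ips if not is_ignored(ip, nets)]


if __name__ == "__main__":
    nets = load_ignore_list(SAMPLE_IGNORE_LIST)
    print(is_ignored("108.162.229.32", nets))  # True
    print(filter_ban_candidates(["108.162.229.32", "203.0.113.9"], nets))
```

Membership is checked on parsed addresses, so 108.162.229.32 matches 108.162.192.0/18 (third octet 192..255) while 108.162.128.1 does not; a substring or exact-string comparison of the list lines would get both wrong.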

Can't update scripts

Hello,
I uninstalled an older version of your script (0.7), then installed the new one (latest 0.8), but it shows an error:

error: Required dependency 'tcpkill' is missing.

I'm using EasyEngine on Ubuntu 14.04.3 LTS
Thank you,

//Fixed: Install dsniff package
I think you should auto install Dsniff for ubuntu/debian user.
