Anti DDOS script collection thread



kung foo man
17th December 2013, 20:25
At first, the normal firewall script (origin somewhere from icculus mailing list?):

Create file ddos.sh
# chmod +x ddos.sh
# ./ddos.sh



# reset iptables
iptables --flush

# add a host to the banlist and then drop the packet.
iptables -N QUERY-BLOCK
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP

# is this a query packet? if so, block commonly attacked ports outright,
# then see if it's a known attacking IP, then see if it is sending at a high
# rate and should be added to the list of known attacking IPs.
iptables -N QUERY-CHECK
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
iptables -A QUERY-CHECK -p udp --sport 8002 -j DROP
iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP

# is it already blocked? continue blocking it and update the counter so it
# gets blocked for at least another 30 seconds.
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
# check to see if it exceeds our rate threshold,
# and add it to the list if it does.
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 20/second -j QUERY-BLOCK

# look at all the packets going to q3/cod*/et/etc servers
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK


Would like to see the DDOS-check-commands etc.
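
Added example, not part of the original post or the icculus script: a small Python model of the QUERY-CHECK chain that shows why the string match uses offsets 32 to 41 and how the 20/second limit and the 30 second ban interact. The names build_packet, QueryCheck and demo, the sample addresses and the constructed packets are assumptions for illustration; the rate limit is modelled as a fixed one-second counter, not hashlimit's real token bucket, and the IPv4 header is assumed to carry no options.

```python
import struct

BLOCKED_SPORTS = [(0, 1025), (3074, 3074), (7777, 7777), (8002, 8002),
                  (27015, 27100), (25200, 25200), (25565, 25565)]
RATE, BAN_SECONDS = 20, 30  # --hashlimit-above 20/second, --seconds 30

def build_packet(src, sport, payload, dport=27960):
    """Constructed IPv4 (20-byte header, no options) + UDP datagram, checksums 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes([192, 0, 2, 1]))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + udp + payload

class QueryCheck:
    """Simplified model of the QUERY-CHECK chain, evaluated in rule order."""

    def __init__(self):
        self.blocked = {}  # src -> last seen time (the "blocked-hosts" recent list)
        self.window = {}   # src -> (second, packets counted in that second)

    def verdict(self, pkt, now):
        src = ".".join(map(str, pkt[12:16]))
        sport = struct.unpack("!H", pkt[20:22])[0]
        # 20 (IP) + 8 (UDP) + 4 (0xFF prefix) = 32: bytes 32..40 hold the command.
        if pkt[32:41] != b"getstatus":
            return "RETURN"
        if any(lo <= sport <= hi for lo, hi in BLOCKED_SPORTS):
            return "DROP"
        # recent --update: still banned? Refresh the timestamp and keep dropping.
        if src in self.blocked and now - self.blocked[src] <= BAN_SECONDS:
            self.blocked[src] = now
            return "DROP"
        # Stand-in for hashlimit: fixed one-second counter per source address.
        start, count = self.window.get(src, (int(now), 0))
        if int(now) != start:
            start, count = int(now), 0
        self.window[src] = (start, count + 1)
        if count + 1 > RATE:
            self.blocked[src] = now  # QUERY-BLOCK: recent --set, then DROP
            return "DROP"
        return "CONTINUE"  # falls off the end of the chain, back to INPUT

def demo():
    """25 constructed getstatus queries in 0.25 s, then one more 25 s later."""
    fw, q = QueryCheck(), b"\xff\xff\xff\xffgetstatus"
    flood = [fw.verdict(build_packet("198.51.100.7", 40000, q), 10.0 + i / 100)
             for i in range(25)]
    return fw, flood, fw.verdict(build_packet("198.51.100.7", 40000, q), 35.0)
```

Because every dropped packet from a banned source refreshes its timestamp, the ban only ends after that source has been quiet for 30 seconds.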

RobsoN
17th December 2013, 20:29
Very big thanks to you.

P.S: Greets to Yuri ;)

YuriJurek
17th December 2013, 21:46
Thanks, thanks, thanks I know I am great :D

valens
6th February 2017, 19:46
Is there a command for Windows Firewall?

raphael
6th August 2023, 19:22
from icculus mailing list?
yes: http://icculus.org/pipermail/cod/2012-January/015861.html

http://icculus.org/pipermail/cod/2012-March/016004.html looks nice too