
Thread: Anti DDOS script collection thread

  1. #1
    Assadministrator kung foo man's Avatar
    Join Date
    Jun 2012
    Location
    trailerpark
    Posts
    2,010
    Thanks
    2,102
    Thanked 1,084 Times in 753 Posts

    Anti DDOS script collection thread

    At first, the normal firewall script (origin somewhere from icculus mailing list?):

    Create file ddos.sh
    # chmod +x ddos.sh
    # ./ddos.sh

    PHP Code:
    # reset iptables
    iptables --flush

    # add a host to the banlist and then drop the packet.
    iptables -N QUERY-BLOCK
    iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP

    # is this a query packet? if so, block commonly attacked ports outright,
    # then see if it's a known attacking IP, then see if it is sending at a high
    # rate and should be added to the list of known attacking IPs.
    iptables -N QUERY-CHECK
    # anything that is not a "getstatus" query goes back to INPUT untouched
    iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
    iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
    iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
    iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
    iptables -A QUERY-CHECK -p udp --sport 8002 -j DROP
    iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
    iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
    iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP

    # is it already blocked? continue blocking it and update the counter so it
    # gets blocked for at least another 30 seconds.
    iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
    # check to see if it exceeds our rate threshold,
    # and add it to the list if it does.
    iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 20/second -j QUERY-BLOCK

    # look at all the packets going to q3/cod*/et/etc servers
    iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK 
    Would like to see the DDOS-check-commands etc.
    timescale 0.01

  2. The Following 6 Users Say Thank You to kung foo man For This Useful Post:

    kubislav23 (6th February 2017),raphael (6th August 2023),RobsoN (17th December 2013),smect@ (18th December 2013),Whiskas (5th February 2017),YuriJurek (17th December 2013)
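The decision order of the QUERY-CHECK and QUERY-BLOCK chains from post #1, as a simplified Python model (an added example, not part of any post in this thread). It assumes a 20-byte IPv4 header without options, so the 4-byte 0xFF prefix of a Quake 3 style query puts "getstatus" at packet byte 32, and it approximates hashlimit's token bucket with a one-second sliding window; `QueryCheck` and `replay` are hypothetical names.

```python
from collections import defaultdict, deque

IP_UDP_HEADER = 28  # assumption: 20-byte IPv4 header (no options) + 8-byte UDP header
BLOCKED_SPORTS = [(0, 1025), (3074, 3074), (7777, 7777), (8002, 8002),
                  (27015, 27100), (25200, 25200), (25565, 25565)]

class QueryCheck:
    """Simplified model of the rule order in QUERY-CHECK / QUERY-BLOCK."""
    def __init__(self, rate=20, ban_seconds=30):
        self.rate, self.ban_seconds = rate, ban_seconds
        self.last_seen = {}               # stands in for the "blocked-hosts" recent list
        self.window = defaultdict(deque)  # per-source timestamps (hashlimit approximation)

    def verdict(self, now, src, sport, payload):
        # Rule 1: no "getstatus" at packet bytes 32..40 -> RETURN, game traffic untouched.
        start = 32 - IP_UDP_HEADER
        if payload[start:start + 9] != b"getstatus":
            return "RETURN"
        # Source-port rules: queries "from" commonly abused ports are dropped outright.
        if any(lo <= sport <= hi for lo, hi in BLOCKED_SPORTS):
            return "DROP"
        # recent --update --seconds 30: a listed host that keeps sending renews its ban.
        seen = self.last_seen.get(src)
        if seen is not None and now - seen <= self.ban_seconds:
            self.last_seen[src] = now
            return "DROP"
        # hashlimit-above 20/second per source IP, modelled as a 1 s sliding window.
        q = self.window[src]
        q.append(now)
        while q and now - q[0] >= 1.0:
            q.popleft()
        if len(q) > self.rate:
            self.last_seen[src] = now     # QUERY-BLOCK: recent --set, then DROP
            return "DROP"
        return "CONTINUE"                 # end of chain: back to INPUT and its policy

def replay(packets):
    """Run (time, src_ip, src_port, udp_payload) tuples through a fresh model."""
    fw = QueryCheck()
    return [fw.verdict(*p) for p in packets]

if __name__ == "__main__":
    query = b"\xff\xff\xff\xffgetstatus"  # constructed sample payload
    flood = [(1 + i * 0.01, "192.0.2.50", 40000, query) for i in range(25)]
    print(replay(flood + [(10.0, "192.0.2.50", 40000, query)]))
```

In the model, a source that stays quiet for more than 30 seconds passes again, while one that keeps sending never leaves the ban list.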

  3. #2
    Private First Class RobsoN's Avatar
    Join Date
    Jan 2013
    Location
    /home/cod2/
    Posts
    230
    Thanks
    119
    Thanked 95 Times in 64 Posts
    Very big thanks to you.

    P.S: Greets to Yuri
    Last edited by RobsoN; 17th December 2013 at 20:34.
    "Don't worry if your code doesn't work correctly - if everything worked, you would not work" ~Mosher's right

  4. #3
    Private First Class YuriJurek's Avatar
    Join Date
    Jun 2013
    Posts
    219
    Thanks
    152
    Thanked 88 Times in 47 Posts
    Thanks, thanks, thanks I know I am great

  5. #4
    Private valens's Avatar
    Join Date
    Dec 2016
    Posts
    29
    Thanks
    14
    Thanked 21 Times in 21 Posts
    Is there a command for Windows Firewall?

  6. #5
    Deleter/Deleted
    Join Date
    Jan 2023
    Posts
    76
    Thanks
    40
    Thanked 9 Times in 9 Posts
    Quote Originally Posted by kung foo man View Post
    from icculus mailing list?
    yes: http://icculus.org/pipermail/cod/201...ry/015861.html

    http://icculus.org/pipermail/cod/2012-March/016004.html looks nice too
    Last edited by raphael; 6th August 2023 at 20:48.
