Developing a script to defend against DDoS attacks

Posted Wiki of Richard_Liang


2018-05-04

Requirement: based on the web log (or on the number of network connections), monitor each IP's concurrent connections or short-term page views. When an IP reaches 100, call a firewall command to block that IP. The check runs every 3 minutes. The firewall command is: iptables -I INPUT -s 10.0.1.10 -j DROP.

1. Prepare a test web log

access_2018-03-19.log

2. Extract the client IPs and count how many times each appears

[root@<host> ~]# awk '{print $1}' access_2018-03-19.log | sort | uniq -c | sort -rn -k1
     94 172.15.12.33
     58 172.15.12.24
      5 172.16.1.7

sort options used above:
  -n, --numeric-sort       compare according to string numerical value
  -r, --reverse            reverse the result of comparisons
  -k, --key=POS1[,POS2]    start a key at POS1 (origin 1), end it at POS2


3. Write the script

[root@<host> iptablestest]# vim ban_IP.sh

#!/bin/bash
##########################################################################
# File Name: ban_IP.sh
# Version: V1.0
# Author: Richard Liang
# Organization: richard
# Created Time: 2018-05-04 15:48:52
# Description: count requests per client IP in a web log and block
#              (filter) or unblock (recover) IPs with iptables
##########################################################################

[ -f /etc/init.d/functions ] && . /etc/init.d/functions
IP_file="/root/iptablestest/access_2018-05-04.log"
result_file="/root/iptablestest/result.txt"
filtered_log="/root/iptablestest/ip_filtered.txt"
threshold=25                                  # requests per IP that trigger a block
IP_filter_command="iptables -I INPUT -j DROP -s"
IP_recover_command="iptables -D INPUT -j DROP -s"

##### IP check: count requests per client IP, most frequent first #####
function IP_check(){
    awk '{print $1}' "$IP_file" | sort | uniq -c | sort -rn -k1 > "$result_file"
}

##### number of existing iptables rules that mention this exact IP #####
function IP_rule_count(){
    iptables -L -n | grep -cwF "$1"
}

##### block suspicious IPs #####
function IP_filter(){
    while read -r IP_count IP
    do
        IP_fil=$(IP_rule_count "$IP")
        # block only if over the threshold and not already blocked
        if [ "$IP_count" -gt "$threshold" ] && [ "$IP_fil" -eq 0 ]; then
            ${IP_filter_command} "$IP"
            echo "$IP" >> "$filtered_log"
            action "Filter $IP" /bin/true
        fi
    done < "$result_file"
}

##### unblock IPs that have dropped back to or under the threshold #####
function IP_recover(){
    while read -r IP_count IP
    do
        IP_fil=$(IP_rule_count "$IP")
        # unblock only if at or under the threshold and exactly one rule exists
        if [ "$IP_count" -le "$threshold" ] && [ "$IP_fil" -eq 1 ]; then
            ${IP_recover_command} "$IP"
            echo "$IP" >> "$filtered_log"
            action "Recover $IP" /bin/true
        fi
    done < "$result_file"
}

function main(){
    case "$1" in
      filter)
        IP_check
        echo "$(date +%F-%H:%M:%S) filtered by $(whoami)" >> "$filtered_log"
        IP_filter
        ;;
      recover)
        IP_check
        echo "$(date +%F-%H:%M:%S) recovered by $(whoami)" >> "$filtered_log"
        IP_recover
        ;;
      *)
        echo "USAGE: $0 {filter|recover}"
        exit 1
        ;;
    esac
}
main "$@"
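The script above counts every line in the log, so an IP that once crossed the threshold stays over it for as long as its old lines remain in the file, even though the requirement talks about a short-time page-view count. The following is an added example, not the original script and not Richard Liang's code: it keeps the counting pipeline from step 2 but only counts lines whose timestamp is at or after a cutoff, and it builds the block command from step 3 in a dry-run mode that prints rather than executes, using iptables -C to test for an existing rule instead of grepping iptables -L output. The sample log lines are constructed for this example, and the cutoff, threshold and function names are assumptions.

```shell
#!/bin/bash
# Added example: per-IP request counts restricted to a time window, then the
# block command for IPs over a threshold.  Sample data below is constructed.

# Constructed sample log in combined format (field 1 = client IP, field 4 =
# "[dd/Mon/yyyy:HH:MM:SS").  One request from .33 is older than the window.
SAMPLE_LOG=$(cat <<'EOF'
172.15.12.33 - - [04/May/2018:15:40:01 +0800] "GET / HTTP/1.1" 200 612
172.15.12.33 - - [04/May/2018:15:49:02 +0800] "GET / HTTP/1.1" 200 612
172.15.12.33 - - [04/May/2018:15:49:03 +0800] "GET / HTTP/1.1" 200 612
172.15.12.24 - - [04/May/2018:15:49:04 +0800] "GET /a HTTP/1.1" 200 10
172.16.1.7 - - [04/May/2018:15:49:05 +0800] "GET /b HTTP/1.1" 200 10
172.15.12.33 - - [04/May/2018:15:49:06 +0800] "GET / HTTP/1.1" 200 612
EOF
)

# Read a log on stdin and print "count ip" for every client IP whose requests
# have a timestamp at or after $1 (a key like "2018-05-04 15:47:00"), most
# active first.  The log timestamp is rewritten into the same sortable key
# form so the two can be compared as strings inside awk.
count_ips_since() {
    awk -v cutoff="$1" '
    {
        split(substr($4, 2), d, "[/:]")      # d: day mon year hh mm ss
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", d[2]) + 2) / 3
        key = sprintf("%s-%02d-%s %s:%s:%s", d[3], m, d[1], d[4], d[5], d[6])
        if (key >= cutoff) count[$1]++
    }
    END { for (ip in count) print count[ip], ip }
    ' | sort -rn -k1
}

# From "count ip" lines on stdin, print the IPs whose count exceeds $1.
over_threshold() {
    awk -v t="$1" '$1 > t {print $2}'
}

# Block one IP.  In dry-run mode (the default) the command is printed so the
# example runs without root or iptables; with "execute" it is run for real,
# and `iptables -C` first checks whether an identical rule already exists.
ban_ip() {
    local ip=$1 mode=${2:-dry-run}
    if [ "$mode" = execute ]; then
        iptables -C INPUT -s "$ip" -j DROP 2>/dev/null || iptables -I INPUT -s "$ip" -j DROP
    else
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    fi
}

# Usage: a 3-minute window ending 15:50:00, block anything with more than
# 2 requests in that window (a low threshold chosen for the sample data).
main() {
    printf '%s\n' "$SAMPLE_LOG" | count_ips_since "2018-05-04 15:47:00" \
        | over_threshold 2 | while read -r ip; do ban_ip "$ip"; done
}
main
```

In production the cutoff would come from GNU date (for example `date -d '3 minutes ago' '+%F %T'`), the threshold would be the 100 from the requirement, and `ban_ip "$ip" execute` would replace the dry run. Note that the recover step of the original script only unblocks IPs that still appear in the log; an IP whose lines have been rotated away is never recovered by it, which the window-based count does not change.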

4. Test

[root@<host> iptablestest]# sh ban_IP.sh filter

Open a new terminal window, run watch iptables -nL, and watch the rules change.

Edit the web log so the request counts of the IPs drop, then test again:

sh ban_IP.sh recover

View the log:

[root@<host> iptablestest]# cat /root/iptablestest/ip_filtered.txt
2018-05-04-16:59:18 filtered by root
172.15.12.33
172.15.12.24
2018-05-04-17:00:23 recovered by root
172.15.12.33

Scheduled task

Add the script to crontab so that sh ban_IP.sh filter runs every 3 minutes.

Unblock at 12:00 noon the next day with sh ban_IP.sh recover.
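The two crontab entries that the schedule above describes, as an added example that is not part of the original post. The script location, the log redirection and the PATH line are assumptions: cron runs jobs with a minimal default PATH that usually omits /sbin and /usr/sbin, where iptables lives, so without the PATH line the script runs but every iptables call fails.

```crontab
# Constructed example crontab; ban_IP.sh is assumed to live in /root/iptablestest
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# every 3 minutes: count IPs in the log and block those over the threshold
*/3 * * * * /bin/bash /root/iptablestest/ban_IP.sh filter >> /root/iptablestest/cron.log 2>&1
# 12:00 every day: unblock IPs that have dropped back under the threshold
0 12 * * * /bin/bash /root/iptablestest/ban_IP.sh recover >> /root/iptablestest/cron.log 2>&1
```

Redirecting output to a file (the cron.log path is an assumption) keeps the `action` messages and any iptables errors visible after the fact instead of relying on cron's mail.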
