-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathddosutil.conf
214 lines (159 loc) · 6.76 KB
/
ddosutil.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
##############################################################
# ddoSutil 1.0 russ@vigeek.net
# Configuration File
##############################################################
##############################################################
# General Settings
##############################################################
## Log file location
LOG_FILE="/var/log/ddosutil.log"
## Enable/Disable verbose (verbose off will limit console output)
VERBOSE="1"
## Chain Method: iptables or ipset
## ipset - recommended for performance, requires ipset installed.
CHAIN_METHOD="iptables"
## Send attacker statistics to vigeek?
## This helps us build our global block list of offending IP addresses.
SEND_STATS="1"
## Which ethernet interfaces should rules be applied to?
## Example: IFACE_LIST="eth0,eth1"
## This would also cover all aliased interfaces i.e ETH0:1
IFACE_LIST="eth0,wlan0"
##############################################################
# Firewall Builder
# We build a simple firewall with basic rules aimed at DDOS
# Under DDOS attack only open critical ports (i.e webserver,ssh)
# This will reserve bandwidth
##############################################################
## Enable/Disable firewall builder
## If disbled, we will append our rules to your existing firewall config.
FW_BUILDER="1"
## Inbound TCP ports, separated by comma, no space.
## Example: TCP_IN="22,80"
TCP_IN="22,80,2282"
## Inbound UDP ports, separated by comma, no space.
UDP_IN=""
## Drop packets in the INVALID state
DROP_INVALID="1"
## Drop fragmented packets.
DROP_FRAGMENTED="1"
## Drop NULL packets.
DROP_NULL="1"
## Drop XMAS packets
DROP_XMAS="1"
## Currently we allow all outbound connections to limit rule processing.
##############################################################
# Connection Limit - Limit the amount of connections per IP
##############################################################
## Enable/disable connection limiting functionality.
CONN_LIMIT="1"
## Which ports to limit? Preferably the port being attacked.
## Example: LIMIT_PORTS="80,8443"
LIMIT_PORTS="80"
## Maximum connections allowed per IP address.
## Set this relatively low if under attack.
CONN_MAX="5"
##############################################################
# SYN Flood Throttling & Protection
##############################################################
## Enable SYN limiting.
SYN_LIMIT="1"
## Limit Burst Rate
## Adjust 1-5 seconds, depending on aggressiveness desired.
SYN_BURST_RATE="3/s"
## Enable SYN cookies.
## Uses SYN cookies to verify that SYN packets are legit.
SYN_COOKIES="1"
# Setting this to 0 will leave default SYN_ACK & SYN_ACK_RETRY values.
SYN_RETRIES="1"
## SynAck Retries. (Linux default is 5)
## Maximum attempts to retransmit SYN,ACK reply to SYN requests.
## Under attack setting to 1-3 is suggested.
SYN_ACK_RETRY="3"
## SYN Retries. (Linux default is 5)
## Maximum attempts to retransmit SYN replies.
SYN_RETRY="3"
##############################################################
# Timeout Reduction & Backlog Queue (useful for SYN attacks).
# Suggested: On (1) - 0 disables.
##############################################################
## This will reduce connection timeouts.
## Decreasing the time a attacking connection sits in queue.
TIMEOUT_REDUCE="1"
## Increase the backlog queue for half open connections.
## To see current value: cat /proc/sys/net/ipv4/tcp_max_syn_backlog
## Default is usually anywhere from 128-1024 (depending on OS/memory)
## Recommended setting during ddos (1GB mem+): 2048-4096
BACKLOG_QUEUE="2048"
## Reuse Time_Wait requests.
## This will resuse connections in time_wait for other requests.
TW_REUSE="1"
## Disable packet retransmission.
DISABLE_RETRANSMIT="0"
##############################################################
# dShield - Blocks networks exhibiting suspicious activity
# Creates chain named: [dshield-list]
##############################################################
DSHIELD_BLOCK="1"
##############################################################
# Abuse.ch - Blocks list of known botnets from Zeus Tracker
# Creates chain named: [zeus-list]
##############################################################
ZEUS_BLOCK="1"
##############################################################
# viGeek.net - We maintain a small list of offender networks
# Creates chain named: [viGeek-list]
##############################################################
VIGEEK_BLOCK="1"
##############################################################
# IANA Reserved IP Range - Block
# Creates chain named: [IANA-list]
##############################################################
## This blocks IANA Reserved IP space, commonly spoofed.
IANA_BLOCK="1"
##############################################################
# Cymru Bogon Block (blocks some bogus IP ranges)
# Creates chain named: [bogon-list]
##############################################################
BOGON_BLOCK="1"
##############################################################
# geoIP - Block entire countries from your server
# Creates a chain for each country named: [country-name]
# Suggested if most of attack originating from single country
##############################################################
## Enable or disable geoIP blocking.
GEOIP_BLOCK="0"
## Country list, separted by comma, no space.
## Blocking large countries or multiple may cause performance issues.
## Example: GEO_LIST="nigeria,south korea"
GEO_LIST=""
##############################################################
# System Hardening - ipv4/sysctl counter ddos measures.
# Suggested: On (1) - 0 disables.
##############################################################
## Enables common sysctl/ipv4 settings to cope with ddos.
DDOSUTIL_HARDEN="1"
## Increase connection handling capacity?
## Increase connectivity backlog/queues, disable for VM's.
DDOSUTIL_UP_QUEUE="1"
##############################################################
# Spoofing Protection - Helps deal with spoofed attacks.
# Suggested: On (1) - 0 disables.
##############################################################
## Enable general anti-spoofing functionality.
SPOOF_PROTECT="1"
##############################################################
# ddoSutil-deflate.pl daemon (ddos-deflate functionality).
# This will spawn deflate daemon after running ddosutil.sh.
# Checks the amount of connections per IP address.
# Blocks connections over the defined threshold.
##############################################################
## Spawn deflate daemon after running ddosutil.sh
DEFLATE_D="1"
## Threshold, maximum connections per IP address
DEFLATE_THRESHOLD="10"
##############################################################
# Connection Killer.
# This will kill the pids associated with blocked IP addresses.
##############################################################
CONN_KILLER="0"