What is DDoS deflate?
DDoS deflate is a free, lightweight DDoS attack mitigation tool for Linux servers. It works by monitoring network connections, automatically identifying and blocking IP addresses with abnormal connection counts, thereby reducing the impact of DDoS attacks.
How it works: It periodically runs the netstat command to count connections per IP. When an IP's connection count exceeds a preset threshold, it is automatically blocked for a set duration via iptables or APF firewall rules.
How to Check if Your Server is Under DDoS Attack
Run the following command on your server to view connection counts per IP:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Sample Output & Interpretation:
1 180.97.35.21
1 180.97.35.36
1 66.249.79.58
2 117.136.74.158
2 171.214.239.34
3 223.114.118.65
37 106.187.34.20
133 106.187.36.20
157 106.187.35.20
A few to dozens of connections per IP is typically normal traffic. If a single IP holds hundreds or thousands of connections, it is likely DDoS attack traffic. One caveat: a shared NAT gateway, proxy, or CDN edge can legitimately account for many connections from one address, so confirm the source before banning (the whitelist in ignore.ip.list exists for such addresses).
Installing DDoS deflate
Note: The original official source is defunct. Use the maintained GitHub version.
Method 1: Using the GitHub version (Recommended)
git clone https://github.com/jgmdev/ddos-deflate.git
cd ddos-deflate
./install.sh
Method 2: Using the legacy install script (may be outdated)
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
Configuring DDoS deflate
The configuration file is located at: /usr/local/ddos/ddos.conf. Edit it with a text editor like vi or nano:
vi /usr/local/ddos/ddos.conf
Key Configuration Options:
# Script execution frequency (minutes)
FREQ=1
# Max connections per IP to trigger a ban
NO_OF_CONNECTIONS=150
# Ban method: 1=APF, 0=iptables (iptables is recommended)
APF_BAN=0
# Execute ban: 1=YES, 0=NO (detection only)
KILL=1
# Email address for ban notifications
EMAIL_TO="admin@example.com"
# Ban duration (seconds)
BAN_PERIOD=600
Important Fix: Older script versions may fail due to netstat output containing non-IP text (e.g., "Address"). Check and modify /usr/local/ddos/ddos.sh (around line 117):
Original line (potentially problematic):
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
Suggested modification:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sed -n '/[0-9]/p' | sort | uniq -c | sort -nr > $BAD_IP_LIST
Adding the sed command filters out non-numeric lines, preventing parsing errors.
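To make the detection step concrete, here is an added example (not ddos-deflate's own code): it runs the fixed pipeline from above over a constructed netstat sample and applies NO_OF_CONNECTIONS, the ignore list and KILL as the configuration above describes. The exact iptables DROP rule is an assumption about the form of the ban.

```shell
#!/bin/sh
# Added example, not part of ddos-deflate: reproduce its detection step on a
# constructed `netstat -ntu` sample, with the sed fix and the ignore list.

# Constructed sample output of `netstat -ntu` (two header lines, then connections).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.9:40001      ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.44:5353         ESTABLISHED'

# Connection count per remote IP, highest first. The sed step is the fix from
# above: the header line yields "Address" in column 5, which has no digit and
# would otherwise be counted as an "IP" and handed to the ban command.
count_per_ip() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk '{print $5}' | cut -d: -f1 \
        | sed -n '/[0-9]/p' | sort | uniq -c | sort -nr
}

# Print the IPs whose count exceeds $1 (NO_OF_CONNECTIONS), skipping any IP in
# the space-separated list $2 (the contents of ignore.ip.list).
offenders() {
    threshold=$1; ignore_list=$2
    count_per_ip | while read -r count ip; do
        case " $ignore_list " in *" $ip "*) continue ;; esac
        if [ "$count" -gt "$threshold" ]; then echo "$ip"; fi
    done
}

# Apply or merely report a ban. KILL=0 is the detection-only mode from ddos.conf;
# the DROP rule shown is the assumed form of ddos-deflate's iptables ban.
ban() {
    ip=$1; kill_mode=$2
    if [ "$kill_mode" = "1" ]; then
        iptables -I INPUT -s "$ip" -j DROP
    else
        echo "would run: iptables -I INPUT -s $ip -j DROP"
    fi
}

# Stand-alone demo: threshold lowered from 150 to 2 so the sample trips it.
NO_OF_CONNECTIONS=2
KILL=0
for ip in $(offenders "$NO_OF_CONNECTIONS" "198.51.100.9"); do
    ban "$ip" "$KILL"
done
```

Running it reports only 203.0.113.7, since the header lines are filtered out and 198.51.100.9 is whitelisted.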
Usage and Management
Starting and Stopping
- After installation, a cron job is automatically added, checking connections every minute by default.
- Run the script manually:
/usr/local/ddos/ddos.sh
Checking Status and Logs
- List of blocked IPs:
/usr/local/ddos/ddos.log
- IP whitelist (ignored IPs; add trusted IPs here):
/usr/local/ddos/ignore.ip.list
Uninstalling DDoS deflate
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos
Or run directly: /usr/local/ddos/uninstall.sh (if it exists).
Notes and Limitations
- Suitable for: DDoS deflate is primarily effective against small-scale connection-based DDoS attacks (e.g., SYN floods and CC attacks, i.e. HTTP floods).
- Limitations: It has limited effectiveness against large-scale distributed attacks (Gbps/Tbps level) or complex application-layer attacks.
- Recommended Combined Approach:
- Infrastructure Protection: Use DDoS-protected IPs or cloud firewalls from your hosting provider.
- DNS Protection: Use intelligent DNS services with DDoS protection like Cloudflare or DNSPod.
- Server Layer: Combine DDoS deflate with iptables rules and web server (e.g., Nginx) rate-limiting modules.
In summary, DDoS deflate is a simple, useful supplementary defense tool, suitable as part of server security hardening, but it is not a replacement for professional DDoS protection services.