DDOS-Blocking attacking IPs

Use the below script to block IP addresses making too many connections.

#!/bin/bash
if [ -e ip-list.txt ]
then
rm -f ip-list.txt
fi
netstat -tpn|grep :80|awk '{print $5}'|cut -d ':' -f 1|sort |uniq -c|sort -n -k 1|awk '{if ($1 > 30) {print $2}}' >> ip-list.txt
if [ -s ip-list.txt ]
then
for ip in $(cat ip-list.txt)
do
/usr/sbin/csf -d $ip >/dev/null 2>$1
done
fi

Sometimes, the Massive Ddos attacks cannot be stopped using CSF firewall due to heavy connections in small time period. In such cases, you need to “grep” the Attacking pattern from Domlogs and then block it via IPtables using the following script.

!/bin/bash
iplist=$(tail -5000 /usr/local/apache/domlogs/domain.com |grep "Pattern" |awk '{print $1}' | sort -u)
for address in ${iplist}; do
iptables -I INPUT -p tcp -s ${_address} -j DROP
iptables -I INPUT -p udp -s ${_address} -j DROP
done

We highly recommend you to open a ticket via your Client Area, whenever you see a DDOS attack.