
Simple anti DDoS protection in FreeBSD


I get a lot of requests from data centers to my web server on FreeBSD, and sometimes it has a lot of performance problems with my web projects. Adding all the data centers' IPs to an IPFW list is impossible.

I don't want to use a large anti-DDoS system; instead I want to create a bash script that gets the connections to my server, filters them by IP, and adds to an IPFW table the IP addresses which are currently connected in more than 5 threads. Or maybe create several tables in IPFW and add by table:

  • 0 < 5: - nothing
  • 5 < 10: - table 1 (15 minutes ban)
  • 10 < 15: - table 2 (30 minutes ban)
  • 15 < 20: - table 3 (60 minutes ban)
  • more than 20: - table 4 (1 day ban)

The filter by IP should skip Google's IPs and other search engines' IPs by hostname.

This is my script for grepping connections and sorting:

netstat -nptcp | egrep -v 'Active|Address' | awk '{print $5}' | cut -d. -f 1-4 | sort | uniq -c | sort -n | tail -n 30

Parsing log files is too bad an idea, because the log file is sometimes big, and I would need additional web server resources to parse and sort it.

So, I've also thought, maybe create this script in PHP? But if PHP crashes, the server will not be protected.

Are there any other considerations I need to be aware of?


Solution

  • Doing this work in PHP will be a bad idea; if you have any experience with the scripting interfaces mentioned below, I would highly recommend them; otherwise you have no choice other than PHP, in which it can be done with a little bit of trouble.

    A PHP script crashing is not that big a problem in comparison to the issues listed below.

    1. You will have to grant superuser permission to your PHP script so that it can access the system resources, which could be very bad if your server is web facing.
    2. PHP won't be able to do system-level tasks such as accessing the list of network connections, filtering them and adding them to the firewall config for blocking that well; it will be very painful to do that.

    You might want to try BASH/Perl/Python, whichever you feel comfortable with, and create a separate script in a sandboxed model (create a user and add permission for it in sudoers for only the required tasks, and keep it away from the user running the webserver or any other task on the internet).
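A sketch of the approach from the question (count per-IP connections from netstat, sort them into ipfw tables by tier, exempt search-engine crawlers by hostname), written as a plain sh script of the kind the answer recommends running from a dedicated non-web user. This is an added example, not code from the question or the answer; it assumes host(1) is available and that the tier boundaries are 5-9, 10-14, 15-19 and 20 or more connections.

```shell
#!/bin/sh
# Added example, not from the question or answer: reads FreeBSD "netstat -n -p tcp"
# output on stdin, counts connections per remote IPv4, maps the count to the
# question's ban tiers and prints the "ipfw table N add" command for review.
# Assumed tiers: 5-9 -> table 1, 10-14 -> 2, 15-19 -> 3, 20 or more -> 4.
tier_for_count() {                      # connection count -> table number, 0 = none
    if   [ "$1" -ge 20 ]; then echo 4
    elif [ "$1" -ge 15 ]; then echo 3
    elif [ "$1" -ge 10 ]; then echo 2
    elif [ "$1" -ge 5 ];  then echo 1
    else echo 0; fi
}
# DNS helpers on host(1), kept separate so they can be stubbed offline.
ptr_of()     { host "$1" 2>/dev/null | awk '/pointer/ {print $NF; exit}'; }
forward_of() { host "$1" 2>/dev/null | awk '/has address/ {print $NF}'; }
# Exempt a crawler only if its PTR is a known crawler domain AND that name
# resolves forward to the same IP; a bare PTR check can be forged.
is_crawler() {
    name=$(ptr_of "$1")
    case "$name" in
        *.googlebot.com.|*.google.com.|*.search.msn.com.) ;;
        *) return 1 ;;
    esac
    forward_of "$name" | grep -qx "$1"
}
# Field 5 is the foreign address, written as a.b.c.d.port; header lines,
# listening sockets ("*.*") and IPv6 rows do not split into five parts.
count_remotes() {
    awk '$1 ~ /^tcp4/ && split($5, p, ".") == 5 { c[p[1]"."p[2]"."p[3]"."p[4]]++ }
         END { for (ip in c) print ip, c[ip] }' | sort -k2,2nr
}

ban_commands() {                        # one "ipfw table N add IP" line per offender
    count_remotes | while read -r ip count; do
        tier=$(tier_for_count "$count")
        if [ "$tier" -gt 0 ] && ! is_crawler "$ip"; then
            echo "ipfw table $tier add $ip"
        fi
    done
}

# Constructed netstat sample: 21, 12, 6 and 2 connections from four addresses.
sample_netstat() {
    echo "Proto Recv-Q Send-Q Local Address Foreign Address (state)"
    for pair in 203.0.113.7:21 192.0.2.50:12 198.51.100.9:6 198.51.100.1:2; do
        i=0; while [ "$i" -lt "${pair#*:}" ]; do i=$((i + 1))
            echo "tcp4 0 0 10.0.0.2.80 ${pair%:*}.$((40000 + i)) ESTABLISHED"; done
    done
}
```

In use, `netstat -n -p tcp | ban_commands | sh` applies the bans, and the timed expiry from the question's tiers is left to cron (for example `ipfw table 1 flush` every 15 minutes).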