DDoS Deflate - Shell Script For Blocking DDoS Attacks

DDoS Deflate - Simple Shell Script For Blocking DDoS Attacks

DDoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It is one of the simplest and easiest solutions at the software level.

If you don't know anything about Denial of Service Attacks, read the following Wikipedia article:

How it works: It tracks and monitors all the IP addresses making connections to the server by using the netstat command. Whenever it detects the number of connections from a single node exceeding certain pretest limits which are defined in the configuration file, the script will automatically block that IP address through the IP tables or APF according to the configuration.

It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections.
netstat -an | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n


  • It is possible to whitelist IP addresses, via /etc/ddos/ignore.ip.list.
  • It is possible to whitelist hostnames, via /etc/ddos/ignore.host.list.
  • Simple configuration file: /etc/ddos/ddos.conf
  • IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)
  • The script can run as a cron job at chosen frequency via the configuration file (default: 1 minute)
  • The script can run as a daemon at chosen frequency via the configuration file (default: 5 seconds)
  • You can receive email alerts when IP addresses are blocked.
  • Control blocking by connection state (see man netstat).
  • Auto-detection of firewall.
  • Support for APF, CSF, ipfw, and iptables.
  • Logs events to /var/log/ddos.log
  • Uses tcpkill to reduce the number of processes opened by attackers.

How To Install DDoS Deflate

As root user execute the following commands:
wget https://github.com/jgmdev/ddos-deflate/archive/master.zip
unzip master.zip
cd ddos-deflate-master

How To Use DDoS Deflate

After installing the DDoS Deflate, modify the config files to fit your needs.


On this file you can add a list of host names to be whitelisted, for example:


On this file you can add a list of ip addresses to be whitelisted, for example:


The behaviour of the ddos script is modified by this configuration file.

After you modify the config files you will need to restart the daemon. If running on systemd:
systemctl restart ddos

If running as classical init.d script:
/etc/init.d/ddos restart
service ddos restart

If you are running the script as a cronjob, no restarting is required.


ddos [OPTIONS] [N]
N : number of tcp/udp connections (default 150)


-h | --help: Show the help screen.

-c | --cron: Create cron job to run the script regularly (default 1 mins).

-i | --ignore-list: List whitelisted ip addresses.

-b | --bans-list: List currently banned ip addresses.

-d | --start: Initialize a daemon to monitor connections.

-s | --stop: Stop the daemon.

-t | --status: Show status of daemon and pid if currently running.

-v | --view: Display active connections to the server.

-k | --kill: Block all ip addresses making more than N connections.

No comments

Powered by Blogger.