
How to Install and Uninstall DDoS Deflate on a Linux Server

Distributed Denial of Service (DDoS) attacks are a growing threat to web and network servers, causing system overloads and downtime. DDoS Deflate is a shell script designed to help mitigate such attacks: it identifies IP addresses that exceed a connection limit and blocks them.

In this blog, we’ll explore how to install, configure, and uninstall DDoS Deflate on a Linux server.

What is DDoS Deflate?

DDoS Deflate is a lightweight bash shell script that helps prevent DoS attacks. It is not fully effective against large-scale DDoS attacks, but it is useful against simpler ones. It uses the netstat command to track and monitor all IP addresses that connect to the server. When it detects that the number of connections from a single address exceeds the preset limit defined in the configuration file, the script automatically blocks that IP address using iptables or APF, as configured. We may use the following command to get a list of IP addresses connected to the server, as well as the total number of connections.

Why Linux Servers Need DDoS Protection

Linux servers need DDoS protection to ensure uptime, prevent service disruptions, and protect resources from being overwhelmed by malicious traffic. Without protection, DDoS attacks can cause significant downtime, financial losses, and damage to a server’s reputation, especially for businesses relying on continuous online services.

How DDoS Deflate Works

DDoS Deflate monitors the number of connections each IP address makes to your Linux server. It scans active network connections regularly to determine how many concurrent connections an IP address has open.

Here’s how DDoS Deflate functions step-by-step:

  1. Monitor Network Connections: DDoS Deflate regularly checks for active network connections to the server using the `netstat` command.
  2. Identify Suspicious IPs: It identifies any IP address with more than the allowed number of simultaneous connections.
  3. Block the IP Address: Once an IP exceeds the connection limit, DDoS Deflate uses `iptables` to block the IP, preventing further access to the server.
  4. Automatic Cleanup: The blocked IPs remain in the firewall rules for a set duration (default is one hour) and are automatically unblocked once the ban period ends.

By automating the detection and blocking process, DDoS Deflate helps protect against basic DDoS attacks with minimal server administrator intervention.
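The count-and-compare logic of steps 1 to 3, as an added example that is not DDoS Deflate's own code: it runs the classic netstat/awk/cut/sort/uniq pipeline over a constructed `netstat -ntu` capture, flags the addresses above a threshold standing in for NO_OF_CONNECTIONS, and prints the iptables rule that would be added instead of applying it.

```shell
#!/bin/sh
# Added example (not part of DDoS Deflate): reproduce the per-IP connection
# count the script derives from netstat, against a constructed sample.

# Constructed sample of `netstat -ntu` output (two header lines, then
# Proto Recv-Q Send-Q Local-Address Foreign-Address State).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:443        198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:443        192.0.2.44:40001        ESTABLISHED
udp        0      0 203.0.113.10:53         192.0.2.9:5353          ESTABLISHED'

# Print "count ip" per remote address, highest first. Skips the two header
# lines, takes the Foreign Address column and strips the port. Note that
# `cut -d: -f1` only works for IPv4; an IPv6 address would be truncated.
count_connections() {
  printf '%s\n' "$1" \
    | awk 'NR > 2 { print $5 }' \
    | cut -d: -f1 \
    | sort | uniq -c | sort -rn
}

# Emit only the addresses whose count exceeds the limit ($2), which plays
# the role of NO_OF_CONNECTIONS from ddos.conf.
over_threshold() {
  count_connections "$1" | awk -v limit="$2" '$1 > limit { print $2 }'
}

# Dry run: show the rule a ban would add (and BAN_PERIOD later removes).
block_rule_for() {
  printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Walk the sample with a deliberately low limit so one address trips it.
for ip in $(over_threshold "$SAMPLE_NETSTAT" 2); do
  block_rule_for "$ip"
done
```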

How to Install DDoS Deflate on a Linux Server

Prerequisites before installing: 

Before you begin installing DDoS Deflate, you’ll need:

  • A Linux server with root or sudo access.
  • Basic knowledge of Linux commands.
  • iptables installed on the server.

Step 1: Access Your Linux Server via SSH

To begin, you need to access your server using SSH. If you don’t already have SSH access to your server, you can connect using the following command:

ssh username@your-server-ip

Replace username with your server's username and your-server-ip with the IP address of your server.

Once you’re logged in, you’re ready to start installing DDoS Deflate.

Steps to Install DDoS Deflate

Step 2: Download and Install DDoS Deflate

The first step is to download the script from the official repository.

  • Download the DDoS Deflate script: Navigate to the /usr/local/src/ directory and download the script using the following commands:
    cd /usr/local/src/
    wget https://github.com/jgmdev/ddos-deflate/archive/master.zip
  • Unzip the DDoS Deflate archive: After downloading, unzip the package by running:
    unzip master.zip

This will extract the contents of the zip file into the /usr/local/src/ddos-deflate-master directory.

  • Install the script: Navigate to the directory where the DDoS Deflate files have been extracted:
    cd ddos-deflate-master

Then, run the install script by executing the following command:

./install.sh

This script installs DDoS Deflate and configures it to automatically block IP addresses that exceed the default connection limit.

Step 3: Configuring DDoS Deflate

Once DDoS Deflate is installed, you can configure its settings according to your requirements. By default, DDoS Deflate blocks any IP address that has more than 150 simultaneous connections to your server. You can modify this setting by editing the configuration file.

  • Open the configuration file for editing:
    nano /usr/local/ddos/ddos.conf

Inside this configuration file, you’ll see options that you can customize based on your needs.

  • Adjust the connection threshold: One of the key settings to adjust is the number of allowed connections before an IP is blocked. For example, to change the limit to 100 connections, modify the NO_OF_CONNECTIONS parameter:
    NO_OF_CONNECTIONS=100
  • Modify the ban time: By default, DDoS Deflate blocks IPs for 3600 seconds (1 hour). To change the ban time, adjust the BAN_PERIOD parameter:
    BAN_PERIOD=3600
  • Configure email notifications: To receive an email each time an IP is blocked, set the EMAIL_TO parameter, replacing admin@yourdomain.com with your actual email address:
    EMAIL_TO="admin@yourdomain.com"
  • Save the configuration changes: After making the necessary changes, save the configuration file and exit the editor. In nano, save with Ctrl + O and exit with Ctrl + X.

Step 4: Testing DDoS Deflate

To ensure that DDoS Deflate is working as expected, you can simulate a DDoS attack by creating a large number of connections from a specific IP and observing how the script reacts.

You can use a tool like Hping3 or a custom script to generate connections, then monitor the firewall rules with:

iptables -L -n

Look for the blocked IPs listed in the iptables rules.

Step 5: Managing DDoS Deflate

DDoS Deflate offers several commands to help manage blocked IP addresses and monitor the status of the script.

  1. View the current list of blocked IPs: To view which IPs are currently blocked, run:

     cat /usr/local/ddos/blocked.ips

     This will show you a list of IP addresses that have been blocked for exceeding the connection limit.

  2. Manually unblock an IP address: If you need to unblock an IP address manually, you can do so by running:

     iptables -D INPUT -s <IP_ADDRESS> -j DROP

     Replace <IP_ADDRESS> with the IP you want to unblock.

  3. Restart DDoS Deflate: If you make changes to the configuration file and want to restart DDoS Deflate, use the following command:

     /usr/local/ddos/ddos.sh -c

     This command restarts the script and applies any configuration changes you made.

Steps to Uninstall DDoS Deflate

If at any point you want to remove DDoS Deflate from your Linux server, the process is straightforward. You can uninstall the script with a few simple commands.

Step 1: Run the Uninstall Script

DDoS Deflate comes with an uninstall script that makes it easy to remove the software. To uninstall it, run the following command:

/usr/local/ddos/uninstall.sh

This will stop the DDoS Deflate service, remove the script, and delete all configuration files associated with it.

Step 2: Verify Removal

After uninstalling, it's a good idea to verify that the script has been completely removed from your server. Check that the iptables rules have been cleared by running:

iptables -L -n

You should no longer see any rules blocking IP addresses based on the DDoS Deflate configuration. Additionally, you can ensure the installation directory has been removed:

ls /usr/local/ddos/

If the directory is still present, you can manually delete it:

rm -rf /usr/local/ddos/
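A helper for the two verification steps that rely on reading `iptables -L -n` by eye (spotting bans in Step 4 of the install, and confirming no DROP rules remain after uninstall), added here and not part of DDoS Deflate: it parses a constructed `iptables -L INPUT -n` listing instead of calling iptables, so it runs without root; point it at real output by replacing the sample.

```shell
#!/bin/sh
# Added example (not DDoS Deflate code): extract the source addresses of DROP
# rules from an iptables listing so a ban, or its removal, can be checked.

# Constructed sample of `iptables -L INPUT -n` on a host with two bans in place.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  198.51.100.7         0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       all  --  192.0.2.44           0.0.0.0/0'

# Print the source address (4th column) of every DROP rule, one per line.
dropped_sources() {
  printf '%s\n' "$1" | awk '$1 == "DROP" { print $4 }'
}

# Exit 0 if the given address is currently dropped, 1 otherwise.
is_blocked() {
  dropped_sources "$1" | grep -qx "$2"
}

# Number of DROP rules left; zero is what you expect after uninstall.sh.
drop_rule_count() {
  dropped_sources "$1" | wc -l | tr -d ' '
}

# Walk the sample: list bans, then report the count.
dropped_sources "$SAMPLE_IPTABLES"
echo "DROP rules present: $(drop_rule_count "$SAMPLE_IPTABLES")"
```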

Advantages and Limitations of DDoS Deflate

Advantages of DDoS Deflate

1. Lightweight and Easy to Install: DDoS Deflate is a simple shell script that requires minimal resources and can be quickly installed on a Linux server. It doesn't consume much CPU or memory, making it ideal for small and medium-sized servers.

2. Automated Blocking: The script automatically monitors network connections and blocks IPs that exceed the configured connection limit, reducing manual intervention.

3. Customizable Configuration: Administrators can easily configure settings such as the connection threshold, ban duration, and email notifications for blocked IPs, tailoring the script to specific needs.

4. Compatibility with iptables: DDoS Deflate integrates with the built-in Linux firewall tool `iptables`, making it an efficient solution without the need for additional software.

5. Low Maintenance: Once installed and configured, DDoS Deflate requires minimal maintenance and will continue to monitor connections and block offending IPs automatically.

Limitations of DDoS Deflate

1. Limited to Connection-Based Attacks: DDoS Deflate focuses solely on monitoring the number of connections, which means it might not detect or prevent other forms of DDoS attacks, such as volumetric attacks or layer 7 (application layer) attacks.

2. Basic Protection: While it can handle small to moderate attacks, DDoS Deflate is not designed for large-scale DDoS attacks that may require more sophisticated defense mechanisms like load balancing or DDoS protection services.

3. No Traffic Analysis: DDoS Deflate doesn't analyze the nature or type of traffic coming from an IP address. Legitimate users with multiple connections might get blocked if they exceed the connection limit.

4. Manual Fine-Tuning Required: The default settings might not suit all environments. Server administrators need to manually adjust the connection limit and ban time, which could result in blocking too many or too few IPs if not properly configured.

5. Lack of Support and Updates: DDoS Deflate is a community-driven tool that lacks formal support or frequent updates. As DDoS techniques evolve, it may not always keep up with the latest threats.

DDoS Deflate offers a basic, low-cost solution for protecting Linux servers from small to moderate connection-based DDoS attacks but may not be sufficient for more complex or large-scale threats.

Why Choose Us For DDoS Protection Service

At SupportFly, we are dedicated to providing unparalleled DDoS protection that ensures your business remains secure, operational, and resilient against cyber threats.

Proven Expertise

With years of experience in the field of cybersecurity, our team of experts brings a wealth of knowledge and proven strategies to protect your business. We have successfully mitigated numerous DNS attacks, ensuring our clients' services remain uninterrupted.

Customized Solutions

We understand that every business has unique security needs. Our DDoS protection service is tailored to fit your specific requirements, providing you with personalized solutions that effectively safeguard your digital assets.

Advanced Technology

We utilize the latest in cybersecurity technology to stay ahead of evolving threats. Our state-of-the-art systems are designed to detect, analyze, and mitigate DDoS attacks in real time, ensuring your services are always protected.

24/7 Support

Cyber threats can strike at any time, which is why we offer round-the-clock support. Our dedicated team is always available to assist, monitor your systems, and respond to any incidents, ensuring your peace of mind.

Scalability and Flexibility

As your business grows, so do your security needs. Our DDoS protection service is scalable and flexible, adapting to your changing requirements and providing robust protection regardless of the size of your infrastructure.

Cost-Effective Solutions

We offer cost-effective DDoS protection that doesn't compromise on quality. Our competitive pricing ensures that you receive top-tier security without breaking the bank, making it a smart investment for your business.

Conclusion

DDoS attacks can significantly affect the availability and functionality of servers, particularly those that host websites and provide services requiring continuous uptime. Installing DDoS Deflate on a Linux server is a simple and efficient way to defend against connection-based attacks: it lets you block suspicious IP addresses that exceed a connection threshold, helping to avoid system overloads and outages.

Regular configuration adjustments and monitoring will help ensure that your server stays well-defended against prospective attacks. DDoS Deflate can help protect your infrastructure from unwanted traffic and attacks, regardless of the size of your application or website. To install, configure, and uninstall DDoS Deflate on your Linux server, follow the steps described in this blog. For further assistance, connect with the SupportFly team.