#!/bin/bash
# dayid@dayid.org
# revised/latest always available at http://linux.dayid.org/scripts/ddos.sh
# Feel free to modify/distribute/destroy/mate with this script.
# A rather brute, terrible way to deal with IPs that have between 50 and 999
# concurrent connections to this server. Simple, but efficient.
#
# Please read this before running it. I am not liable, blah blah blah.
# This is simple bash and if you need to understand it more, run each line manually yourself.
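# Behaviour summary (same job as the original, tightened up):
#   * counts remote IPv4 peers from `netstat -an` and bans every address with
#     at least $threshold connections (the original only caught 50-999 because
#     it matched the column padding of `uniq -c`; >= 1000 was silently missed),
#   * never bans 0.0.0.0, 127.0.0.1, a local interface address or a resolver,
#     compared as whole addresses (the original used unanchored, unquoted grep
#     patterns, so excluding 10.0.0.1 also excluded 10.0.0.10-10.0.0.19 and
#     10.0.0.100-10.0.0.199, and `[a-zA-Z]` could be expanded as a glob),
#   * appends ALL:<ip> to /etc/hosts.deny and "Banned: <ip>" to the run log,
#   * works in a private mktemp directory instead of fixed names under /root.
set -u

# Captured before the cd below: the self-removal step at the end refers to it.
pwd=$(pwd)

# Minimum concurrent connections from one address before it is banned.
# Override with DDOS_THRESHOLD=<n>; defaults to the original's lower bound.
readonly threshold=${DDOS_THRESHOLD:-50}
readonly runlog=/var/log/ddos.runtimes.log
readonly hosts_deny=/etc/hosts.deny

# Scratch directory; global (not local) so the EXIT trap can still see it.
workdir=

die() { printf '%s\n' "$*" >&2; exit 1; }

cleanup() { [[ -n "$workdir" ]] && rm -rf -- "$workdir"; }

#######################################
# Print the addresses that must never be banned, one per line: the wildcard
# and loopback addresses, every local IPv4 interface address, and the
# resolvers from /etc/resolv.conf.
# Outputs: IPv4 addresses on stdout
# Returns: always 0
#######################################
safe_ips() {
  printf '%s\n' 0.0.0.0 127.0.0.1
  if command -v ip >/dev/null 2>&1; then
    # `ip -o` prints one interface per line; $4 is "addr/prefix".
    ip -4 -o addr show 2>/dev/null | awk '{ print $4 }' | cut -d / -f 1
  elif command -v ifconfig >/dev/null 2>&1; then
    # Old net-tools prints "inet addr:1.2.3.4", newer prints "inet 1.2.3.4";
    # dropping everything up to the last ':' handles both forms.
    ifconfig 2>/dev/null | awk '$1 == "inet" { sub(/^.*:/, "", $2); print $2 }'
  fi
  if [[ -r /etc/resolv.conf ]]; then
    awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf
  fi
  return 0
}

#######################################
# Count remote IPv4 peers seen by netstat and print those at or above
# $threshold that are not in the safe list, lowest count first.
# Arguments: $1 - file of safe addresses, one per line (must exist)
# Globals:   threshold (read)
# Outputs:   "count ip" lines on stdout
#######################################
suspects() {
  local safe_file=$1
  netstat -an 2>/dev/null \
    | awk -v t="$threshold" -v sf="$safe_file" '
        FILENAME == sf { safe[$1] = 1; next }
        # Foreign address is $5; strip the ":port" and any IPv4-mapped
        # "::ffff:" prefix, then keep only dotted quads (this also drops the
        # header line, unix sockets and plain IPv6 peers).
        { a = $5; sub(/:[^:]*$/, "", a); sub(/^::ffff:/, "", a) }
        a !~ /^[0-9]+(\.[0-9]+){3}$/ { next }
        { n[a]++ }
        END { for (a in n) if (n[a] >= t && !(a in safe)) print n[a], a }
      ' "$safe_file" - \
    | LC_ALL=C sort -n
}

#######################################
# Drop all traffic to and from one address and record it, unless the
# filter table already mentions that address.
# Arguments: $1 - IPv4 address
# Globals:   runlog, hosts_deny (appended to)
# Outputs:   progress messages on stdout
#######################################
ban_ip() {
  local ip=$1
  echo "Oooh, I smell something funny... I think I might have a lamer!"
  # -F: the address is a literal, not a regex; -w: "1.2.3.4" must not match
  # 1.2.3.40 or 11.2.3.4 the way the original unanchored grep did.
  if iptables -nL 2>/dev/null | grep -qwF -- "$ip"; then
    echo "Aww, that stinks! We'd already caught ${ip}!"
    return 0
  fi
  iptables -I INPUT -s "$ip" -j DROP \
    || printf 'warning: iptables INPUT rule for %s failed\n' "$ip" >&2
  iptables -I OUTPUT -d "$ip" -j DROP \
    || printf 'warning: iptables OUTPUT rule for %s failed\n' "$ip" >&2
  # hosts.deny is kept as a second, independent layer, as in the original.
  printf 'ALL:%s\n' "$ip" >> "$hosts_deny"
  printf 'Banned: %s\n' "$ip" >> "$runlog"
  echo "Woo! Got another! We're banning $ip for being extraordinarily STUPID!"
}

#######################################
# Keep the run log from growing without bound: past 150 lines keep only
# the newest 50 (the original's numbers), then stamp this run.
# Globals:   runlog (rewritten / appended to)
#######################################
rotate_runlog() {
  local lines tmp
  touch "$runlog"
  lines=$(wc -l < "$runlog")
  if (( lines > 150 )); then
    # Same filesystem as the log so the mv is atomic.
    tmp=$(mktemp /var/log/ddos.XXXXXX) || die "mktemp failed"
    tail -n 50 "$runlog" > "$tmp" && mv -f -- "$tmp" "$runlog"
  fi
  date >> "$runlog"
}

main() {
  (( EUID == 0 )) || die "must run as root (needs iptables and write access to ${hosts_deny})"
  [[ $threshold =~ ^[0-9]+$ ]] || die "DDOS_THRESHOLD must be a non-negative integer"
  command -v netstat >/dev/null 2>&1 || die "netstat not found"
  command -v iptables >/dev/null 2>&1 || die "iptables not found"

  workdir=$(mktemp -d) || die "mktemp -d failed"
  trap cleanup EXIT

  clear
  echo "Yehaw! We're going to round up some outlaws and ban their asses!"
  cd /root/ || die "cannot cd to /root"
  echo ""
  echo "Get ready - here we go!"
  echo ""

  safe_ips > "$workdir/safe"
  suspects "$workdir/safe" > "$workdir/bans"

  local count ip
  while read -r count ip; do
    [[ -n "$ip" ]] || continue
    ban_ip "$ip"
  done < "$workdir/bans"

  echo ""
  echo "Man! That was fun! Let's do it again sometime!"

  # For larger attacks, uncomment the next two lines, and comment out the
  # self-removal below.
  # sleep 300
  # bash ddos.sh
  # Self-removal kept from the original, but only when the ddos.sh in the
  # start directory really is this script, not some unrelated file.
  if [[ -f "${pwd}/ddos.sh" && "${pwd}/ddos.sh" -ef "$0" ]]; then
    rm -f -- "${pwd}/ddos.sh"
  fi

  rotate_runlog
  # Collapse duplicate hosts.deny entries in place. As in the original this
  # sorts the whole file, comments included; -o rewrites the same inode so
  # ownership and mode are preserved.
  if [[ -f "$hosts_deny" ]]; then
    LC_ALL=C sort -u -o "$hosts_deny" "$hosts_deny"
  fi
}
main "$@"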

