#!/bin/bash
netstat -an|grep SYN_RECV|awk '{print$5}'|awk -F: '{print$1}'|sort|uniq -c|sort -rn|awk '{if ($1 >1)  print $2}'

for i in $(cat /tmp/dropip)
do
/sbin/iptables -A INPUT -s $i -j DROP
echo “$i kill at `date`” >>/var/log/ddos
done

#!/bin/bash
# use iptables deny malicious connect
while true
do
syn_ip=$(netstat -an|grep [0-9]|awk -F':|[ ]+' '{if($3 > 1000) print $6}')
        for i in `echo $syn_ip`
        do
               a=$(iptables -nL | grep $i)
               b=$(iptables -nL | grep DROP | wc -l )

                if [ "$a" == "" ]
                then
                   if [ "$b" -gt 7000 ]
                   then
                       iptables -D INPUT 1
                   fi
                     iptables -I INPUT -s $i -p tcp --dport 80 -j DROP
                     echo $i >> /opt/bad_ip.txt
               fi
        done
sleep 2
done