Missing IP address in email reports with (D)DoS-Deflate 0.6

First let me say that the guys over at Media Layer did a great job with (D)DoS-Deflate.

We installed the utility by following their installation instructions on the above linked page. We made one modification to the script, lowering the number of connections allowed to 50, thinking it would be acceptable for normal traffic. Shortly after, we were locked out of our own server… duh. After rebooting our DSL modem to get a new IP address, we quickly logged in and reverted to the suggested count of 150. From our experience, take the advice of the team that wrote the script 😉

The notification emails started coming through, letting us know when IP addresses were being blocked because they had more than 150 connections to our server at one time. After that, we noticed the script was reporting the connection count as both the count and the IP address.

We contacted ML about the reported data and they said it was just a cosmetic issue. Well, cosmetic or not, it did not report the data as it was intended to, so we decided to tinker around with the code.

Here’s what we did to fix the problem, so that the IP address and number of connections are now reported as expected.

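# Original line, kept for reference:
#CURR_LINE_CONN=$(echo $line | cut -d" " -f1)
# Fix: trim leading spaces before cutting out the connection count.
CURR_LINE_CONN=$(echo $line | sed -e 's/^ *//' | cut -d" " -f1)
# Original line, kept for reference:
#CURR_LINE_IP=$(echo $line | cut -d" " -f2)
# Fix: trim leading spaces before cutting out the IP address.
CURR_LINE_IP=$(echo $line | sed -e 's/^ *//' | cut -d" " -f2)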

Our output of the netstat command (netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr) had leading spaces that the original script did not interpret properly. So we added a sed command (sed -e 's/^ *//') to trim the unwanted whitespace before the cut command was used.
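The following is an added example, not code from (D)DoS-Deflate or from the original post. It shows how `cut -d" "` handles a raw, space-padded `uniq -c` line, how the sed trim described above lines the fields up, and how to validate both fields before they reach a report or a firewall rule. The sample lines, function names and the validation step are assumptions made for illustration.

```shell
# Constructed sample in the layout `uniq -c` prints: the count is
# right-aligned, so short counts carry leading spaces. The "Address"
# line stands in for header text that netstat also emits.
SAMPLE='    212 203.0.113.7
     98 198.51.100.23
      1 Address'

# No trimming: on a padded line, fields 1 and 2 are both empty,
# because every leading space starts a new (empty) field.
parse_cut() {
    printf '%s\n' "$1" | cut -d" " -f"$2"
}

# The fix from the post: strip leading spaces, then cut.
parse_trimmed() {
    printf '%s\n' "$1" | sed -e 's/^ *//' | cut -d" " -f"$2"
}

# Alternative (assumption, not in the post): awk splits on runs of
# whitespace, so no trimming step is needed.
parse_awk() {
    printf '%s\n' "$1" | awk -v f="$2" '{print $f}'
}

# Print "IP COUNT" for every sample line above the limit, skipping
# lines whose count is not numeric or whose address has other
# characters than digits and dots.
over_limit() {
    limit=$1
    # IFS= and -r keep the line exactly as the pipeline produced it.
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        conn=$(parse_trimmed "$line" 1)
        ip=$(parse_trimmed "$line" 2)
        case $conn in ''|*[!0-9]*) continue ;; esac
        case $ip in ''|*[!0-9.]*) continue ;; esac
        if [ "$conn" -gt "$limit" ]; then
            printf '%s %s\n' "$ip" "$conn"
        fi
    done
}

over_limit 150
```
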

Note: This solution was implemented on a Red Hat Enterprise Linux 4 box running a Plesk 8.x control panel.
