Flying-Frog is a script that monitors connections and application sessions in order to support application level DDoS defense. Especially request delaying / slowloris type / connection starvation attacks.
Flying-Frog is a ruby script with the following features:
- Monitor TCP connections
- Check the number of connections from an individual source IP
- Run GeoIP on client IPs
- Watch application logs and identify authenticated sessions and thus authenticated client IPs
- Report client IPs exceeding connection limits; ready to ban client IP via fail2ban
- Configurable limits are: number of connections per client, duration of individual connection
- Limits can be adjusted for server ports, client GeoIP origin, authenticated or not.
In the real world, this allows you to shut out slowloris and friends with tight limits, but allow your local clients and clients with successful logins to profit from wider limits.
Here is the script, ready for download:
flying-frog.rb – the script
flying-frog.conf – example config file
netnea.com provides this script as is. No warranty is included.