Please be aware: this is the first beta release of the tool!
We sniff and parse all incoming HTTP requests. If any IP makes more than a threshold number of requests per second (20 by default, counted per combination of host, method and URI), we trigger an ipset ban of that IP immediately.
Compatibility: Linux only (Debian 7+, CentOS 6+)
You can change how requests are grouped (and therefore what counts as "the same" request) by editing the following line in the code:
std::string hash_key = client_ip + ":" + host_string + ":" + method_string + ":" + path_string;
Install FastNetMon (its installer builds and installs all required libraries):
Install the Flood Shield dependencies:
# Debian
apt-get install -y ipset libipset-dev libipset2
For CentOS 6 you have to build ipset from source (the commands below assume the ipset-6.24 tarball is already in /usr/src):
yum install -y libmnl-devel
cd /usr/src
tar -xf ipset-6.24.tar.bz2
cd ipset-6.24
./configure --prefix=/opt/ipset --with-kmod=no
make && make install
echo "/opt/ipset/lib" > /etc/
Build Flood Shield:
cd /usr/src
git clone
cd flood_shield
Create the ipset and the iptables rule that drops traffic from banned addresses (the iptables rule is inserted at the top of INPUT so it matches before any ACCEPT rules):
# Debian
ipset --create blacklist iphash --hashsize 4096
# (on ipset 6.x the equivalent current syntax is: ipset create blacklist hash:ip hashsize 4096)
# CentOS 6:
/opt/ipset/sbin/ipset --create blacklist iphash --hashsize 4096
iptables -I INPUT -m set --match-set blacklist src -p TCP --destination-port 80 -j DROP
Run it:
By default we ban any IP that exceeds 20 requests per second with the same HOST, METHOD and URI. To change this threshold, edit it in the code and recompile. We sniff only port 80 by default.
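The detection loop described above (group requests by client IP, host, method and path; ban the client IP the moment one key exceeds the per-second threshold), as an added illustration rather than Flood Shield's own code. It assumes a Request struct carrying a whole-second capture timestamp, uses constructed sample traffic instead of sniffed packets, and returns the ipset command as a string instead of executing it:

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

// One parsed HTTP request as the sniffer would hand it to the rate limiter.
// The four string fields are the ones the README's hash_key line joins.
struct Request {
    uint64_t ts_sec;        // capture time in whole seconds (assumed field)
    std::string client_ip;
    std::string host;
    std::string method;
    std::string path;
};

// Same grouping key as the README: client_ip:host:method:path.
static std::string make_hash_key(const Request& r) {
    return r.client_ip + ":" + r.host + ":" + r.method + ":" + r.path;
}

// Fixed one-second window counter per key. A key is reported (and its IP
// banned) once per second, on the request that pushes it over the threshold.
class FloodDetector {
public:
    explicit FloodDetector(unsigned threshold_per_sec) : threshold_(threshold_per_sec) {}

    // Returns true exactly when this request makes the key exceed the threshold
    // within the current second; later requests in the same second return false
    // so a flood does not re-issue the ban for every packet.
    bool observe(const Request& r) {
        Window& w = windows_[make_hash_key(r)];
        if (w.second != r.ts_sec) {   // new second: start a fresh window
            w.second = r.ts_sec;
            w.count = 0;
            w.reported = false;
        }
        ++w.count;
        if (w.count > threshold_ && !w.reported) {
            w.reported = true;
            banned_.insert(r.client_ip);
            return true;
        }
        return false;
    }

    const std::set<std::string>& banned() const { return banned_; }

    // Command that would be handed to the system to ban an address; it is
    // returned rather than executed so the example runs without root/ipset.
    static std::string ban_command(const std::string& ip) {
        return "ipset add blacklist " + ip;
    }

private:
    struct Window { uint64_t second = 0; unsigned count = 0; bool reported = false; };
    unsigned threshold_;
    std::map<std::string, Window> windows_;
    std::set<std::string> banned_;
};

// Constructed sample traffic (not a real capture): one client hammering a
// single URI 25 times in one second, one busy but legitimate client sending
// 25 requests in the same second spread over 25 different URIs.
static std::vector<Request> sample_traffic() {
    std::vector<Request> reqs;
    for (int i = 0; i < 25; ++i)
        reqs.push_back({100, "203.0.113.7", "example.com", "GET", "/login"});
    for (int i = 0; i < 25; ++i)
        reqs.push_back({100, "198.51.100.9", "example.com", "GET", "/asset/" + std::to_string(i)});
    return reqs;
}

// Run the detector over the sample with the given threshold; returns banned IPs.
std::set<std::string> run_sample(unsigned threshold) {
    FloodDetector det(threshold);
    for (const Request& r : sample_traffic())
        det.observe(r);
    return det.banned();
}

// Same key, 15 requests in second 100 and 15 in second 101: the per-second
// count never exceeds 20, so the fixed window must not trip.
bool straddling_second_is_not_flood() {
    FloodDetector det(20);
    bool tripped = false;
    for (int i = 0; i < 15; ++i)
        if (det.observe({100, "192.0.2.5", "example.com", "GET", "/"})) tripped = true;
    for (int i = 0; i < 15; ++i)
        if (det.observe({101, "192.0.2.5", "example.com", "GET", "/"})) tripped = true;
    return !tripped;
}

int main() {
    std::set<std::string> b = run_sample(20);
    bool ok = b.count("203.0.113.7") == 1 && b.count("198.51.100.9") == 0
              && straddling_second_is_not_flood();
    return ok ? 0 : 1;
}
```

Two properties of this scheme are worth keeping in mind when tuning the threshold: because the key includes the URI, a client that spreads its requests over many paths is never banned no matter how many it sends, and because the window is a fixed second, up to twice the threshold can pass across a second boundary before anything trips. Also note that the ban is keyed on the source IP seen on the wire, so clients behind a shared NAT or proxy are banned together.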
- Kazuho Oku, Tokuhiro Matsuno, Daisuke Murase and Shigeo Mitsunari for a perfect and fast HTTP request parser (picohttpparser)
- the PF_RING team for a nice facility for capturing packets