Hold Tight...

0 %
avatar
Warith AL Maawali
Driving cybersecurity excellence
Innovator behind Linux Kodachi
  • Residence:
    ::0
  • Uptime Binary:
    101110
  • Mantra:
    Innovate, Secure, Repeat
ONS
EEDS
NSSG
Cybersecurity
Programming & R&D
Cryptocurrency
AI & Vibe coding
  • Bash
  • Gambas
  • Delphi
  • PHP
  • Visual basic
  • Rust
Download cv

My Valentine’s Gift Was a Subnet DDoS

15/02/2026
My Valentine’s Gift Was a Subnet DDoS

Valentine’s Day DDoS: The “Gift” That Tried to Take digi77.com Down

February 14, 2026 — Battle-Tested Defense Against Subnet-Rotating Botnets

On February 14, 2026, it looked like someone wanted to give me a Valentine’s gift.

They did — just not the kind you want.

Early that morning, my digi77.com server got slammed with a DDoS that wasn’t the usual “a thousand infected PCs from all over the world.”
I’m talking about entire subnets showing up like waves.

The timing was also… interesting. It happened two days after I announced that Kodachi supports built-in AI capabilities. Coincidence or not, the goal was clearly to knock the server offline.

What made it worse is that this wasn’t “obviously bad” traffic. A lot of it looked valid:

  • normal TCP handshakes
  • valid packets
  • normal-looking HTTP behavior (just at insane volume)

That’s exactly why CSF struggled. Not because CSF is “bad,” but because when the flood is made of normal-looking traffic, it’s harder to separate signal from noise fast enough. And once your server is chewing through endless valid connections, your CPU and connection tracking become the target.

My CPU hit 100% and stayed there. Services started choking.

So I did what I always do when the internet doesn’t have the tool I need:

I wrote my own Bash solution.

And guess what?

It worked.

It blocked 100% of the waves I observed during the incident — thousands at a time. Then thousands more would appear from a different region, and the script just kept handling it. I’m still under attack while writing this post, which is exactly why I’m writing it.

Why This Matters (And Why “Just Block It Upstream” Isn’t Always Simple)

I searched for tools and guides that can handle this kind of attack pattern the way I needed it handled.

I could not find a tool on the net that does this

— especially not something that:

  • reacts in real time,
  • escalates from IPs to subnets automatically,
  • survives massive rotation,
  • and keeps the server usable while under pressure.

I even asked GPT for advice, and the response (paraphrased) was basically:

  • “If packets reach Linux, there isn’t much you can do about it.”
  • “It must be blocked at the provider level.”
  • “And if the packets are legitimate, how will you block them upstream?”

That’s not wrong in a scenario where the attacker saturates your uplink before the traffic even reaches you.

But many real-world attacks (including what I saw) aren’t only about filling bandwidth — they’re about melting your CPU, exhausting conntrack, draining worker threads, and keeping you too busy to respond.

So I built a script with a single job:

Keep the server online during a rotating subnet DDoS — automatically.

Key Features (What the Script Does)

  1. Subnet-level blocking (CIDR escalation)
    Stops “whack-a-mole” IP rotation by promoting bans from single IPs to /24, /20, or other ranges when subnet abuse is detected.
  2. Real-time offender ranking
    Continuously detects top talkers (by connections and/or request sources) and reacts within seconds.
  3. Built for “legit packet” floods
    Works when packets are valid and classic “bad packet” filtering fails — because the attack looks normal until you measure volume and patterns.
  4. Load-aware defense mode
    Tightens thresholds automatically when CPU/load spikes, prioritizing uptime over perfect analytics.
  5. Fast firewall application strategy
    Blocks in a way that avoids firewall self-DoS (batched updates and efficient rule structures).
  6. Rotation-resistant logic
    Handles attackers constantly swapping regions, ranges, and subnets — blocks thousands, then blocks thousands more without manual babysitting.
  7. Whitelist & safety rails
    Protects admin IPs, monitoring, and trusted services from accidental lockouts.
  8. Attack intelligence output
    Reveals what the attacker is doing: burst timing, concentration by range, and how sources shift over time.
  9. Rule hygiene (cleanup/expiry)
    Avoids infinite rule growth by expiring or rotating temporary blocks safely.
  10. “Stay online” priority
    The main goal is not pretty graphs — it’s keeping your machine responsive while the storm is happening.

How It Works (High-Level, With Safe Snippets)

I’m not publishing the full script here, but I can share safe snippets that explain the approach without exposing the private logic that makes it effective.

1) Watch system pressure (load + connection counts)

Bash System Threat Detection 
# Multi-vector threat detection engine
# Monitors 5+ attack signals simultaneously:
#
#   → CPU load average (detects resource exhaustion)
#   → SYN-RECV flood count (half-open connection attacks)
#   → ESTABLISHED connection saturation
#   → UDP amplification indicators
#   → Connection rate acceleration
#
# When ANY signal exceeds its adaptive threshold,
# the script shifts into aggressive mitigation mode.
#
# Thresholds auto-adjust based on server capacity
# and current baseline — not static values.

check_system_threat() {
    # [5 independent detection vectors evaluated here]
    # Each vector has its own adaptive threshold logic
    # Returns threat level: CLEAR / ELEVATED / CRITICAL
    ...
}

When the numbers spike beyond safe thresholds, the script shifts into aggressive mitigation mode.

2) Identify abusive sources by volume

Bash Real-Time Offender Ranking 
# Real-time offender ranking engine
# Correlates MULTIPLE data sources to identify attackers:
#
#   → Active connection concentration (per-IP)
#   → Half-open connection patterns (SYN flood signature)
#   → Request rate vs. baseline deviation
#   → Subnet clustering (are IPs from the same /24?)
#   → Hosting provider vs. residential classification
#
# Output: ranked list of offenders with confidence scores
# Top offenders are processed for blocking decisions

rank_offenders() {
    # [Multi-source correlation engine]
    # Not just "who has the most connections"
    # but "who deviates most from normal behavior"
    ...
}

3) Escalate from IP blocking to subnet blocking

Bash VPN Protection + Hosting Provider Detection 
# Intelligent false-positive prevention
#
# The script maintains a classification engine that
# distinguishes between:
#
#   ✓ Legitimate VPN providers (20+ services recognized)
#   ✓ Known CDN and cloud infrastructure
#   ✓ Residential ISPs with normal traffic patterns
#   ✗ Hosting providers being used as botnet sources
#   ✗ Subnets with abnormal connection density
#
# Blocking decisions use DYNAMIC thresholds —
# not a single hardcoded number, but adaptive logic
# that considers the source type, connection pattern,
# and current attack intensity.

classify_and_decide() {
    # [Classification + adaptive threshold engine]
    ...
}

4) Apply blocks efficiently (repeat offender tracking)

Bash Temp-to-Permanent Escalation System 
# Behavioral escalation system
#
# All blocks start as TEMPORARY (configurable duration).
# The system tracks every blocked source and builds
# a behavioral profile over time:
#
#   Stage 1: Temp block → auto-expires
#   Stage 2: Repeat detection → longer duration
#   Stage 3: Persistent offender → permanent + CSF deny
#
# Each stage includes:
#   → Country and provider enrichment
#   → Attack pattern classification
#   → Subnet correlation analysis
#   → Timestamp-based repeat window tracking
#
# This prevents permanent blocking of one-time scanners
# while ensuring real attackers can't just wait it out.

escalation_engine() {
    # [Multi-stage behavioral tracking system]
    # Tracks history, enriches with GeoIP, escalates
    # based on repeat frequency within time windows
    ...
}

5) Keep the ruleset clean while the attack evolves

Bash Batch GeoIP Enrichment 
# Attack intelligence and GeoIP enrichment
#
# Every blocked source is enriched with:
#   → Country of origin
#   → Hosting provider / ISP name
#   → VPN/proxy/datacenter classification
#   → Historical offense count
#
# Enrichment runs in parallel batches for speed
# (doesn't slow down blocking during active attacks).
#
# Intelligence output reveals:
#   → Which countries the attack originates from
#   → Which hosting providers are most abused
#   → How the attacker rotates across regions
#   → Burst timing and wave patterns

# Real output from this incident (Feb 14, 2026):
# ┌──────────────────┬───────┬────────┬────────┐
#  │ Country          │ Hits  │   IPs  │ % Hits │
# ├──────────────────┼───────┼────────┼────────┤
# │ France           │ 495x  │   176  │ 45.9%  │
# │ Germany          │ 164x  │    64  │ 15.2%  │
# │ USA              │ 120x  │    85  │ 11.1%  │
# │ Russia           │  22x  │    12  │  2.0%  │
# │ Singapore        │  21x  │    21  │  1.9%  │
# │ Netherlands      │  14x  │     8  │  1.2%  │
# │ Poland           │  13x  │     9  │  1.2%  │
# │ Switzerland      │  13x  │     8  │  1.2%  │
# │ Japan            │  13x  │     8  │  1.2%  │
# │ United Kingdom   │  13x  │     4  │  1.2%  │
# └──────────────────┴───────┴────────┴────────┘

Live Attack Intelligence (from this incident)

The script’s repeat-offender tracker produced this data during the active attack:

495

Total Blocked

195

Permanent Bans

47

Countries

134

Providers

# Country Hits IPs %
1 France 495x 176 45.9%
2 Germany 164x 64 15.2%
3 USA 120x 85 11.1%
4 Russia 22x 12 2.0%
5 Singapore 21x 21 1.9%
6 Netherlands 14x 8 1.2%
7 Poland 13x 9 1.2%
8 Switzerland 13x 8 1.2%

The dominant provider across France and Germany: Contabo — accounting for 56.9% of all block hits across 221 IPs. A single hosting provider used as a botnet launchpad.

# Country / Provider Hits IPs
1 France / Contabo 472x 167
2 Germany / Contabo 141x 53
3 USA / spectrum.com 10x 8
4 Japan / ad.jp 8x 6
5 USA / amazonbot.amazon 6x 6

Escalation stats: 60.6% of entries are still temporary (below 3x threshold) — 39.3% were promoted to permanent blocks after repeated offenses. GeoIP enrichment resolved 480 of 495 entries across 47 countries and 134 providers.

Quick Start (When You Have the Script)

The script supports comprehensive command categories for monitoring, blocking, and automating DDoS defense. Here’s everything you can do:

Diagnostics & Monitoring

Bash Status & Monitoring Commands 
# Quick status check
./ddos-detect.sh --status

# Full diagnostic scan with all attack vectors
./ddos-detect.sh --diagnose

# Continuous monitoring (refresh every N seconds)
./ddos-detect.sh --watch 5

# Watch mode with auto-ban and logging
./ddos-detect.sh --watch 10 --ban --log /var/log/ddos-detect.log

# JSON output for monitoring integration (Netdata/Prometheus)
./ddos-detect.sh --json

Banning (nftables)

Bash nftables Ban Management 
# Auto-ban attackers exceeding threshold
./ddos-detect.sh --ban --threshold 100

# List currently banned IPs
./ddos-detect.sh --list-bans

# Unban specific IP
./ddos-detect.sh --unban 1.2.3.4

CSF Blocking (temp-first strategy)

Bash CSF Firewall Integration 
# Preview CSF blocks without applying (dry-run)
./ddos-detect.sh --apply-csf --dry-run

# Auto-apply all CSF blocks (temp first, permanent after 3x repeat)
./ddos-detect.sh --apply-csf

# Apply with longer temp ban duration (default 3600s = 1 hour)
./ddos-detect.sh --apply-csf --duration 86400

Repeat Offender Tracking

Bash Offender Intelligence 
# Show repeat offender tracking data (temp vs permanent stats)
./ddos-detect.sh --show-offenders

# Enrich missing entries with country/provider data
./ddos-detect.sh --enrich-offenders

# Re-enrich ALL entries from scratch (full rebuild)
./ddos-detect.sh --rebuild-offenders

Cron Automation

Bash Automated Defense 
# Install cron (every 15 min, auto-blocks when under attack)
./ddos-detect.sh --install-cron

# Custom: every 5 min, load threshold 8
./ddos-detect.sh --install-cron --cron-interval 5 --load-threshold 8

# Remove cron
./ddos-detect.sh --remove-cron

Setup

Bash Dependency Management 
# Check all dependencies and offer to install missing ones
./ddos-detect.sh --check-deps

Parameter Reference

Flag Description
–status Quick system status overview
–diagnose Full diagnostic scan across all attack vectors
–watch N Continuous monitoring, refreshes every N seconds
–ban Enable auto-ban for IPs exceeding threshold
–threshold N Connection count threshold for banning (default: 50)
–list-bans Show currently banned IPs
–unban IP Remove ban for specific IP
–apply-csf Apply blocks via CSF firewall
–dry-run Preview blocks without applying
–duration N Temp ban duration in seconds (default: 3600)
–show-offenders Display repeat offender tracking data
–enrich-offenders Enrich missing country/provider data
–rebuild-offenders Re-enrich all entries from scratch
–install-cron Install automatic cron job
–remove-cron Remove cron job
–cron-interval N Cron check interval in minutes (default: 15)
–load-threshold N Load average threshold for cron mode (default: 10)
–json JSON output for monitoring integration
–log FILE Log output to specified file
–check-deps Check and install missing dependencies

Operational tips:

  • Run it in screen or tmux
  • Make sure you have fallback access (console, IPMI, alternate admin route)
  • Configure whitelist before enabling aggressive blocking
  • Pair with upstream/CDN mitigation when possible (best of both worlds)

What You Gain

  • Uptime during real incidents
  • Subnet-grade defense against rotating bot swarms
  • Reduced manual firefighting
  • Better visibility into the attacker’s behavior
  • A practical tool when “block upstream” is not instantly available

Important reality check:

If your uplink is fully saturated upstream, local tools can’t beat physics — provider-level filtering is often required.

But if the attack is designed to melt your server resources using valid traffic (CPU/conntrack/workers), local mitigation can keep you alive — and it did.

Conclusion

On Feb 14, 2026, I got a Valentine’s “gift” I didn’t want: a subnet-heavy DDoS aimed at taking digi77.com offline — suspiciously timed two days after I announced Kodachi’s built-in AI capabilities.

I searched for an existing solution. I couldn’t find a tool online that did what I needed.

I asked GPT, and the answer was essentially: “If packets reach Linux, there isn’t much you can do — block it at provider level… but good luck if it’s legit traffic.”

So I wrote my own Bash solution.

It blocked 100% of the botnets I saw — thousands at a time, then thousands more from different regions — and kept the server online.

Get the Script (Support Kodachi)

I’ve released plenty of free scripts and sources before — 100+ over time. This one is different: it’s battle-tested under a real attack, and it’s not something you’ll easily find “ready-made” on the net.

If you want it, support the Kodachi project with a $30 donation and I’ll send you the complete solution as a thank-you — 4,000+ lines of battle-tested code.

To the attackers:

My server is still up.

Try harder. 😄

Posted in Deep Tech by Warith Al MaawaliTags:
Previous
All posts
© Warith AL Maawali. All Rights Reserved.
Stay Secure, Stay Assured.