baumi's blog

baumi's personal blog … Linux, OS X, Windows, Random things, …

26 07 2025

Mitigating DDoS attack: botnet imitating microsoft bingads, githubhelp.com, trustpilot clicks – Banned IP list

admin | News

On July 25, 2025 a Distributed-Denial-of-Service (DDoS) attack was launched against interssl.com, performed by a botnet. Current counter shows a total of 512030 different IPs accessing our server. The attackers simulated millions of fake campaign clicks from bingads and trustpilot company profile.

In case you are affected, here is the IP list to block the botnet using e.g. iptables

ALL IPs
Download ddosban_ips_all.txt (IPs only)
Download ddosban_ips_all_stats.txt (sorted, with statistics)

TOP 3000 IPs (based on access frequency)
Download ddosban_ips_top3000.txt (IPs only)
Download ddosban_ips_top3000_stats.txt (sorted, with statistics)

Last updated: 26.07.2025 21:15 CET

Block IPs using iptables / ipset
This simple script executes in about ~3 minutes:

#/bin/bash
IP_FILE="ddosban_ips_all.txt"

# Show total number of IPs
date ; wc -l $IP_FILE

# Create "ddos1" list
ipset create ddos1 hash:ip
iptables -A INPUT   -m set --match-set ddos1 src   -j LOG
iptables -A INPUT   -m set --match-set ddos1 src   -j DROP
ipset flush ddos1

# Block IPs
while read -r ip; do
    ipset -q -A ddos1 $ip
done < $IP_FILE

ipset list ddos1 | grep "Number of entries:" -B 100

Block IPs using "ipset restore" (performance optimized)
This script executes in about ~20 seconds:

#!/bin/bash
IP_FILE="ddosban_ips_all.txt"
SETNAME="ddos3"

# Show total number of IPs
date ; wc -l $IP_FILE

# Create ipset
if ! ipset list $SETNAME >/dev/null 2>&1; then
  ipset create $SETNAME hash:ip family inet hashsize 131072 maxelem 1048576
fi
ipset flush $SETNAME

# Create tempfile for "ipset restore"
TMP_FILE=$(mktemp)
while read -r ip; do
    [[ -n "$ip" ]] && echo "add $SETNAME $ip" >> $TMP_FILE
done < $IP_FILE

# Execute ipset restore
ipset restore < $TMP_FILE ; rm $TMP_FILE

# Important: iptables needs to run *AFTER* "ipset restore" to ban IPs
# Thus running -D -A instead of -C -A, to make sure all IPs are banned
# in case script is executed repeatedly with growing IP lists
iptables -D INPUT -m set --match-set $SETNAME src -j LOG 2>/dev/null
iptables -A INPUT -m set --match-set $SETNAME src -j LOG

iptables -D INPUT -m set --match-set $SETNAME src -j DROP 2>/dev/null
iptables -A INPUT -m set --match-set $SETNAME src -j DROP

ipset list $SETNAME | grep "Number of entries:" -B 100

Comments are currently closed.