Loading repository data…
Loading repository data…
mintyYuki / repository
Simple script against most network threats.
yuki-antiddos is no longer maintained.
yukiwall is super fresh, works perfectly, minimal bugs, and is slowly taking over. Everything's neat, clean, and modern - basically the upgrade you've been waiting for! <3
This project is kept only for reference and historical purposes 🌸
yuki-antiddos is a lightweight L3–L4 anti-DDoS ruleset built on top of nftables and Linux kernel tuning.
It is designed to mitigate CPU-exhausting network attacks with:
This project targets environments where:
Works on:
This project was born out of necessity.
A production server was targeted with advanced L3–L4 attacks.
The hosting provider claimed to have DDoS protection — and technically, they did.
However:
No hosting provider used at the time offered protection against the specific attack patterns being used.
Existing public rulesets:
So the decision was made to write a custom ruleset focused specifically on CPU-bound attack mitigation.
The result provided full coverage for the observed attack vectors.
Since there were no solid ready-made solutions at the time, this project was later shared publicly.
This ruleset is optimized primarily for minimal CPU usage under high packet rates.
Core principles:
The goal is not to analyze traffic, but to reject garbage as early and cheaply as possible.
As a result, the ruleset remains effective under large PPS floods while keeping CPU usage stable.
⚠️ This will remove
ufw,firewalld, and their configs.
sudo apt update \
&& sudo apt purge ufw firewalld -y \
&& sudo apt install nftables git bc iproute2 -y \
&& git clone https://github.com/mintyYuki/antiddos \
&& cd antiddos \
&& sudo bash antiddos-yuki
| Distribution | Status |
|---|---|
| Ubuntu 24.04+ | ✅ Fully supported, recommended |
| Ubuntu < 24.04 | ⚠️ Not recommended |
| Debian 12+ | 🟡 Partially supported |
| Other distros | ❌ Not supported |
Updating is straightforward:
The ruleset is designed to be easily re-applied without restarting the network or the system.
Rollback mechanisms are currently limited. Always test updates on non-critical systems first.
On some systems, nftables rules may not survive reboot due to service behavior. This is not critical but may require a custom workaround.
There are no automated tests. Most testing happens on real servers under real workloads.
Automatic rollback is incomplete. In rare edge cases, SSH access may break without proper rollback.
Oracle Cloud heavily relies on preconfigured iptables rules. This script wipes existing rules and may break networking. Not supported.
Not supported.