yuki-antiddos is no longer maintained.
- This script had its time, but it's old and buggy
- nftables behaves differently across systems, which made things tricky
- But don’t worry! A shiny new project has arrived: yukiwall (github.com/mintyYuki/yukiwall) ✨
yukiwall is super fresh, works perfectly, minimal bugs, and is slowly taking over. Everything's neat, clean, and modern - basically the upgrade you've been waiting for! <3
This project is kept only for reference and historical purposes 🌸
yuki-antiddos is a lightweight L3–L4 anti-DDoS ruleset built on top of nftables and Linux kernel tuning.
It is designed to mitigate CPU-exhausting network attacks with:
- minimal overhead
- kernel-level filtering
- no userspace packet processing
This project targets environments where:
- bandwidth is not the main bottleneck
- CPU exhaustion is the real problem
- provider-side DDoS protection is insufficient
Works on:
- servers
- desktops & laptops (including hostile public networks)
- routers (with minor manual adjustments)
This project was born out of necessity.
A production server was targeted with advanced L3–L4 attacks.
The hosting provider claimed to have DDoS protection — and technically, they did.
However:
- it only covered attacks that saturated bandwidth
- it did not protect against attacks designed to overload CPU
No hosting provider used at the time offered protection against the specific attack patterns being used.
Existing public rulesets:
- were inefficient
- caused unnecessary CPU load
- or failed under real attack conditions
So the decision was made to write a custom ruleset focused specifically on CPU-bound attack mitigation.
The result provided full coverage for the observed attack vectors.
Since there were no solid ready-made solutions at the time, this project was later shared publicly.
Mitigated (L3–L4):
- UDP floods
- SYN floods
- Reflection & amplification attacks
- Spoofed traffic
- High PPS junk traffic at L3–L4
Not mitigated (out of scope for an L3–L4 ruleset):
- L7 / application-layer attacks
- Slowloris-style attacks
- Abuse of valid application logic
- Attacks hidden behind TLS
- Payload-level inspection attacks
This ruleset is optimized primarily for minimal CPU usage under high packet rates.
Core principles:
- early packet drops
- short rule traversal paths
- avoiding expensive matches in hot chains
- no logging at all
The goal is not to analyze traffic, but to reject garbage as early and cheaply as possible.
As a result, the ruleset remains effective under large PPS floods while keeping CPU usage stable.
- 🧬 Split-Chain Architecture
- 🛑 Drop Policy
- 📶 Stateful 2-Stage UDP rate limiting
- 🛡️ Sysctl Hardening
- 🔄 Easy Updates
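The principles and features above, shown as an added example that is not the project's own ruleset: a shell script that emits a compact nftables ruleset (drop policy, cheapest decisions first, one short chain per protocol, a per-source meter followed by a global cap for UDP) and a matching sysctl fragment. The allowed ports (22, 80, 443, 53, 51820), every rate limit and every sysctl value are assumptions chosen for illustration; `nft -c` parses and validates the ruleset without loading it.

```sh
#!/bin/sh
# Added example, not the yuki-antiddos ruleset itself. Port numbers, rate
# limits and sysctl values below are assumptions chosen for illustration.

# Emit an nftables ruleset: drop policy, cheapest decisions first,
# and one short chain per protocol so hot paths stay short.
gen_ruleset() {
cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # cheapest checks first: loopback, already-tracked flows, invalid state
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # split by protocol so each hot chain stays short
        meta l4proto icmp jump icmp_in
        meta l4proto ipv6-icmp jump icmp_in
        meta l4proto udp jump udp_in
        meta l4proto tcp jump tcp_in
    }

    chain icmp_in {
        icmp type echo-request limit rate 10/second accept
        # IPv6 neighbour discovery must stay open or IPv6 stops working
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big } accept
        icmpv6 type echo-request limit rate 20/second accept
    }

    chain udp_in {
        # stage 1: per-source cap, one counter per address (stateful meter);
        # ip saddr only matches IPv4 in an inet table, hence a second meter for IPv6
        meter udp4_src { ip saddr limit rate over 200/second burst 400 packets } drop
        meter udp6_src { ip6 saddr limit rate over 200/second burst 400 packets } drop
        # stage 2: global cap so a spoofed, many-source flood still has a ceiling
        limit rate over 20000/second burst 40000 packets drop
        udp dport { 53, 51820 } accept
    }

    chain tcp_in {
        # impossible flag combinations never reach conntrack
        tcp flags & (fin|syn) == (fin|syn) drop
        tcp flags & (syn|rst) == (syn|rst) drop
        # SYN flood: cap the rate of new connection attempts
        tcp flags & (fin|syn|rst|ack) == syn limit rate over 1000/second burst 2000 packets drop
        tcp dport { 22, 80, 443 } ct state new accept
    }
}
EOF
}

# Kernel tuning that complements the ruleset: SYN cookies, a larger SYN
# backlog, reverse-path filtering against spoofed sources, no ICMP redirects.
gen_sysctl() {
cat <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.core.netdev_max_backlog = 65536
EOF
}

# check: parse-validate the ruleset without touching the kernel (nft -c).
# apply: load the ruleset in one transaction and install the sysctl fragment.
case "${1:-}" in
    check) gen_ruleset | nft -c -f - ;;
    apply) gen_ruleset | nft -f - \
           && gen_sysctl > /etc/sysctl.d/90-antiddos.conf \
           && sysctl -q --system ;;
    *)     gen_ruleset ;;
esac
```

Run the script with `check` on the target before `apply`: the `meter` keyword is the older spelling of what newer nft releases express as a dynamic set, and since nftables behaves differently across systems, `nft -c` on the actual host is the quickest way to learn which syntax it accepts. Rule order matters for the CPU goal: the established/related accept and the invalid drop sit before any jump, so the bulk of legitimate traffic never traverses the protocol chains, and nothing in the hot path logs.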
⚠️ This will remove ufw, firewalld, and their configs.

```sh
sudo apt update \
&& sudo apt purge ufw firewalld -y \
&& sudo apt install nftables git bc iproute2 -y \
&& git clone https://github.com/mintyYuki/antiddos \
&& cd antiddos \
&& sudo bash antiddos-yuki
```

| Distribution | Status |
|---|---|
| Ubuntu 24.04+ | ✅ Fully supported, recommended |
| Ubuntu < 24.04 | |
| Debian 12+ | 🟡 Partially supported |
| Other distros | ❌ Not supported |
Dependencies:
- nftables — packet filtering backend
- git — repository cloning
- bc, iproute2 — script utilities
Updating is straightforward:
- pull the latest changes from Git
- re-run the installation script
The ruleset is designed to be easily re-applied without restarting the network or the system.
Rollback mechanisms are currently limited. Always test updates on non-critical systems first.
On some systems, nftables rules may not survive reboot due to service behavior. This is not critical but may require a custom workaround.
There are no automated tests. Most testing happens on real servers under real workloads.
Automatic rollback is incomplete. In rare edge cases, SSH access may break without proper rollback.
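Because rollback is limited and a bad ruleset can lock you out over SSH, the re-apply step is worth wrapping in a guard. The script below is an added example, not the project's installer: it validates the new ruleset with `nft -c`, snapshots the live one, loads the new one, and starts a watchdog that restores the snapshot unless you confirm from a second session within a window; it also writes the confirmed ruleset to `/etc/nftables.conf` so systemd's `nftables.service` reloads it at boot, which is one workaround for rules not surviving a reboot. The paths, the 60 s window, and the reliance on `nftables.service` are assumptions; `NFT` and `SYSTEMCTL` are overridable so the logic can be exercised without root.

```sh
#!/bin/sh
# Added example of a guarded re-apply, not the project's installer. The paths,
# the 60 s window and the use of systemd's nftables.service are assumptions.
# NFT, SYSTEMCTL and the paths are overridable so the logic can be dry-run.
NFT=${NFT:-nft}
SYSTEMCTL=${SYSTEMCTL:-systemctl}
ROLLBACK_SECS=${ROLLBACK_SECS:-60}
BACKUP=${BACKUP:-/run/antiddos-rollback.nft}
PERSIST_FILE=${PERSIST_FILE:-/etc/nftables.conf}

# Snapshot the live ruleset so it can be restored verbatim.
backup_ruleset() {
    "$NFT" list ruleset > "$BACKUP"
}

# Check the new ruleset, snapshot the old one, load the new one, and start a
# watchdog that restores the snapshot unless confirm_ruleset runs in time.
# Run this from the session you can afford to lose; confirm from a fresh one.
apply_with_rollback() {
    new_rules="$1"
    "$NFT" -c -f "$new_rules" || return 1      # syntax/semantic check only
    backup_ruleset || return 1
    "$NFT" -f "$new_rules" || return 1         # loaded as one transaction
    : > "$BACKUP.pending"                      # marker: not yet confirmed
    (
        sleep "$ROLLBACK_SECS"
        if [ -e "$BACKUP.pending" ]; then      # nobody confirmed: roll back
            "$NFT" -f "$BACKUP" && rm -f "$BACKUP.pending" && : > "$BACKUP.rolledback"
        fi
    ) &
    echo $! > "$BACKUP.watchdog"
}

# Cancel the watchdog once a new SSH session proves the rules are sane.
confirm_ruleset() {
    rm -f "$BACKUP.pending"
    if [ -r "$BACKUP.watchdog" ]; then
        kill "$(cat "$BACKUP.watchdog")" 2>/dev/null || true
        rm -f "$BACKUP.watchdog"
    fi
}

# Make the confirmed ruleset survive reboot: nftables.service loads
# /etc/nftables.conf at boot, so write the live ruleset there and enable it.
persist_ruleset() {
    {
        printf '#!/usr/sbin/nft -f\nflush ruleset\n'
        "$NFT" list ruleset
    } > "$PERSIST_FILE"
    "$SYSTEMCTL" enable nftables >/dev/null 2>&1 || true
}
```

Typical sequence after a `git pull`: `apply_with_rollback new.nft` from the current session, open a second SSH session, and only then run `confirm_ruleset` followed by `persist_ruleset`. If the second session cannot connect, doing nothing is the recovery: the watchdog restores the previous ruleset when the window expires.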
Oracle Cloud heavily relies on preconfigured iptables rules. This script wipes existing rules and may break networking. Not supported.