How to Verify & Block a DDoS Attack in Linux
Introduction
A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. Such attacks target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information. A distributed denial-of-service (DDoS) attack is one where the incoming traffic comes from more than one, and often thousands of, unique IP addresses, either from botnets or via various types of reflection attack.
Verify DDOS Attack
Show only active Internet connections to the server on port 80 (the HTTP port, so this is useful if you run a web server) and sort the results. This helps detect a single-source flood, because many connections coming from one IP address become easy to spot.
# netstat -an | grep :80 | sort
List all the unique IP addresses of the remote nodes whose connections are in the SYN_REC (half-open) state.
# netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}' | sort -u
Use the netstat command to count the number of connections each IP address makes to the server.
# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
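As an added example that is not part of the original post, the POSIX shell script below wraps the per-IP counting above into functions and applies them to a constructed sample of netstat -ntu output, so it can be tried offline. The sample addresses and the threshold of 2 are assumptions. It skips the two netstat header lines, which the bare one-liner above would otherwise count as if they were addresses, and it prints the block rules rather than running them.

```shell
#!/bin/sh
# Added example (not from the original post): count connections per remote IP
# from netstat-style output and flag sources above a threshold.

# Constructed sample of `netstat -ntu` output; in practice pipe the real output in.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.9:55000         ESTABLISHED
udp        0      0 10.0.0.5:53             198.51.100.2:40002      ESTABLISHED'

# count_by_ip: read netstat output on stdin and print "count ip" lines,
# ascending by count. NR>2 skips the title and column-header lines.
count_by_ip() {
    awk 'NR>2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# over_threshold THRESHOLD: keep only the IPs with more than THRESHOLD connections.
over_threshold() {
    awk -v t="$1" '$1 > t {print $2}'
}

# block_rules: turn IPs on stdin into iptables commands (printed, not executed,
# so an operator can review them before applying anything).
block_rules() {
    while read -r ip; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Demonstration on the constructed sample (threshold 2 is an assumption).
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_ip | over_threshold 2 | block_rules
```

On a live server the same pipeline reads real output, for example `netstat -ntu | count_by_ip | over_threshold 100 | block_rules`, with the threshold chosen from what is normal for that host; a legitimate proxy or NAT gateway can also show many connections from one address, which is why the rules are printed for review first.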
Many recent outbound brute-force attacks have been observed running as a process named "/usr/bin/host".
If you run "ps faux", look for any processes by that name, or for any suspicious PHP processes (or other suspect processes forked off httpd or php).
# ps faux
If you find one, "lsof -p $PID" (with the process ID in place of $PID) lists the files and sockets it has open and will help you hunt it down.
# lsof -p $PID
Block an IP address using IPTABLES
To block an IP address on your Linux server you use the iptables tool, which configures the kernel's netfilter firewall. Type the iptables command as follows:
Step 1: Add IP Address in Firewall
# iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
Step 2: Kill the Apache sessions
# netstat -ant | awk '{print $6}' | sort | uniq -c | sort -n
# killall -KILL httpd
Step 3: Restart the Apache service
After killing the Apache sessions, restart the Apache server.
For CentOS/RedHat/Fedora
# service httpd start
For Ubuntu/Debian/OpenSUSE
# /etc/init.d/apache2 restart
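As an added example that is not part of the original post, the shell functions below wrap Step 1 so that the address is validated before it reaches iptables and the rule is only added once. The function names, the DRY_RUN switch and the sample addresses are assumptions. Two points a practitioner would want: `iptables -C` checks whether an identical rule already exists, so repeated runs do not pile up duplicate rules, and the rule is inserted with `-I` at the top of INPUT rather than appended with `-A`, because an appended DROP sits after any earlier ACCEPT rule and would never be reached for traffic that rule admits.

```shell
#!/bin/sh
# Added example (not from the original post): validate an address and build an
# idempotent block rule. DRY_RUN=1 (the default here) prints the commands
# instead of touching the firewall.
DRY_RUN="${DRY_RUN:-1}"

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0..255.
# Anything else (hostnames, shell metacharacters, IPv6) is rejected.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 } { exit 1 }'
}

# block_ip ADDR: refuse malformed input, skip if already blocked, otherwise
# insert a DROP rule at the top of INPUT so it is evaluated before any ACCEPT.
block_ip() {
    ip="$1"
    is_ipv4 "$ip" || { echo "refusing to block malformed address: $ip" >&2; return 2; }
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -C INPUT -s $ip -j DROP || iptables -I INPUT -s $ip -j DROP"
        return 0
    fi
    iptables -C INPUT -s "$ip" -j DROP 2>/dev/null && return 0
    iptables -I INPUT -s "$ip" -j DROP
}

# Demonstration with constructed addresses: one valid, one malformed.
block_ip 203.0.113.7
block_ip "203.0.113.7; rm -rf /" || echo "rejected as expected"
```

Run with `DRY_RUN=0 block_ip <address>` as root to apply the rule for real. Rules added this way live only in the running kernel and vanish at reboot, so anything you intend to keep should be saved with your distribution's iptables persistence mechanism.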