
How to Verify & Block DDOS Attack in Linux

Introduction

A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. Such attacks target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information. A distributed denial-of-service (DDoS) attack is one where the incoming traffic comes from more than one, and often thousands of, unique IPs, either from botnets or via various types of reflection attack.

Verify DDOS Attack

Show only the active Internet connections to the server on port 80 (the HTTP port, so this is useful if you run a web server) and sort the results. This helps detect a single-source flood, because many connections from one IP stand out in the sorted list.

# netstat -an | grep :80 | sort

List the unique IP addresses of the hosts whose connections are sitting in the SYN_RECV (half-open) state.

# netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}' | sort -u

Use netstat command to calculate and count the number of connections each IP address makes to the server.

# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
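The three one-liners above each answer one question. The script below, an added example that is not part of the original post, joins them into reusable shell functions: it parses `netstat -ntu`-style output, counts connections per remote IP, flags any IP above a threshold, and prints (without executing) the matching `iptables ... -j DROP` rule. The netstat output embedded in `SAMPLE_NETSTAT` is constructed for the example rather than captured from a real host, and the function names and the threshold of 3 are the example's own choices. Unlike `cut -d: -f1`, the port is stripped from the last colon, so an IPv6 peer such as `2001:db8::1:443` is not truncated to `2001`.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not captured from a real host).
# Columns: Proto Recv-Q Send-Q Local Address Foreign Address State
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:55000      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.44:6000         ESTABLISHED'

# count_per_ip: read netstat output on stdin and print "<count> <ip>" for each
# remote IP, ascending by count. The port is removed from the last ':' onward,
# so IPv6 peers survive intact (cut -d: -f1 would truncate them).
count_per_ip() {
    awk '$1 == "tcp" || $1 == "udp" || $1 == "tcp6" || $1 == "udp6" {
            peer = $5
            sub(/:[0-9]+$/, "", peer)
            n[peer]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -n
}

# flag_ips THRESHOLD: print the remote IPs with more than THRESHOLD connections.
flag_ips() {
    threshold="$1"
    count_per_ip | awk -v t="$threshold" '$1 > t { print $2 }'
}

# drop_rules THRESHOLD: emit the iptables rule for each flagged IP as text.
# Nothing is executed here; review the list before applying it.
drop_rules() {
    flag_ips "$1" | while read -r ip; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip
printf '%s\n' "$SAMPLE_NETSTAT" | drop_rules 3
```

On a live host replace the sample with `netstat -ntu | count_per_ip`. A fixed threshold is only a starting point: a busy NAT gateway or a legitimate proxy can hold many connections, so compare the count against the normal baseline for that server before dropping anything.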

A lot of outbound brute-force attacks lately have been running under the name “/usr/bin/host”.
If you run “ps faux”, look for any processes with that name, or for any suspicious PHP processes (or other suspect processes forked off httpd or php).

# ps faux

If you find them, “lsof -p $PID” will help you hunt it down.

# lsof -p $PID

Block an IP address using IPTABLES

To block an IP on your Linux server you use the iptables tool, which configures the kernel's netfilter firewall. To block an IP address, type the iptables command as follows:

Step 1: Add IP Address in Firewall

# iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

Step 2: Kill the apache sessions

# netstat -ant | awk '{print $6}' | sort | uniq -c | sort -n
# killall -KILL httpd

Step 3: Restart apache service

After killing the apache sessions restart the apache server.

For CentOS/RedHat/Fedora

# service httpd start

For Ubuntu/Debian/OpenSUSE

# /etc/init.d/apache2 restart