[Tutorial] Blocking DoS/DDoS Attacks on a Linux Server
Well, I thought this should have been in the web development section, since DDoS attacks are more common against websites, but then again this seems like the correct section. Anyway, if you, as admin or victim, have shell access to the server that is being DDoSed, here are some commands you can type into the SSH session to check where the attack is coming from.
First log in over SSH; admins can use PuTTY or the cPanel terminal.
After you have logged in, type the following command:
Code:
netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
This lists each remote IP together with the number of connections it currently has to the server, lowest count first. The two header lines of netstat's output show up as a couple of junk entries (such as "Address"), which you can ignore, and IPv6 addresses are truncated at their first colon by the `cut -d: -f1` step. On newer distributions netstat may not be installed at all; `ss -tun` prints the same information.
For example:
1 58.9.3.43
3 66.33.23.20
3 24.95.74.2
8 64.80.4.15
15 4.20.44.2
90 59.45.2.10
The numbers vary with normal traffic: a single browser keeps several connections open, and many users behind one NAT gateway or proxy share one source IP, so a handful of connections per IP is normal. An IP with dozens or hundreds of connections while everything else is in single digits deserves a closer look before you block it. Keep in mind that a real DDoS is spread over many source IPs, each with only a few connections, so this per-IP check mostly catches DoS from one or a few hosts.
In this case 90 is the number of connections and 59.45.2.10 is the likely attacker IP.
Here is another command that shows the number of half-open connections on port 80 (state SYN_RECV, i.e. the client sent a SYN but never completed the handshake):
Code:
netstat -n | grep :80 | grep SYN | wc -l
On a typical server this number should stay low, on the order of tens rather than hundreds; a count that stays in the hundreds or climbs into the thousands points to a SYN flood. If that is what you see, make sure SYN cookies are enabled (`net.ipv4.tcp_syncookies = 1` via sysctl) so the kernel can keep accepting legitimate connections while the flood is running.
Blocking the attacking IPs
Now that we know the bad IPs, we use iptables to block them.
Code:
iptables -A INPUT -s 59.45.2.10 -j DROP
Replace 59.45.2.10 with the IP address to be blocked. Note that -A appends the rule to the end of the INPUT chain; if an earlier rule already accepts ESTABLISHED connections, the appended DROP never matches the attacker's existing connections. Use `iptables -I INPUT -s 59.45.2.10 -j DROP` instead to insert it at the top of the chain.
To block IP on a specific port, type
Code:
iptables -A INPUT -p tcp -s 59.45.2.10 --dport 80 -j DROP
This prevents 59.45.2.10 from connecting to port 80, the HTTP port. Use 21 for FTP, 25 for SMTP, and so on.
The rules take effect as soon as they are entered, but they live only in memory. To keep them across a reboot on RHEL/CentOS, save them:
Code:
service iptables save
Then reload the saved rule set (this is not required for the rules to work; it only confirms that what was saved is what comes back):
Code:
service iptables restart
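The two steps above, finding the heavy talkers and writing DROP rules for them, as an added example that is not part of the original post. It reads `ss -Htun` output (peer address in field 6) or `netstat -tun` output (foreign address in field 5), skips the header lines, strips the port, handles IPv6 peers that the original `cut -d: -f1` would truncate, and prints the iptables/ip6tables commands for review instead of running them. The function names are hypothetical and both samples are constructed; `-H` for ss is assumed to be available (iproute2 4.x or newer).

```shell
#!/bin/sh
# Added example, not from the original post. Counts connections per remote
# IP and prints block rules for the worst offenders. Function names are
# hypothetical; the sample outputs below are constructed.

# Constructed `ss -Htun` output: Netid State Recv-Q Send-Q Local Peer
SAMPLE_SS='tcp ESTAB 0 0 10.0.0.5:80 59.45.2.10:51234
tcp ESTAB 0 0 10.0.0.5:80 59.45.2.10:51235
tcp ESTAB 0 0 10.0.0.5:80 59.45.2.10:51236
tcp SYN-RECV 0 0 10.0.0.5:80 59.45.2.10:51237
tcp ESTAB 0 0 10.0.0.5:22 4.20.44.2:40001
tcp ESTAB 0 0 [2001:db8::5]:80 [2001:db8:abcd::9]:50000
tcp ESTAB 0 0 [2001:db8::5]:80 [2001:db8:abcd::9]:50001
udp UNCONN 0 0 10.0.0.5:53 66.33.23.20:53'

# Constructed `netstat -tun` output, headers included (foreign address is field 5)
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             59.45.2.10:51234        SYN_RECV
tcp        0      0 10.0.0.5:80             59.45.2.10:51238        ESTABLISHED'

# peer_counts [FIELD]: read ss/netstat lines on stdin, print "COUNT IP",
# highest count first. Header lines are skipped because they do not start
# with tcp/udp. The trailing :port is removed and IPv6 brackets dropped.
peer_counts() {
  awk -v f="${1:-6}" '
    $1 ~ /^(tcp|udp)/ {
      p = $f
      sub(/:[^:]*$/, "", p)   # drop :port (last colon-separated part)
      gsub(/[][]/, "", p)     # drop [ ] around IPv6 addresses
      if (p != "") print p
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# syn_recv_count: half-open connections (ss prints SYN-RECV in field 2,
# netstat prints SYN_RECV in field 6). A large, sustained value is a SYN flood.
syn_recv_count() {
  awk '$2 == "SYN-RECV" || $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# offenders THRESHOLD [FIELD]: peers with more than THRESHOLD connections.
offenders() {
  peer_counts "${2:-6}" | awk -v t="$1" '$1 > t + 0 { print $2 }'
}

# block_rules THRESHOLD [FIELD]: print DROP rules without applying them.
# -I puts the rule at the top of INPUT so an earlier ACCEPT for ESTABLISHED
# traffic cannot shadow it; IPv6 peers need ip6tables, not iptables.
block_rules() {
  offenders "$1" "${2:-6}" | while read -r ip; do
    case $ip in
      *:*) echo "ip6tables -I INPUT -s $ip -j DROP" ;;
      *)   echo "iptables -I INPUT -s $ip -j DROP" ;;
    esac
  done
}

# Demo on the constructed samples. On a live server replace the printf with
# `ss -Htun` (or `netstat -tun` and pass FIELD=5).
printf '%s\n' "$SAMPLE_SS" | peer_counts
echo "half-open (ss sample): $(printf '%s\n' "$SAMPLE_SS" | syn_recv_count)"
printf '%s\n' "$SAMPLE_NETSTAT" | peer_counts 5
printf '%s\n' "$SAMPLE_SS" | block_rules 2
```

Pipe the printed rules through `sh` only after you have looked at them; a threshold of 2 on the sample flags only 59.45.2.10, while a threshold of 1 also flags the IPv6 peer and correctly emits an ip6tables rule for it. To take a rule out again later, `iptables -L INPUT -n --line-numbers` shows each rule with its position and `iptables -D INPUT <number>` deletes it without having to retype the rule exactly.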
Unblocking the IPs
Let's say you blocked an IP by mistake and need to unblock it. A -D rule must match the rule you added exactly (including -p tcp and --dport 80 if you used the port-specific form), so use the same parameters you used when blocking. The commands below remove a plain block from INPUT and from OUTPUT; the OUTPUT one is only needed if you added a rule there too, otherwise it just reports that no such rule exists.
Code:
iptables -D INPUT -p all -s 59.45.2.10 -j DROP
Code:
iptables -D OUTPUT -p all -s 59.45.2.10 -j DROP
Replace 59.45.2.10 with the IP address you want to unban.
Again, save the rules so the change survives a reboot (RHEL/CentOS; on Debian and Ubuntu there is no `service iptables`, and `iptables-save` plus the iptables-persistent package do the same job).
Code:
service iptables save
Code:
service iptables restart
Another way, which I haven't tried, is installing DDoS Deflate, which does this work for you.
Code:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
Keep in mind that this fetches the installer over plain HTTP from a third-party site and runs it as root, so read the script before executing it. Either approach helps against DoS attackers, or at least limits the number of connections they can hold open.