Well, I thought this should have been in the web development section, since DDoS attacks are more common against websites, but then again this seems like the correct section. Anyway, if you are the admin (or the victim) and have shell access to the server that is being DDoSed, here are some commands you can type into the SSH session to check where the attacks are coming from.
First log in over SSH (admins can use PuTTY, or the terminal in cPanel).
After you have logged in, type the following command:
netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
This gives you a list of remote IPs and the number of connections each one currently has to the server. (The cut -d: -f1 step strips the port, which only works for IPv4 addresses; IPv6 addresses contain colons and get mangled.)
For example:
1 58.9.3.43
3 66.33.23.20
3 24.95.74.2
8 64.80.4.15
15 4.20.44.2
90 59.45.2.10
The numbers vary with normal traffic, but a legitimate client usually holds only a few connections at a time. If a single IP has dozens of connections (more than about 30 on a typical small site) there is a HIGH chance it is an attack from that IP. Keep in mind that a NAT gateway, corporate proxy or CDN node can legitimately open many connections from one address, so look before you block.
In this case 90 is the number of connections and 59.45.2.10 is the attacker IP.
Here is another command that shows the number of half-open (SYN) connections to the web port:
netstat -n | grep :80 | grep SYN | wc -l
(Without -l, wc also prints word and byte counts; the first number is the line count.) On an average server this shouldn't be more than about 100. If it is in the hundreds (the usual rule of thumb is 500 or more), the server is most likely under a SYN flood. These thresholds are rough; compare against what you see during normal traffic.
Blocking the attacking IPs
Now that we know the bad IPs, we use iptables to block them.
iptables -A INPUT -s 59.45.2.10 -j DROP
Replace 59.45.2.10 with the IP address to be blocked.
To block an IP on a specific port only, type
iptables -A INPUT -p tcp -s 59.45.2.10 --dport 80 -j DROP
This prevents 59.45.2.10 from connecting to port 80, the HTTP port. You can use 21 for FTP, 25 for SMTP, 443 for HTTPS and so on. Note that -A appends the rule to the end of the INPUT chain; if an earlier rule already ACCEPTs the traffic (for example a rule accepting established connections), the DROP never gets a chance to match, so use -I INPUT instead to insert it at the top. Now we save the rules
and then restart the service:
service iptables save
service iptables restart
(These service iptables commands exist on RHEL/CentOS-style systems. The rule is active as soon as the iptables command returns; saving is only needed so it survives a reboot. On Debian/Ubuntu there is no such service; install iptables-persistent and write the rules with iptables-save > /etc/iptables/rules.v4 instead.)
Unblocking the IPs
Let's say you blocked an IP by mistake. Now you need to unblock it.
Use the following two commands. -D deletes a rule and must match the rule exactly as it was added (for the port-specific rule above that means -p tcp --dport 80 as well); the OUTPUT line is only needed if you also added an OUTPUT rule, otherwise iptables reports that no matching rule exists.
iptables -D INPUT -p all -s 59.45.2.10 -j DROP
iptables -D OUTPUT -p all -s 59.45.2.10 -j DROP
Replace 59.45.2.10 with the IP address you want to unban. Again, save and restart the iptables service.
service iptables save
service iptables restart
Another way which I haven't tried is installing ddosdeflate, which does the work for you.
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
Read the script before you run it: executing a downloaded install script as root is a risk in itself. You can do this to prevent DDoSers or at least reduce their connections. Bear in mind that blocking one address at a time only helps against a single noisy source; a truly distributed attack comes from many addresses, and then per-IP rules stop scaling.
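The whole procedure above (count connections per remote IP, count half-open SYNs on port 80, then generate DROP rules for the offenders) in one script, as an added example that is not part of the original post. It runs against a constructed netstat -atun sample embedded in the script so it can be tried offline; the 30-connection threshold is an assumption and should be tuned to what the host looks like under normal load. The script only prints the iptables commands rather than executing them, so you can review the list before blocking anything.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises netstat output the way
# the post's pipeline does, counts SYN_RECV sockets on :80, and prints (does not
# run) iptables DROP rules for IPs over a threshold.

# Constructed sample of `netstat -atun` output (not real traffic).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             66.33.23.20:55120       ESTABLISHED
tcp        0      0 10.0.0.5:80             58.9.3.43:51234         ESTABLISHED
tcp        0      0 10.0.0.5:80             64.80.4.15:33001        ESTABLISHED
tcp        0      0 10.0.0.5:80             64.80.4.15:33002        TIME_WAIT
tcp        0      0 10.0.0.5:80             59.45.2.10:40001        SYN_RECV
tcp        0      0 10.0.0.5:80             59.45.2.10:40002        SYN_RECV
tcp        0      0 10.0.0.5:80             59.45.2.10:40003        SYN_RECV
tcp        0      0 10.0.0.5:80             59.45.2.10:40004        ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Read netstat output on stdin; print "count ip" per remote address, lowest first.
# Skips the header lines and listening sockets (Foreign Address ending in "*").
# Strips only the trailing ":port", so it also survives IPv6/mapped addresses,
# unlike the cut -d: -f1 pipeline in the post.
count_per_ip() {
  awk '$1 ~ /^(tcp6?|udp6?)$/ && $5 !~ /\*$/ {
         sub(/:[0-9]+$/, "", $5); n[$5]++
       }
       END { for (ip in n) print n[ip], ip }' | sort -n
}

# Read netstat output on stdin; print the number of half-open connections to :80.
count_syn() {
  awk '$1 == "tcp" && $4 ~ /:80$/ && $6 == "SYN_RECV" { c++ } END { print c + 0 }'
}

# Read netstat output on stdin; print the connection count for one IP (0 if absent).
connections_from() {
  count_per_ip | awk -v ip="$1" '$2 == ip { print $1; found = 1 }
                                 END { if (!found) print 0 }'
}

# Read netstat output on stdin; print an iptables DROP rule for every IP with
# more than $1 connections. -I puts the rule at the top of INPUT so an earlier
# ACCEPT rule cannot shadow it. Nothing is executed here; pipe into sh after review.
block_rules() {
  count_per_ip | awk -v t="$1" '$1 > t {
    printf "iptables -I INPUT -s %s -j DROP\n", $2
  }'
}

# Demo on the constructed sample. On a live host, replace the printf with:
#   netstat -atun | count_per_ip
THRESHOLD=30   # assumption: tune to the host's normal per-client connection count
printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip
printf 'half-open connections on :80: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | count_syn)"
printf '%s\n' "$SAMPLE_NETSTAT" | block_rules 3   # low threshold so the sample triggers
```

On the sample, 59.45.2.10 is the only address with more than three connections and it also owns all three SYN_RECV sockets, so it is the one rule the script prints. On a real host run it with the 30 threshold (or whatever your baseline says) and pipe the output into sh only after reading it, so a busy but legitimate NAT address does not get dropped by reflex.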
I got a clear idea about what Linux is and how it works; all the points come through in this blog. Most small and large business people prefer this kind of valuable tip.
hmm, thanks for your suggestions.