5kits zhao

DDoS attack

DoS Attack (Denial of Service)

As the name says, it denies services such as httpd, exim, ftp, etc. Mostly we deal with DoS attacks on the Apache service, which cause sites to slow down or not load at all.

A DoS attack shows up as a high number of connections from one IP address or a few IPs. We can easily find the high-connection IPs using the ‘netstat’ command and block those IPs using firewalls.

The command for listing IPs and number of connections is:

 netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The command for finding the total connections is:

 netstat -plan | grep :80 | wc -l

If you find any IP address with excessive connections (more than 50), block it using iptables, APF, or CSF.

Using iptables, you can block an IP by issuing the command:

iptables -A INPUT -s IP -p tcp --dport 80 -j DROP
/etc/rc.d/init.d/iptables save

Using APF, this command is used:

apf -d IP

Using CSF:

csf -d IP
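The detect-then-block procedure above, as an added shell example that is not part of the original post: it reads netstat output, counts ESTABLISHED connections per remote IP on an exact local port (a plain `grep :80` would also match :8080), and prints the iptables command for each IP over the threshold instead of running it. The netstat listing is constructed here, not captured from a real host.

```shell
#!/bin/sh
# Constructed `netstat -plan` listing (same field layout as real netstat):
# 60 connections from 203.0.113.7 to :80, 3 from 198.51.100.2, one LISTEN
# line, and one :8080 connection that a bare 'grep :80' would wrongly count.
sample_netstat() {
    printf 'Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name\n'
    printf 'tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1234/httpd\n'
    awk 'BEGIN {
        for (i = 1; i <= 60; i++)
            printf "tcp 0 0 10.0.0.5:80 203.0.113.7:%d ESTABLISHED 1234/httpd\n", 40000 + i
        for (i = 1; i <= 3; i++)
            printf "tcp 0 0 10.0.0.5:80 198.51.100.2:%d ESTABLISHED 1234/httpd\n", 50000 + i
        print "tcp 0 0 10.0.0.5:8080 192.0.2.9:33333 ESTABLISHED 2222/java"
    }'
}

# connections_per_ip PORT: netstat output on stdin -> "count ip" lines,
# ascending, counting only ESTABLISHED connections whose local port is PORT.
connections_per_ip() {
    awk -v port="$1" '$6 == "ESTABLISHED" && $4 ~ (":" port "$") {
            split($5, a, ":"); print a[1] }' \
        | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# flag_ips PORT THRESHOLD: only the IPs with more than THRESHOLD connections.
flag_ips() {
    connections_per_ip "$1" | awk -v t="$2" '$1 + 0 > t + 0 { print $2 }'
}

# suggest_blocks PORT THRESHOLD: print (do not execute) the iptables rule
# from the text for every flagged IP, so an admin can review before blocking.
suggest_blocks() {
    flag_ips "$1" "$2" | while read -r ip; do
        echo "iptables -A INPUT -s $ip -p tcp --dport $1 -j DROP"
    done
}

# On a live host replace sample_netstat with: netstat -plan | suggest_blocks 80 50
sample_netstat | suggest_blocks 80 50
```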

DDoS is a distributed denial of service, an advanced form of DoS attack. The number of connections from an individual IP may be low, but the connections come from many IPs or a range of IPs.

Most of the time the attack is concentrated on one domain. In such cases, kill the DNS of that domain to reduce the attack.

Preventive measures for DDoS attacks include:

  • Install firewalls like APF or CSF and configure them to block the high connection IPs.
  • Install the mod_dosevasive module (only during a DoS attack).

Conclusion

As we all know, “prevention is better than cure,” so always take necessary preventive measures and keep auditing and monitoring your servers.

  • Install System Integrity Monitor (SIM) or CSF and configure it to send alerts on load spikes.
  • Update your old and vulnerable software.
  • Take the necessary preventive measures to avoid load spikes.
  • Secure your servers and tune software like Apache, exim, etc. for better performance.
