DDOS Attack

29 Sep

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.

Commands to check the DDOS:

====================================

Check the process ID of httpd with the following command:

pidof httpd

Then run this command:

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The above command shows a list of IPs with their connection counts. Check which IP is causing it and then block it.

Then check which databases are utilized more with the following command:

mysqladmin pr

====================================

These are some important steps to fight against the DDOS.

+++++++++++++++++++++++++++++++++++++

Additionally, a more accurate way to stop DDoS is as follows:

++++++++++++++++++++++++++++++++++++++

To minimize a DDoS attack, apply the following tweaks:

In your CSF configuration check for the following:-

# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
#
# Leave this option empty to count all states against CT_LIMIT
CT_STATES = "FIN_WAIT1,SYN_RECV"
Remember to first check whether it is a FIN_WAIT or SYN flood on your server. It can be checked with the following commands:
~~~~~~~~~~~~~~~~~~~
netstat -nap | grep FIN_WAIT1
netstat -nap | grep FIN_WAIT1 | wc -l
~~~~~~~~~~~~~~~~~~~
netstat -nap | grep SYN_RECV
netstat -nap | grep SYN_RECV | wc -l
~~~~~~~~~~~~~~~~~~~
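The per-IP count from the first section and the state check above can be combined into one pass. This is an added example, not part of the original post; the function names `count_by_state` and `sample_netstat`, the sample lines and the limit value are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: count connections per remote IP, restricted to chosen TCP
# states (the same idea as CSF's CT_STATES), and list IPs at or over a limit.

# Constructed sample in `netstat -ant` layout (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40003       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51000      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51001      FIN_WAIT1
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:3333 SYN_RECV
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:3334 FIN_WAIT1
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
EOF
}

# count_by_state STATES LIMIT
#   STATES: comma-separated list such as "FIN_WAIT1,SYN_RECV"; empty = all states
#   LIMIT:  only print IPs with at least this many matching connections
# Reads netstat lines on stdin, prints "COUNT IP" sorted by count, highest first.
count_by_state() {
    awk -v states="$1" -v limit="$2" '
        BEGIN {
            n = split(states, s, ",")
            for (i = 1; i <= n; i++) want[s[i]] = 1
        }
        # Field 5 is the foreign address, field 6 the TCP state.
        $1 ~ /^tcp/ && (n == 0 || ($6 in want)) {
            ip = $5
            sub(/:[0-9*]+$/, "", ip)   # drop only the port, so IPv6 survives
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= limit) print count[ip], ip
        }
    ' | sort -rn
}

# Demo on the sample; on a live host: netstat -ant | count_by_state "SYN_RECV" 20
sample_netstat | count_by_state "FIN_WAIT1,SYN_RECV" 2
```

Stripping only the trailing port matters because `cut -d: -f1` returns an empty string for peers that netstat prints in IPv4-mapped form such as `::ffff:203.0.113.9:3333`, which hides them from the count.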
If the above tweak does not work, follow these steps:
First, enable SYN cookies:
~~~~~~~~~~~~~~~~~~~
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

~~~~~~~~~~~~~~~~~~~

and then

Try all of these iptables rules, since there may be other attacks too.
~~~~~~~~~~~~~~~~~~~
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
~~~~~~~~~~~~~~~~~~~
then,
~~~~~~~~~~~~~~~~~~~
service iptables save
service iptables restart

~~~~~~~~~~~~~~~~~~~

If the problem still persists, try the steps below:

A] Try limiting incoming requests:

~~~~~~~~~~~~~~~~~~~
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name http_flood --set

iptables -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --name http_flood --update --seconds 10 --hitcount 3 -j DROP

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

~~~~~~~~~~~~~~~~~~~

B] Filtering incoming TCP SYN requests:

~~~~~~~~~~~~~~~~~~~

iptables -N syn_flood

iptables -A INPUT -p tcp --syn -j syn_flood

iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN

iptables -A syn_flood -j DROP

~~~~~~~~~~~~~~~~~~~

C] Limiting incoming ICMP ping requests:

~~~~~~~~~~~~~~~~~~~

iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT

iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:

iptables -A INPUT -p icmp -j DROP

iptables -A OUTPUT -p icmp -j ACCEPT

~~~~~~~~~~~~~~~~~~~

)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
Awesome link for installing DDOS stopper
Please refer http://adminhowtos.com/index.php?topic=57.0    
             http://www.inetbase.com/scripts/ddos/

)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))


Posted by on September 29, 2011 in Uncategorized
