
A quick fix when under DDOS attack



 

A friend of mine asked me what he should do when experiencing a DDOS attack.

 

Well, an excerpt on how to handle a DDOS attack would itself be long, as each type of Denial of Service needs different handling… the more experienced a sys-admin is, the more thoroughly he/she will be able to handle the attack.

 

However, for everyone, here is a simple, straightforward methodology:

 

1) Find the IPs from which the SYN flood is coming

 

and

 

2) Block those IPs

 

Easy, eh?

 

So how do you do that on a Linux machine?

 

Again, this is just a small excerpt

 

a simple command such as

netstat -n -p | grep SYN_REC | wc -l

 

would list all the active SYN_REC connections on the server… depending on the server’s size, 30 to 40 SYN_REC could be a sign of a DDOS attack.

 

Again, do not be fixed on numbers; different variants come into play when deciding to ring the DDOS emergency bell.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

 

will therefore list all the IPs that are maintaining the SYN_REC connections.

 

and why not, also add a uniq -c filter etc… and get fancier?

 

anyway.. once you decide an IP source is flooding your port, simply block it with an

iptables -I INPUT -s IP -j DROP

cheers

 

I hope I helped you, because I want to stop the DDOS attacks that kids are doing to have fun -.-

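The counting step from the first post, as an added example that is not part of the original thread: it tallies half-open connections per remote address and reports only the sources at or above a threshold, stripping just the trailing port so IPv6-mapped peers are not mangled by a split on ":". The function names, the threshold and the sample netstat lines (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reports sources for review; blocks nothing.

# syn_sources THRESHOLD
# Reads `netstat -n` style lines on stdin and prints "count address" for every
# remote address holding at least THRESHOLD connections in SYN_RECV.
syn_sources() {
    awk -v min="$1" '
        $6 == "SYN_RECV" {              # column 6 = State, column 5 = Foreign Address
            addr = $5
            sub(/:[0-9]+$/, "", addr)   # drop only the trailing :port
            count[addr]++
        }
        END {
            for (a in count)
                if (count[a] >= min) print count[a], a
        }' | sort -rn
}

# Constructed sample input (hypothetical capture, documentation IP ranges).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.7:40115      SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      ESTABLISHED 812/nginx
tcp        0      0 192.0.2.10:80           203.0.113.9:51000       SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.9:51001       SYN_RECV    -
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.50:51515 SYN_RECV  -
EOF
}

# Sources with 3 or more half-open connections in the sample.
sample_netstat | syn_sources 3

# On a live host the same function would be fed from netstat, e.g.:
#   netstat -n -p | syn_sources 20
```

A single address can front many legitimate users, as the reply below points out, so the output is a list to review rather than a block list.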

Yes, it is easy

 

Yeah, ban all the inet cafes from your server! Go on!

 

I've met many admins who think that limiting 20 conns/IP will save the world, but they don't know how stupid that sounds.

And don't forget that some ISPs use LAN strategies where they literally bind a city to an IP (they bind each customer to a static LAN IP). Ofc, it's not common in Greece, where ISPs act like yeah, we provide dynamic IPs, so we won't investigate any spam/dos/worm activities done by our customers and provide fake internet activity details to the law enforcement agencies.


User is banned, you won't get an answer from him.

 

The thread remains unlocked since it can help people, but it will stay outdated.
