Posted

A quick fix when under DDOS attack

 

A friend of mine asked me what he should do when experiencing a DDOS attack.

 

Well, the excerpt itself on how to handle a DDOS attack would be long, as each type of Denial of Service needs different handling… the more experienced a sys-admin is, the more thoroughly he/she would be able to handle the attack.

 

However, for all here is a simple, straightforward methodology.

 

1) Find the IPs from which the SYN flood is coming

 

and

 

2) Block those IPs

 

Easy, eh?

 

So how do you do that on a linux machine?

 

Again, this is just a small excerpt

 

a simple command such as

netstat -n -p | grep SYN_REC | wc -l

 

would list all the active SYN_REC connections on the server… depending on the server’s size, 30 to 40 SYN_REC could be a sign of a DDOS attack.

 

Again, do not be fixated on numbers; different variants come into play when deciding to ring the DDOS emergency bell.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

 

will therefore list all the IPs that are maintaining the SYN_REC connections.

 

And why not also add a uniq -c filter etc… and get fancier?

 

Anyway, once you decide an IP source is flooding your port, simply block it with an

iptables -I INPUT -s IP -j DROP

cheers

 

I hope I helped you, because I want to stop the DDoS attacks that kids are doing to have fun -.-

Posted

yes is easy

 

Yeah, ban all the inet cafes from your server! Go on!

 

I've met many admins who think that limiting 20 conns/IP will save the world, but they don't know how stupid that sounds.

And don't forget that some ISPs use LAN strategies where they literally bind a city to an IP (they bind each customer to a static LAN IP). Ofc, it's not common in Greece, where ISPs act like yeah, we provide dynamic IPs, so we won't investigate any spam/dos/worm activities done by our customers and provide fake internet activity details to the law enforcement agencies.
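
The per-source tally that the first post hints at with uniq -c, written out as an added example that is not code from either poster. It goes a little beyond the one-liner by handling IPv6 and IPv4-mapped addresses, which splitting on the first colon would mangle, and it only reports sources above a threshold, since the reply notes that one address can stand for many users. The function names, the default threshold and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): tally half-open connections per source.
# Reads `netstat -n -p` style lines on stdin, so saved output can be analysed too.

# syn_sources MIN: print "count address" for every remote address holding at
# least MIN connections in SYN_RECV, busiest first. MIN defaults to 30, an
# assumed starting point taken from the 30-to-40 hint in the first post.
syn_sources() {
    min="${1:-30}"
    awk -v min="$min" '
        $6 ~ /^SYN_REC/ {
            addr = $5
            sub(/:[0-9]+$/, "", addr)   # drop only the trailing :port (IPv6-safe)
            sub(/^::ffff:/, "", addr)   # fold IPv4-mapped IPv6 into plain IPv4
            count[addr]++
        }
        END { for (a in count) if (count[a] >= min) print count[a], a }
    ' | sort -rn
}

# Constructed sample input using documentation address ranges.
sample_netstat() {
    cat <<'EOF'
tcp   0 0 192.0.2.10:80    198.51.100.7:40112         SYN_RECV    -
tcp   0 0 192.0.2.10:80    198.51.100.7:40113         SYN_RECV    -
tcp   0 0 192.0.2.10:80    198.51.100.7:40114         SYN_RECV    -
tcp6  0 0 2001:db8::10:80  ::ffff:198.51.100.7:40115  SYN_RECV    -
tcp   0 0 192.0.2.10:80    198.51.100.7:51000         ESTABLISHED 812/nginx
tcp   0 0 192.0.2.10:80    203.0.113.5:33001          SYN_RECV    -
tcp   0 0 192.0.2.10:80    203.0.113.5:33002          SYN_RECV    -
tcp6  0 0 2001:db8::10:80  2001:db8::dead:51000       SYN_RECV    -
tcp6  0 0 2001:db8::10:80  2001:db8::dead:51001       SYN_RECV    -
tcp6  0 0 2001:db8::10:80  2001:db8::dead:51002       SYN_RECV    -
EOF
}

# Live use: netstat -n -p 2>/dev/null | syn_sources 30
sample_netstat | syn_sources 3
```

The ESTABLISHED line is ignored and the IPv4-mapped entry is counted together with its plain IPv4 form, so one client is not split across two rows.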
