[Tutorial] Blocking DoS/DDoS Attacks on a Linux Server

Well, I thought this should have been in the web development section, since DDoS attacks are more common against websites, but then again this seems like the correct section. So anyway, if you are the admin or the victim and have shell access to the server that is being DDoSed, here are some commands you can type into the SSH window to check where the attacks are coming from.

First log in over SSH; admins can use PuTTY or the cPanel terminal.
After you have logged in, type the following command:

Code:
netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n

This will give you a list of the IPs connected to the server and the number of connections each one has open.

For example:
1 58.9.3.43
3 66.33.23.20
3 24.95.74.2
8 64.80.4.15
15 4.20.44.2
90 59.45.2.10

The counts vary with traffic, but if a single IP has more than 1-30 connections open there is a HIGH chance it is an attack from that IP.

In this case 90 is the number of connections and 59.45.2.10 is the attacker's IP.

Here is another command that can show you number of connections with SYN packets.

Code:
netstat -n | grep :80 | grep SYN | wc -l

The output of this command shouldn’t be more than 100 in an average case. More than 500 is a DDOS attack.

Blocking the attacking IPs

Now that we know the bad IPs, we use iptables to block them.

Code:
iptables -A INPUT -s 59.45.2.10 -j DROP

Replace 59.45.2.10 with any ip address to be blocked.

To block IP on a specific port, type

Code:
iptables -A INPUT -p tcp -s 59.45.2.10 --dport 80 -j DROP

This will prevent 59.45.2.10 from connecting to port 80, which is the HTTP port. You can use 21 for FTP, the SMTP port, and so on.
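As an added example (not from the original post), the script below wraps the two steps above into shell functions: it parses netstat-style output with the same awk/cut/sort/uniq pipeline, flags any IP whose connection count is above a threshold, and prints the matching `iptables -A INPUT ... -j DROP` rules instead of running them, so you can review the list before applying it as root. The netstat lines are a constructed sample, the `THRESHOLD` value of 2 is lowered only so the sample triggers (the post suggests around 30 for real traffic), and, like the original one-liner, the `cut -d:` split assumes IPv4 addresses (IPv6 entries are dropped rather than counted).

```shell
#!/bin/sh
# Added example, not the original post's code. Counts connections per remote IP
# from netstat -atun style output and emits iptables DROP rules for heavy hitters.
# Nothing here touches the firewall: the rules are only printed for review.

# Constructed sample in the format of `netstat -atun` (IPv4 only, assumption).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             59.45.2.10:40001        SYN_RECV
tcp        0      0 10.0.0.5:80             59.45.2.10:40002        SYN_RECV
tcp        0      0 10.0.0.5:80             59.45.2.10:40003        SYN_RECV
tcp        0      0 10.0.0.5:80             4.20.44.2:51000         ESTABLISHED
tcp        0      0 10.0.0.5:22             4.20.44.2:51001         ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Connection count above which an IP is treated as suspect. Lowered to 2 for the
# constructed sample; the post suggests about 30 for real traffic.
THRESHOLD="${THRESHOLD:-2}"

# count_by_ip: stdin = netstat output, stdout = "<count> <ip>" sorted ascending.
# Same idea as the post's one-liner, but skips the header lines and the
# wildcard "0.0.0.0:*" entries of listening sockets so they are not counted.
count_by_ip() {
    awk '$1 ~ /^(tcp|udp)/ {print $5}' \
      | cut -d: -f1 \
      | grep -Ev '^(0\.0\.0\.0)?$' \
      | sort | uniq -c | sort -n \
      | awk '{print $1, $2}'
}

# syn_count: stdin = netstat output, stdout = number of SYN-state entries on :80
# (mirrors `netstat -n | grep :80 | grep SYN | wc -l`).
syn_count() {
    awk '$4 ~ /:80$/ && $6 ~ /^SYN/ {n++} END {print n+0}'
}

# suspects THRESHOLD: stdin = "<count> <ip>" lines, stdout = IPs above threshold.
suspects() {
    awk -v t="$1" '$1+0 > t+0 {print $2}'
}

# block_rules: stdin = IPs, stdout = iptables commands to drop them on INPUT.
# Printed, not executed: review the list, then run it as root if it is correct.
block_rules() {
    while read -r ip; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Walk the sample through the full pipeline.
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_ip
printf 'SYN entries on :80: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | syn_count)"
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_ip | suspects "$THRESHOLD" | block_rules
```

On a live box you would replace the sample with `netstat -atun | count_by_ip` and raise `THRESHOLD`; keep the printed rules as your record of what was blocked, since that is what you will need again when unblocking.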

Now we save the rules so they survive a restart of the iptables service.

Code:
service iptables save

Then we restart the service.

Code:
service iptables restart

Unblocking the IPs

Let's say you blocked an IP by mistake and now need to unblock it.
Use the following two commands:

Code:
iptables -D INPUT -p all -s 59.45.2.10  -j DROP
Code:
iptables -D OUTPUT -p all -s 59.45.2.10 -j DROP

Replace 59.45.2.10 with the IP address you want to unban.

Again save and restart the iptables service.

Code:
service iptables save
Code:
service iptables restart

Another way, which I haven't tried, is installing DDoS Deflate, which does the work for you.

Code:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

You can do this to stop DDoSers, or at least reduce their connections. Thanks for reading.

07-31-2011 12:33 PM