A distributed denial-of-service (DDoS) attack is one in which many compromised systems attack a target machine or server, causing denial of service for users of the targeted system. The flood of incoming messages essentially forces the target system to shut down, denying service to its legitimate users.
The most common method of attack is to saturate the target server with requests for external communication. These systems are flooded with requests for information from non-users, and often non-visitors to the website. The goal of this attack is to create a large enough volume of false traffic that legitimate web traffic intended for actual web users is slowed down and delayed. If this type of service becomes too slow, time-sensitive information such as live video footage may be rendered entirely useless to legitimate end users.
Denial of service attacks can be problematic, especially when they cause large websites to be unavailable during high-traffic times. Fortunately, security software has been developed to detect DoS attacks and limit their effectiveness, and a few basic Linux commands can show whether a server is under DDoS attack.
There is one quick Linux command with which you can check and confirm whether your server is under DDoS attack. It lists the number of connections per remote IP address:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
One important thing to check is the number of active connections that your server currently has. The command below shows it, and the output value should be less than 500.
netstat -n | grep :80 |wc -l
The above command will show the active connections that are open to your server.
netstat -n | grep :80 | grep SYN |wc -l
Many attackers start an attack by opening a connection to the server and then never sending the acknowledgement, which makes the server wait until the connection times out. The result of the first command will vary, but if it shows more than 500 connections, then you are definitely under attack. If the result of the second command is 100 or above, then you are having problems with a SYN attack.
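The checks above as one script, added here as an example (not part of the original article): it counts only connections whose local port is exactly 80, where `grep :80` also matches :8080 and outbound connections to a remote port 80, and it keeps IPv6 peers, which `cut -d: -f1` truncates. The function names and the embedded netstat sample are assumptions; the 500 and 100 limits are the article's.

```shell
# Added example: summarise `netstat -ant` output for one local port.
PORT=80          # assumption: the web server listens on 80
MAX_CONNS=500    # the article's rule-of-thumb limits
MAX_SYN=100

# Constructed sample in `netstat -ant` layout (documentation-range addresses).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51515      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51516      SYN_RECV
tcp        0      0 192.0.2.10:8080         203.0.113.9:40000       ESTABLISHED
tcp        0      0 192.0.2.10:44321        203.0.113.20:80         ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:6000 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::99:6001       SYN_RECV
EOF
}

# Emit "peer state" for TCP rows whose LOCAL port is exactly $PORT.
# Skips the listener, port 8080, and outbound connections to a remote :80.
port_rows() {
    awk -v p="$PORT" '$1 ~ /^tcp/ && $6 != "LISTEN" {
        lp = $4; sub(/.*:/, "", lp)      # text after the last colon is the port
        if (lp == p) print $5, $6 }'
}

total_conns()    { port_rows | wc -l | tr -d ' '; }
syn_recv_conns() { port_rows | awk '$2 == "SYN_RECV"' | wc -l | tr -d ' '; }

# Connections per peer, busiest first. The port is cut at the LAST colon so
# IPv6 peers survive; IPv4-mapped ::ffff:a.b.c.d is folded into a.b.c.d.
top_peers() {
    port_rows | awk '{ ip = $1; sub(/:[^:]*$/, "", ip); sub(/^::ffff:/, "", ip)
        n[ip]++ } END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Read netstat output on stdin and print a one-screen summary.
report() {
    data=$(cat)
    t=$(printf '%s\n' "$data" | total_conns)
    s=$(printf '%s\n' "$data" | syn_recv_conns)
    echo "port $PORT: $t connections, $s half-open (SYN_RECV)"
    if [ "$t" -gt "$MAX_CONNS" ]; then echo "WARNING: over $MAX_CONNS connections"; fi
    if [ "$s" -ge "$MAX_SYN" ]; then echo "WARNING: $s half-open, possible SYN flood"; fi
    printf '%s\n' "$data" | top_peers | head -n 5
}
sample_netstat | report    # live use: netstat -ant | report
```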
You can also block a particular IP on your server. To do so, use the following command:
route add ipaddress reject
Here is one example of how to block a particular IP on the server:
route add 110.125.12.23 reject
Once you block a particular IP on the server, you can cross-check whether the IP is blocked by using the following command:
route -n |grep IPaddress
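You can also block an IP with iptables on the server by using the following commands. Use either DROP or REJECT as the target.
# -I inserts the rule at position 1; -A appends and does not take a position
iptables -I INPUT 1 -s IPADDRESS -j DROP
# save before restarting, otherwise the restart discards the new rule
service iptables save
service iptables restart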
After running the above commands, kill all httpd connections and then restart the httpd service by using the following commands:
killall -KILL httpd
service httpd startssl
SynFlood Attack
To test a SYN flood attack, use the hping command, which is used for testing firewall rules. When the attack starts you will see something like the following in the /var/log/messages log file:
possible SYN flooding on port 80. Sending cookies.
hping can be run as follows (see man page for more info)
hping -i u1 -S -p 80 x.x.x.x
Syn Flood Protection:
You can turn on SYN cookies protection against SYN flood attacks by adding the following line to /etc/sysctl.conf:
net.ipv4.tcp_syncookies = 1
Another option to set in /etc/sysctl.conf is the following
net.netfilter.nf_conntrack_tcp_timeout_syn_recv=40
We can also limit the number of connections from one IP address to a port at a time by tweaking the CONNLIMIT variable in the csf firewall.
CONNLIMIT = "80;75 21;50"
The above setting means the server allows only 75 connections from one IP address to port 80 and 50 connections to port 21.
Enabling this variable in the firewall also limits attacks against the server.
Another first step for preventing DDoS on cPanel servers running Apache is for admins to install one of the popular Apache plugins such as “Apachebooster”, which may be downloaded from here