DDoS attacks pose a serious threat to websites and servers, overwhelming them with traffic and making them inaccessible to users. To prevent and stop such attacks, it is essential to use the right tools and strategies.
By implementing the following commands and approaches, you can significantly enhance your network security and protect your resources from malicious activities. Regularly monitoring logs, analyzing traffic, and adjusting defense mechanisms will help you stay ahead of potential attacks.
Traffic Filtering and Control
- iptables -A INPUT -p tcp –dport 80 -m connlimit –connlimit-above <num> -j DROP
Limits the number of simultaneous connections to port 80, preventing connection exhaustion attacks. - fail2ban-client set <jail> addignoreip <IP>
Adds an IP address to the Fail2Ban ignore list to prevent blocking legitimate traffic. - ufw limit <port>/tcp
Configures rate limiting in UFW on a specific port to protect against SYN flood attacks.
Monitoring and Analysis
- nginx -t
Verifies the syntax of Nginx configuration files before applying changes. - apache2ctl configtest
Checks the syntax of Apache configuration files for errors before reloading the web server. - tail -f /var/log/httpd/access_log
Displays real-time updates of the Apache access log, allowing immediate monitoring of incoming HTTP requests. - tcpdump -i eth0 -n ‘tcp[13] & 2 != 0’
Captures only SYN packets to identify potential SYN flood attacks on the eth0 network interface.
Detecting Suspicious Traffic
- curl -I <URL>
Retrieves HTTP response headers for a specific URL, helping diagnose potential server misconfigurations. - iftop -i eth0
Monitors network traffic on interface eth0 in real time, providing insights into bandwidth usage and unusual patterns. - netstat -an | grep :443 | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -nr
Displays the number of active connections to port 443 and lists IP addresses with the highest connection counts.
Blocking Malicious IPs and Requests
- mod_evasive
An Apache module that detects and blocks suspicious requests from specific IP addresses. - iptables -A INPUT -p tcp –dport <port> -m recent –set
Configures iptables to track packets from a specific port and mark them as recent. - fail2ban-client status
Displays the status of Fail2Ban, showing banned IPs and active jails. - ufw deny from <IP>
Blocks incoming traffic from a specific IP address using UFW.
Applying Configuration Changes Without Downtime
- nginx -s reload
Reloads the Nginx configuration to apply changes without interrupting active connections. - apache2ctl graceful
Gracefully restarts the Apache web server, allowing active connections to complete before the restart. - tail -f /var/log/nginx/access.log
Monitors the Nginx access log in real time to observe incoming requests and identify suspicious activity.
Network-Level DDoS Protection
- tcpdump -i eth0 -n ‘udp’
Captures UDP packets on the eth0 interface, useful for monitoring UDP-based attacks. - curl -L <URL>
Follows redirects and retrieves the final destination URL, helping analyze potential URL-based attacks. - iftop -F <filter>
Filters network traffic on the specified interface, allowing focused analysis. - netstat -s | grep “failed connection attempts”
Checks the number of failed connection attempts, which may indicate attempted DDoS attacks. - iptables -A INPUT -p tcp –dport <port> -m state –state NEW -m recent –update –seconds <seconds> –hitcount <count> -j DROP
Drops packets if the number of new TCP connections to a specific port exceeds a certain threshold within a given time frame.
Additional Protection Tools
- grep “POST” /var/log/httpd/access_log | awk ‘{print $1}’ | sort | uniq -c | sort -nr
Analyzes the Apache access log to count the number of POST requests from unique IPs, helping identify potential HTTP-based attacks. - ss -antp
Displays all established TCP connections along with associated processes, helping identify suspicious connections. - netstat -s | grep “segments dropped”
Checks for dropped network segments, which could indicate network saturation or congestion caused by a DDoS attack. - tail -f /var/log/nginx/error.log
Monitors the Nginx error log in real time to detect abnormal errors or warnings that may indicate a DDoS attack. - ipset create blacklist hash:ip hashsize 4096
Creates an IPset blacklist to store IP addresses to be blocked, providing a scalable solution for blocking malicious IPs. - iptables -A INPUT -m set –match-set blacklist src -j DROP
Blocks traffic from IP addresses present in the IPset blacklist. - sysctl -w net.ipv4.tcp_max_syn_backlog=<value>
Adjusts the maximum number of pending TCP SYN requests to mitigate SYN flood attacks by limiting the backlog size. - curl -X GET –header “X-Forwarded-For: <IP>” <URL>
Sends an HTTP GET request to a URL with a specified client IP address in the X-Forwarded-For header, useful for testing DDoS protection measures. - iftop -B
Enables the display of traffic bandwidth rates in bytes rather than bits, providing a more intuitive representation of network traffic. - iptables -A INPUT -p icmp –icmp-type echo-request -m limit –limit <rate> -j ACCEPT
Sets a rate limit for incoming ICMP echo requests (ping) to prevent ICMP flood attacks. - tcpdump -i eth0 -n ‘icmp’
Captures ICMP packets on the eth0 interface, allowing analysis of ICMP-based attacks.
Conclusion
Using these commands and methods, combined with regular monitoring, will help effectively protect servers from DDoS attacks. The sooner suspicious activity is detected, the faster you can take action to neutralize the threat.
If you found this content valuable and insightful, please give us 10 claps—your support helps us continue delivering high-quality content for the community. 🚀
