1. Detecting the cause of a DDoS attack:
- Server is overloaded due to lack of RAM
- Server is overloaded because the CPU processing speed is not sufficient
- The HDD read/write speed cannot keep up with the data access demand

Check whether the server is being DDoSed or not:

    netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Other methods:

    netstat -n | grep :80 | wc -l
    netstat -n | grep :80 | grep SYN | wc -l

2. Preventing a DDoS attack

The quick fix is to block the IP that takes up the most connections in the "prime time".

Method 1:

    route add address-ip reject

EX:

    route add 180.87.42.50 reject

Method 2:

    iptables -I INPUT 1 -s address-ip -j DROP    # or -j REJECT
    service iptables restart
    service iptables save
    killall -KILL httpd
    service httpd restart
It works, but you'll need to manually add each IP every time you see an attack.

This rule would limit the amount of connections to 32 from the same IP (tweak as needed):

    iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 32 -j DROP
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT

** This would not stop a distributed DDoS as it only blocks connections from the same IP. When you're under a distributed DDoS attack you usually see a flood of HTTP GET requests from multiple different IPs. It'll be a matter of time before your server reaches its memory/bandwidth physical limits, and it will eventually be unable to serve web pages to legitimate clients.

In order to stop these attacks we can add the following rules to iptables (tweak dport 80 as needed if your servers run on a different port):

    iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to 1024 -m recent --set --name httpddos --rsource
    iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to 1024 -m recent --update --seconds 10 --hitcount 2 --name httpddos --rsource -j DROP

I am fully aware of the performance impact that scanning packets for strings can have, but unless your website receives a gazillion visits per day you probably won't notice any impact.
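The thread's two checks (connections per remote IP, and the SYN_RECV count) and its per-IP block rule, combined into shell functions that flag IPs over a limit and print the matching rule for review rather than applying it. This is an added example, not either poster's code; the netstat output is a constructed sample, and the limit of 2 used in the stand-alone run is arbitrary.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output (not captured from any real host):
# one peer holds several half-open connections, the rest look like normal clients.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51235      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.10:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.10:51237      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.7:40002      ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::1234:55000    ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.9:33333'

# Connections per remote IP to local port $1 (default 80), busiest first.
# Reads netstat -an style lines on stdin. The port is stripped with sub() on the
# last ":" so IPv6 peers are counted too, which `cut -d: -f1` gets wrong.
count_per_ip() {
    port="${1:-80}"
    awk -v port="$port" '
        $1 ~ /^(tcp|udp)6?$/ && $4 ~ (":" port "$") {
            peer = $5; sub(/:[0-9]+$/, "", peer); n[peer]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Half-open (SYN_RECV) connections to port $1: the SYN-flood check from the thread.
count_syn_recv() {
    port="${1:-80}"
    awk -v port="$port" '$4 ~ (":" port "$") && $6 == "SYN_RECV"' | wc -l | tr -d ' '
}

# IPs holding more than $2 connections to port $1, one per line, for review.
over_limit() {
    count_per_ip "$1" | awk -v lim="$2" '$1 > lim { print $2 }'
}

# Print (do not run) the per-IP block rule from the thread for each flagged IP,
# using -I so the rule lands at position 1 (-A does not take a rule number).
suggest_rules() {
    over_limit "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone run on the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip 80
printf '%s\n' "$SAMPLE_NETSTAT" | count_syn_recv 80
printf '%s\n' "$SAMPLE_NETSTAT" | suggest_rules 80 2
```

On a live host pipe `netstat -an` into `count_per_ip 80`, and review the flagged list before adding any rule, since a NAT gateway or proxy in front of many users can legitimately hold a large number of connections.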