In this guide I will cover 3 parts:
- Detecting a DDoS attack
- Protecting from a DDoS attack
- Testing resistance to DDoS
Detecting a DDoS attack on Linux
To get a first look at who is connecting, count connections with netstat. Without -n netstat resolves host and service names, which is itself slow while you are being flooded; the first command relies on port 80 being printed as "http":
netstat | grep http | wc -l
Connections per source address, busiest last (tail skips netstat's two header lines; cut -d: only works for IPv4 peers, since bracketed IPv6 addresses contain colons):
netstat -ntu | tail -n +3 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
To see how many connections sit in each TCP state, count the state column (netstat -no only adds the timer column, it does not summarise states). A pile of SYN_RECV entries is the signature of a SYN flood; a large TIME_WAIT count is normal on a busy web server and is not evidence of an attack on its own:
netstat -ant | tail -n +3 | awk '{print $6}' | sort | uniq -c | sort -n
On current distributions netstat is deprecated in favour of ss, which has a built-in summary (ss -s) and a state filter (ss -nt state syn-recv lists the half-open connections).
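The same counting done over ss output, as an added example that is not part of the original post. It strips ports from both IPv4 and bracketed IPv6 peers, counts per peer and per state, and flags peers above a threshold. The sample output and the threshold of 3 are constructed for illustration; on a live box pipe `ss -ant` into the functions (for netstat output, strip its two header lines with `tail -n +3` first).

```shell
#!/bin/sh
# Added example, not from the original post: per-peer and per-state connection
# counts over "ss -ant"-style output (ss prints states as SYN-RECV / TIME-WAIT).
# SAMPLE_SS is constructed; for real data use:  ss -ant | peer_counts

SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:80          203.0.113.7:51234
ESTAB      0      0      10.0.0.5:80          203.0.113.7:51235
ESTAB      0      0      [2001:db8::1]:80     [2001:db8::9]:55000
SYN-RECV   0      0      10.0.0.5:80          198.51.100.2:40001
SYN-RECV   0      0      10.0.0.5:80          198.51.100.2:40002
SYN-RECV   0      0      10.0.0.5:80          198.51.100.2:40003
SYN-RECV   0      0      10.0.0.5:80          198.51.100.2:40004
TIME-WAIT  0      0      10.0.0.5:80          192.0.2.9:33000'

# Connections per peer address, busiest first. The header line is skipped,
# the trailing :port is removed and IPv6 brackets stripped, so v4 and v6 both work.
peer_counts() {
    awk 'NR > 1 { p = $5; sub(/:[0-9]+$/, "", p); gsub(/[][]/, "", p); print p }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Connections per TCP state. Many SYN-RECV entries are the SYN flood signature;
# many TIME-WAIT entries are normal on a busy web server.
state_counts() {
    awk 'NR > 1 { print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Peers holding more than $1 connections: candidates for a per-IP limit.
flag_peers() {
    peer_counts | awk -v limit="$1" '$1 > limit { print $2 }'
}

# Demo on the constructed sample with an assumed threshold of 3.
demo() {
    printf '%s\n' "$SAMPLE_SS" | state_counts
    printf '%s\n' "$SAMPLE_SS" | flag_peers 3
}
```

Running `demo` on the sample prints 4 SYN-RECV, 3 ESTAB and 1 TIME-WAIT, then 198.51.100.2 as the only peer above the threshold. Using -n on ss is deliberate: name resolution during a flood is slow and leaks the fact that you are looking.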
Protecting Linux from a DDoS attack
Connection limits per source IP can be set with iptables. This example drops a new connection to port 80 once the source already holds more than 3 (3 is very low: browsers open several parallel connections and every user behind a NAT shares one address, so derive the number from your real traffic, and put the rule before any ACCEPT rule for port 80 or it never matches):
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 3 -j DROP
Drop packets that claim to open a new connection but are not SYN packets (on current kernels -m conntrack --ctstate NEW is the equivalent of the older -m state --state NEW):
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Drop IP fragments (-f matches the second and later fragments of a datagram, never the first; legitimate large UDP traffic such as big DNS replies can be fragmented, so check your own traffic before deploying this one):
iptables -A INPUT -f -j DROP
Drop malformed XMAS (all TCP flags set) and NULL (no flags set) packets:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Add SYN flood limits to /etc/sysctl.conf and load them with sysctl -p. A larger backlog holds more half-open connections and fewer SYN-ACK retries expire them sooner; net.ipv4.tcp_syncookies = 1 is the companion setting that keeps accepting connections once the backlog fills:
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
If you run CSF (ConfigServer Security & Firewall), the per-IP connection limit above corresponds to the CT_LIMIT setting in /etc/csf/csf.conf (0 disables it).
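The rules of this section put together as one reloadable script, as an added example that is not part of the original post. It loads the rules into a dedicated chain so re-running replaces them instead of appending duplicates with -A, lets already-tracked traffic skip the checks, uses the conntrack match, and adds the SYN-cookie sysctl. The chain name DDOS_GUARD, the per-IP limit of 20, and the IPT/SYSCTL variables (set both to echo for a dry run) are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the section's iptables rules and
# sysctl settings as one idempotent script. Chain name, limits and the
# IPT/SYSCTL override variables are assumptions; "echo" for both gives a dry run.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
CHAIN="${CHAIN:-DDOS_GUARD}"
HTTP_PORT="${HTTP_PORT:-80}"
# The post uses 3; browsers open several parallel connections and NAT users
# share one address, so 20 is a less disruptive starting point (tune to your traffic).
CONN_PER_IP="${CONN_PER_IP:-20}"

apply_ddos_rules() {
    $IPT -N "$CHAIN" 2>/dev/null || true     # create the chain once
    $IPT -F "$CHAIN"                         # then empty it, so re-runs replace rules

    # Packets on already-tracked connections leave the chain immediately;
    # the checks below only cost CPU for new or bogus packets.
    $IPT -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN

    # Second and later fragments (-f never matches the first fragment).
    $IPT -A "$CHAIN" -f -j DROP
    # New connections must begin with SYN (conntrack replaces the older -m state).
    $IPT -A "$CHAIN" -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # XMAS (all flags set) and NULL (no flags) probes.
    $IPT -A "$CHAIN" -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A "$CHAIN" -p tcp --tcp-flags ALL NONE -j DROP
    # Per-source concurrent connection limit on the web port.
    $IPT -A "$CHAIN" -p tcp --syn --dport "$HTTP_PORT" \
        -m connlimit --connlimit-above "$CONN_PER_IP" -j DROP

    # Jump to the chain from the top of INPUT, inserted only if not already there
    # (a dry run prints only the -C check, because echo always succeeds).
    $IPT -C INPUT -j "$CHAIN" 2>/dev/null || $IPT -I INPUT 1 -j "$CHAIN"

    # Kernel SYN flood settings from the post, plus SYN cookies.
    $SYSCTL -w net.ipv4.tcp_max_syn_backlog=4096
    $SYSCTL -w net.ipv4.tcp_synack_retries=2
    $SYSCTL -w net.ipv4.tcp_syncookies=1
}

case "${1:-}" in
    apply)   apply_ddos_rules ;;
    dry-run) IPT=echo SYSCTL=echo apply_ddos_rules ;;
esac
```

`sh ddos-guard.sh dry-run` prints the exact commands; `sudo sh ddos-guard.sh apply` loads them. Inserting the jump at position 1 of INPUT is what guarantees the filters run before any ACCEPT rule. The rules do not survive a reboot by themselves; persist them with iptables-save or your distribution's mechanism, and keep the sysctl lines in /etc/sysctl.conf as above.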
Testing Linux resistance to DDoS
To test a server's resistance to slow HTTP attacks I use slowhttptest from a BackBox installation. The command below runs a slow-body (slow POST) test: -c 1000 connections opened at -r 300 per second, each announcing a -s 10240 byte body but sending at most -x 20 bytes every -i 100 seconds, with -g and -o writing the statistics report to output-file-name. Only run it against servers you own or are authorised to test, and watch the server from a second host while it runs:
slowhttptest -c 1000 -B -g -o output-file-name -i 100 -r 300 -s 10240 -u https://srv.pcx3.com/this/page.php -x 20
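One way to turn that command into a measurement, as an added example that is not part of the original post: run the post's slowhttptest command in the background and, while it runs, probe the same URL from this host once a second with curl, then summarise how many probes failed or slowed down. slowhttptest's own "service available" verdict and this independent view should agree; if they do not, the server is degrading in a way the tool's test connections do not see. The probe log format, the probe interval, the slowness threshold and the constructed sample log are this script's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: run the post's slowhttptest
# command while probing the target from this host, then report the probe
# failure rate. Only test servers you own or are authorised to test.
# Log format, interval, threshold and SAMPLE_LOG are this script's assumptions.
TARGET="${TARGET:-https://srv.pcx3.com/this/page.php}"
PROBE_LOG="${PROBE_LOG:-probe.log}"
SLOW_LIMIT="${SLOW_LIMIT:-2}"   # seconds; slower successful probes count as degraded

# One probe line: "<epoch> <http_code> <seconds>". On a timeout curl still
# prints its -w format with code 000, so the line is always complete.
probe_once() {
    printf '%s %s\n' "$(date +%s)" \
        "$(curl -s -o /dev/null --max-time 5 -w '%{http_code} %{time_total}' "$1")"
}

# Summarise a probe log from stdin: probes without a 2xx/3xx answer count as
# failed, successful probes slower than $1 seconds as degraded.
summarize() {
    awk -v slow="$1" '
        { n++; if ($2 !~ /^[23]/) f++; else if ($3 > slow) d++; if ($3 > m) m = $3 }
        END { printf "total=%d failed=%d degraded=%d failed_pct=%d max_time=%.2f\n",
                     n, f, d, (n ? 100 * f / n : 0), m }'
}

# The post's slowhttptest invocation, probed until it exits (-l, default 240 s).
run_test() {
    : > "$PROBE_LOG"
    slowhttptest -c 1000 -B -g -o slowtest -i 100 -r 300 -s 10240 -u "$TARGET" -x 20 &
    slow_pid=$!
    while kill -0 "$slow_pid" 2>/dev/null; do
        probe_once "$TARGET" >> "$PROBE_LOG"
        sleep 1
    done
    summarize "$SLOW_LIMIT" < "$PROBE_LOG"
}

# Constructed probe log (not captured from a real run) for the demo:
# two timeouts, one 503, two slow but successful answers.
SAMPLE_LOG='1700000000 200 0.12
1700000001 200 0.15
1700000002 200 1.10
1700000003 200 3.40
1700000004 000 5.00
1700000005 000 5.00
1700000006 503 0.05
1700000007 200 2.90
1700000008 200 0.20
1700000009 200 0.18'

case "${1:-}" in
    run)  run_test ;;
    demo) printf '%s\n' "$SAMPLE_LOG" | summarize "$SLOW_LIMIT" ;;
esac
```

`sh slowtest-probe.sh demo` summarises the constructed log as total=10 failed=3 degraded=2 failed_pct=30 max_time=5.00; `sh slowtest-probe.sh run` does the real thing and leaves slowhttptest's own report in slowtest.html and slowtest.csv. Probing from the attacking host is the weak point of this setup: a second, idle machine gives the cleaner picture, and the connlimit rule from the previous section will throttle the probes as well if both run from one address.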