Finding DDoS attacks
Below are some useful netstat commands to run during a DDoS attack.
To list the connections to the target IPs (the server's own IPs), use the command below. It counts how many port-80 connections each local address is handling:
netstat -alpn | grep :80 | awk '{print $4}' | awk -F: '{print $(NF-1)}' | sort | uniq -c | sort -n
To list the connections by source IP, use the command below. It counts port-80 connections per remote address, so the heaviest sources appear at the bottom:
netstat -alpn | grep :80 | awk '{print $5}' | awk -F: '{print $(NF-1)}' | sort | uniq -c | sort -n
Block the IPs with a high connection count from the list above using the CSF or APF firewall:
csf -d IP
apf -d IP
To see the number of connections in each TCP state, use the command below. A large number of SYN_RECV entries compared with ESTABLISHED ones is the typical sign of a SYN flood:
netstat -an | grep ":80" | awk '/tcp/ {print $6}' | sort | uniq -c
A sample output would look like:
root@linux [~]# netstat -an|grep ":80"|awk '/tcp/ {print $6}'|sort| uniq -c
2 CLOSE_WAIT
1 ESTABLISHED
4 LISTEN
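The three netstat one-liners above, turned into reusable shell functions as an added example (this is not code from the original post). The functions read "netstat -an" style output on stdin; the sample output embedded below is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the original post): the netstat one-liners above,
# turned into functions that read "netstat -an" output on stdin.
# The sample below is constructed, not captured from a real host.
SAMPLE_NETSTAT='tcp        0      0 203.0.113.10:80      198.51.100.7:51234   ESTABLISHED
tcp        0      0 203.0.113.10:80      198.51.100.7:51235   SYN_RECV
tcp        0      0 203.0.113.10:80      198.51.100.7:51236   SYN_RECV
tcp        0      0 203.0.113.10:80      198.51.100.7:51237   SYN_RECV
tcp        0      0 203.0.113.10:80      192.0.2.44:40001     ESTABLISHED
tcp        0      0 203.0.113.10:22      192.0.2.9:55555      ESTABLISHED
tcp6       0      0 :::80                :::*                 LISTEN'

# Count connections per source IP to local PORT; print "count ip" for sources
# at or above THRESHOLD. The second-to-last ":"-separated field is the address,
# so plain IPv4, IPv6 and ::ffff:-mapped forms are all handled.
# Usage: top_sources PORT THRESHOLD < netstat-output
top_sources() {
  awk -v port="$1" -v thr="$2" '
    /^tcp/ && $4 ~ (":" port "$") && $6 != "LISTEN" {
      cnt = split($5, a, ":"); n[a[cnt-1]]++ }
    END { for (ip in n) if (n[ip] >= thr) printf "%d %s\n", n[ip], ip }' \
  | LC_ALL=C sort -rn
}

# Count connections to local PORT by TCP state; print "STATE count" per line.
# A spike in SYN_RECV relative to ESTABLISHED is the classic SYN flood sign.
# Usage: state_summary PORT < netstat-output
state_summary() {
  awk -v port="$1" '
    /^tcp/ && $4 ~ (":" port "$") { s[$6]++ }
    END { for (st in s) printf "%s %d\n", st, s[st] }' | LC_ALL=C sort
}

# Emit, but do not run, the CSF deny command for each flagged source so the
# list can be reviewed before anything is blocked.
# Usage: block_commands PORT THRESHOLD < netstat-output
block_commands() {
  top_sources "$1" "$2" | awk '{ print "csf -d " $2 }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | state_summary 80
printf '%s\n' "$SAMPLE_NETSTAT" | top_sources 80 3
printf '%s\n' "$SAMPLE_NETSTAT" | block_commands 80 3
```

On a live host, replace the sample with `netstat -an | top_sources 80 50` (or whatever threshold fits the server's normal traffic) and review the flagged list before blocking.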
Install necessary modules
You can also use tcpdump to identify the attacking host:
tcpdump -v -n -i ethX -p host IP_Address
where X is usually 0 or 1. On a VPS the interface may be venet0 instead; check the output of ifconfig.
Try installing the Apache modules below to mitigate the attack:
DOS-Deflate
mod_security
mod_dosevasive
Enable anti-DOS for APF
Tweaking the kernel
To prevent SYN floods, change the kernel parameters below:
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv=45
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=332000
sysctl -w net.ipv4.tcp_fin_timeout=15
sysctl -w net.ipv4.tcp_synack_retries=5
sysctl -w net.ipv4.tcp_keepalive_time=1500
sysctl -w net.ipv4.tcp_sack=0
sysctl -w net.ipv4.tcp_max_tw_buckets=1440000
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
Note: the net.ipv4.netfilter.ip_conntrack_* keys belong to the old ip_conntrack module; on current kernels the same timeouts live under net.netfilter.nf_conntrack_* (for example net.netfilter.nf_conntrack_tcp_timeout_syn_recv). Values set with sysctl -w are lost on reboot unless they are also written to /etc/sysctl.conf.
Also increase Apache's MaxClients limit to 500 (on Apache 2.4 the directive is called MaxRequestWorkers).
Further sysctl tweaks
Original (default) values are shown in parentheses.
net.ipv4.tcp_fin_timeout=20 (30)
net.ipv4.tcp_keepalive_time=1800 (3600)
net.ipv4.tcp_keepalive_intvl=40 (75)
net.ipv4.tcp_tw_recycle=1 (0)
net.ipv4.tcp_tw_reuse=1 (0)
net.ipv4.tcp_max_syn_backlog=4096 (2048)
Note: tcp_tw_recycle drops connections from clients behind NAT whose TCP timestamps arrive out of order, and the key was removed from the kernel in Linux 4.12; on anything recent rely on tcp_tw_reuse alone.
Below are some recommended sysctl tweaks for a combined web server and database server (defaults in parentheses):
net.ipv4.inet_peer_gc_maxtime = 240 (120)
net.ipv4.inet_peer_maxttl = 500 (600)
net.ipv4.inet_peer_minttl = 80 (120)