Distributed Denial of Service (DDoS) attacks can cripple your server, disrupting operations and services. Understanding how to detect and mitigate these attacks is crucial for maintaining uptime and security. This blog provides a structured approach to identifying, combating, and preventing DDoS attacks.
Confirming a Potential Attack
Understanding Connection States: Use the netstat command to analyze the state of network connections:
netstat -an|awk '/tcp/ {print $6}'|sort|uniq -c
This command will list the number of connections in various states:
- ESTABLISHED: Valid connections to the server.
- SYN_SENT: Active attempts at establishing connections.
- SYN_RECV: Received connection requests.
- FIN_WAIT: Closing sockets.
- TIME_WAIT: Sockets waiting post-closure to handle remaining packets.
- LISTEN: Sockets listening for incoming connections.
- LAST_ACK: Awaiting acknowledgment after remote shutdown.
A high count in SYN_SENT, SYN_RECV, TIME_WAIT, or FIN_WAIT indicates a likely attack.
Initial Defensive Tweaks
Adjusting System Configuration: Tweak the /etc/sysctl.conf settings to reduce vulnerability:
# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 3
# Turn off the tcp_window_scaling and tcp_sack
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
Apply changes with sysctl -p.
Identifying the Attack Vector
Determining the Source: If the attack comes from a single or few IPs, block them using the firewall. If the attack is distributed, deeper investigation is necessary.
Pinpointing the Targeted Port: When SYN_RECV connections are high, identify the targeted port with:
netstat -lpan | grep SYN_RECV | awk '{print $4}' | cut -d: -f2 | sort | uniq -c | sort -nk 1
Use tcpdump to further analyze traffic to a specific port:
tcpdump -nn -tttt -i any port 80
Mitigating the Attack
Adjusting Apache Settings: If the attack targets a web service, modify Apache configurations to handle increased load:
MaxClients 500KeepAlive OnKeepAliveTimeout 3/etc/init.d/httpd restart
Isolating the Affected Domain/IP: Use netstat to determine if a specific IP is targeted. Check Apache logs or use the top command to identify if a particular domain is under attack.
Advanced Defense Strategies
Employing ModSecurity and Firewall Rules:
- Disable ModSecurity’s automatic IP blocking.
- Add specific rules to block malicious traffic to targeted domains.
- Use iptables to block access to the domain on port 80:
iptables -I INPUT -p tcp --dport 80 -m string --string "domain.com" --algo bm -j DROP
Implementing Bandwidth Throttling: Limit connections to the targeted domain to reduce the load.
Nullrouting as a Last Resort: If the situation doesn't improve, nullroute the IP causing issues:
iptables -I INPUT -d XX.XX.XX.XX -j DROP
For dedicated IPs, remove them from /etc/ips and restart ipaliases. For shared IPs, consider reducing the TTL and reassigning domains.
Preventative Measures
Fortifying the Server with iptables: Add rules to mitigate future attacks:
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
Conclusion: DDoS attacks are a formidable threat, but with the right knowledge and tools, you can protect your server and ensure it remains secure and operational. Regularly update your configurations, monitor your traffic, and stay informed about new attack methods to maintain robust security.