DDoS

Diagnostic


To display how many http connections are open at the moment, enter:

netstat | grep http | wc -l

also

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

You can perform simple

netstat -no

command and take a look how many SYN_RECV and TIME_WAIT active connection active to your server.

View SYN:

netstat -no | grep SYN


Protection


you can set the connection limits for IP with IPTables. Current setting will limit incoming connections for port 80 up to 3 per 1 ip

iptables  -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 3 -j DROP

Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Force Fragments packets check

iptables -A INPUT -f -j DROP

drop incoming malformed XMAS packets:

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Drop NULLED packets:

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

 

Add the limitations to /etc/sysctl.conf

net.ipv4.tcp_max_syn_backlog = 4096     
net.ipv4.tcp_synack_retries = 2                


You can also use CSF firewall. Just set next parameter:

CT_LIMIT = 5

 



Testing


To test your server for vulnerability, you can use Backbox Linux, it has a various testing tools preinstalled.
For example, to test your domain for resistance to DDoS attacks you can use slowhttptest which is in Backbox installation. Example command:

slowhttptest -c 1000 -B -g -o output-file-name -i 100 -r 300 -s 10240 -u http://www.example.com/url/page.html -x 20

Now here are detailed options:

-a start start value of ranges-specifier for range header test
-b bytes limit of range-specifier for range header test
-c number of connections limited to 1024
-H, B, or R specify to slow down in headers section or in message body.
           -R enables range test
-g generate statistics in CSV and HTML formats, pattern is slow_xxx.csv/html,
  where xxx is the time and date
-i seconds interval between follow up data in seconds, per connection
-l seconds test duration in seconds
-o file custom output file path and/or name, effective if -g is specified
-r connections per second connection rate
-s bytes value of Content-Length header, if -B specified
-t verb custom verb to use
-u URL target URL, the same format you type in browser, e.g https://host:port/
-v level verbosity level of log 0-4
-x bytes max length of follow up data

You can also make tests with next nmap and hping2:

 nmap -v -f FIREWALL-IP
 nmap -v -sX FIREWALL-IP
 nmap -v -sN FIREWALL-IP
 hping2 -X FIREWALL-IP

Was this answer helpful?

 Print this Article

Also Read

Epel Centos

Some packages are missing from the base repository. This guide shows how to install RHEL EPEL...

How to check connectivity/network speed of your VPS

If you concerned about network speed of your vps you can test it by downloading some test...

Oracle 11g EX on Centos 6 x64 vps

We describe how to install Oracle 11g Express on Centos 6 x86_64 Openvz VPS. First of all you...

Iptables

Iptables is a Linux based packet filtering firewall. It is a service (daemon)...

Security tips for Linux server

1. Use only  strong passwords for all accounts , especially for root. Always use a secure root...