🐧 How to check and stop DDoS attacks on Linux

I recently wrote an article on how to detect and stop a DoS attack on Linux.

🐧 How to quickly check if your Linux server is under DoS attack from one IP address

DoS stands for Denial of Service and is a very common attack on servers that can render them unusable until the problem is fixed.

There is another similar type of attack called Distributed Denial of Service (DDoS) that is more difficult to detect and stop.

This type of attack uses the same idea as a denial of service attack, except that it distributes the attack across multiple servers.

Rather than seeing your server get attacked from one address, the traffic comes from a distributed set of servers.

I’m going to show you how you can check and stop DDoS attacks on your Linux servers.

Be warned, DDoS protection is not as easy as it is with DoS.

In fact, with DDoS, you will not only have to use the netstat command, but also know your network very well and be able to make some assumptions about the nature of the detected connections.

In other words, protecting against DDoS attacks is not easy.


How to check subnets

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s |cut -f1,2 -d'.'|sed 's/$/.0.0/'|sort|uniq -c|sort -nk1 -r

If the netstat command is not found, you need to install it using the command:

sudo apt-get install net-tools -y

You should see a list of all connections from addresses that share the same first two octets, for example 192.168.x.x.

As you can see, I have 13 connections to this server from the 192.168.x.x subnet.

To find connections from the /24 subnet, use the following command:

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s |cut -f1,2,3 -d'.'|sed 's/$/.0/'|sort|uniq -c|sort -nk1 -r

The above command will display all connections grouped by subnet, this time by the first three octets (for example, 192.168.1.x).

If you find a large number of connections from any of these subnets, you’ve narrowed your search a bit.

Another netstat command will list all the IP addresses connected to the server.

This command:

netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c

You should see a list of all connected IP addresses and the number of their connections.

We then use netstat to count the number of connections each IP address has to your server.

This command:

sudo netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The above command will actually list the IP addresses from all subnets that are sending connection requests to your server.

At this point, you should have a good idea of where the connections are coming from and what IP addresses are associated with those connections.

You can have a large number of connections from one specific subnet.

If this subnet is not supposed to reach a server with this level of traffic, most likely, this is where the DDoS attack originates.

How to stop attacks

It is not as easy as finding and stopping a DoS attack.

However, the good news is that once you have identified where the DDoS attack is coming from, you stop it just like you stopped a DoS attack.

Just run the command:

sudo route add ADDRESS reject

Where ADDRESS is the address in question.

In a DDoS attack, you will have to run the above command for every suspicious address detected with the netstat commands above.

This can take a significant amount of time, depending on how many machines are attacking your server.

If you find that all attacks come from the same subnet (the one that should not have access to the server), you can block that entire subnet using iptables, for example:

sudo iptables -A INPUT -s ADDRESS/SUBNET -j DROP

Be sure to replace ADDRESS/SUBNET with the network you believe is attacking your server.
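The netstat counting pipelines from the check section and the iptables rule above, combined into one small script as an added example (this is not code from the original article). The netstat output is a constructed sample, and the function names and the threshold argument are my own; on a live host, pass "$(netstat -ntu)" instead of the sample.

```shell
#!/bin/sh
# Added example: count connections per /16, /24 or single address from
# `netstat -ntu` output, flag prefixes at or above a threshold, and print the
# matching iptables rule for review (printed, not applied).
# Constructed sample of `netstat -ntu` output, not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             192.168.1.10:51022      ESTABLISHED
tcp        0      0 10.0.0.5:80             192.168.1.11:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             192.168.1.12:40002      ESTABLISHED
tcp        0      0 10.0.0.5:80             192.168.1.13:40003      ESTABLISHED
tcp        0      0 10.0.0.5:80             192.168.2.20:40004      ESTABLISHED
udp        0      0 10.0.0.5:53             203.0.113.7:5353        ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.9:55000      TIME_WAIT'

# count_by_prefix OCTETS DATA: prints "<count> <prefix>" per group, busiest first.
# OCTETS 2 groups by /16, 3 by /24, 4 by single address (same idea as the article).
count_by_prefix() {
    case "$1" in 2) pad='.0.0' ;; 3) pad='.0' ;; 4) pad='' ;; *) return 1 ;; esac
    # column 5 is Foreign Address; `cut -s` drops the two header lines (no ':')
    printf '%s\n' "$2" | awk '{print $5}' | cut -d: -f1 -s \
        | cut -d. -f1-"$1" | sed "s/\$/$pad/" | sort | uniq -c | sort -rn
}

# flag_prefixes OCTETS THRESHOLD DATA: prefixes with at least THRESHOLD connections.
flag_prefixes() {
    count_by_prefix "$1" "$3" | awk -v t="$2" '$1 + 0 >= t + 0 {print $2}'
}

# block_rules OCTETS THRESHOLD DATA: the iptables rule the article uses, for each
# flagged prefix, printed so it can be reviewed before anything is blocked.
block_rules() {
    case "$1" in 2) len=16 ;; 3) len=24 ;; 4) len=32 ;; *) return 1 ;; esac
    flag_prefixes "$1" "$2" "$3" | while read -r p; do
        printf 'iptables -A INPUT -s %s/%s -j DROP\n' "$p" "$len"
    done
}

# Run on the sample: which /24 has 3 or more connections, and the rule for it.
flag_prefixes 3 3 "$SAMPLE_NETSTAT"
block_rules 3 3 "$SAMPLE_NETSTAT"
```

Pick the threshold from what is normal for your server; a /24 that legitimately hosts many clients will be flagged just as readily as an attacking one.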

Another issue to consider: if these attacks are coming from subnets on your LAN, why are those machines bombarding your server with attacks?

If so, you probably have a much bigger problem.

One of the best things you can do for these servers is to install fail2ban.

🔒 How to install Fail2Ban to secure SSH on CentOS / RHEL 8

♟ How to install Fail2Ban on CentOS 7

This tool will help automate the prevention of both unwanted logins and attacks.

Remember that mitigating DDoS attacks is not as easy as it is with DoS.

You will need to spend some time with these commands to narrow down the source of the attacks, but this time will not be wasted.
