How to stop a DDoS attack on Linux

To find out whether your server is under attack, first count the TCP connections by state. The same command, filtered by address, also lists the abusive IP addresses. The "established)" and "Foreign" entries in the output are netstat's two header lines, not states; ignore them (or skip them with tail -n +3).

# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n

Output:

      1 CLOSE_WAIT
      1 established)
      1 Foreign
      3 FIN_WAIT1
      3 LAST_ACK
     13 ESTABLISHED
     17 LISTEN
    154 FIN_WAIT2
    327 TIME_WAIT
 

Dig out more information about a specific IP address:
# netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n

      2 LAST_ACK
      2 LISTEN
      4 FIN_WAIT1
     14 ESTABLISHED
     91 TIME_WAIT
    130 FIN_WAIT2

On a busy server the counts are much larger. A SYN flood shows up as a large number of connections stuck in SYN_RECV; a large SYN_SENT count, as below, means this host itself is opening many outbound connections, which on a web server points at a compromised process rather than an inbound flood. Note that grep 202.54.1.10 also matches 202.54.1.100 and 202.54.1.101; use grep -F '202.54.1.10:' to match the exact address.
# netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
Output:

  15 CLOSE_WAIT
  37 LAST_ACK
  64 FIN_WAIT_1
  65 FIN_WAIT_2
1251 TIME_WAIT
3597 SYN_SENT
5124 ESTABLISHED

Get List Of All Unique IP Address

To print the list of all unique IP addresses connected to the server, enter (uniq only collapses adjacent duplicates, so the list must be sorted first; tail -n +3 skips netstat's two header lines, and cut -d: -f1 only works for IPv4, because IPv6 addresses themselves contain colons):
# netstat -nat | tail -n +3 | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq
To print the total number of unique IP addresses, enter:
# netstat -nat | tail -n +3 | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq | wc -l
Output:

449

Find Out If Box is Under DoS Attack or Not

If you think your Linux box is under attack, print a list of open connections sorted by the number of connections per remote IP address. In the output, 0.0.0.0 is the listening sockets and 127.0.0.1 is local traffic; an attacker shows up as a remote address with a count far above the rest. Enter:
# netstat -atun | tail -n +3 | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
Output:

    1 10.0.77.52
      2 10.1.11.3
      4 12.109.42.21
      6 12.191.136.3
.....
...
....
    13 202.155.209.202
     18 208.67.222.222
     28 0.0.0.0
    233 127.0.0.1
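The netstat checks above, folded into reusable functions as an added example (this is not code from the original article; the function names and the sample netstat output are constructed here). It skips netstat's two header lines, so the stray "established)" and "Foreign" entries disappear, matches a single IP on "IP:" so 203.0.113.7 does not also match 203.0.113.70, strips the port after the last colon so IPv6 peers are counted intact, ignores listening sockets, and flags any remote address above a threshold:

```shell
#!/usr/bin/env bash
# Added example, not from the original article: the netstat connection
# checks above as reusable functions. Function names and the sample
# netstat output are constructed for this example.
set -u

# Connection counts by TCP state, like the article's one-liner but skipping
# netstat's two header lines so "established)" and "Foreign" do not appear.
state_summary() {
    awk 'NR > 2 && $1 ~ /^tcp/ { print $6 }' | sort | uniq -c | sort -n
}

# States for one remote IP. Matching "IP:" at the start of the foreign
# address avoids the grep problem where 203.0.113.7 also matches 203.0.113.70.
ip_states() {
    awk -v ip="$1" 'NR > 2 && $1 ~ /^tcp/ && index($5, ip ":") == 1 { print $6 }' \
        | sort | uniq -c | sort -n
}

# "count ip" per remote address, busiest last. Listening sockets (foreign
# address ends in *) are ignored, and the port is stripped after the LAST
# colon so IPv6 peers such as 2001:db8::beef are counted intact.
count_by_ip() {
    awk 'NR > 2 && $1 ~ /^tcp/ && $5 !~ /\*$/ {
             addr = $5
             sub(/:[0-9]+$/, "", addr)
             n[addr]++
         }
         END { for (a in n) print n[a], a }' | sort -n
}

# Remote IPs with more than $1 connections (default 100).
flag_abusers() {
    local threshold="${1:-100}"
    count_by_ip | awk -v t="$threshold" '$1 > t { print $2 }'
}

# Constructed sample in "netstat -nat" layout; not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51000       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40000      ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 2001:db8::1:443         2001:db8::beef:55000    ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8::beef:55001    TIME_WAIT'

# Run against the sample (./script --sample), or source the file and pipe a
# live host into it:  netstat -nat | count_by_ip
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | count_by_ip
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_abusers 2
fi
```

Pick the threshold for flag_abusers from a quiet-hour baseline of count_by_ip on the same host; a single remote address holding several hundred connections while every other peer holds a handful is the pattern to act on.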

Display Summary Statistics for Each Protocol

Use netstat -s; -t, -u and -w restrict the summary to TCP, UDP and raw sockets respectively:
# netstat -s | less
# netstat -t -s | less
# netstat -u -s | less
# netstat -w -s | less
# netstat -s

Display Interface Table

You can display received, transmitted and dropped packet counts (the RX-DRP and TX-DRP columns) for all interfaces with netstat:
# netstat --interfaces

Stop the Attack With Null Route IP using route command

Suppose the bad IP is 65.21.34.4. Add a host route for it that points at the loopback interface, so the server can no longer send anything back to it and its TCP handshakes never complete:

# route add 65.21.34.4 gw 127.0.0.1 lo

The attacker's packets still arrive on the wire, so this does not help against a bandwidth flood; that has to be filtered upstream by your provider.

You can verify it with the following command:

# netstat -nr

OR

# route -n

You can also use the reject route type (a hat tip to Gabriele), which marks the address unreachable in the routing table:

# route add -host IP-ADDRESS reject
# route add -host 64.1.2.3 reject

To confirm the null routing status, use the ip command as follows:

# ip route get 64.1.2.3

Output:

RTNETLINK answers: Network is unreachable

To drop entire subnet 192.67.16.0/24, type:

# route add -net 192.67.16.0/24 gw 127.0.0.1 lo

Null routing using ip command
A blackhole route or rule drops the packet silently: no ICMP error is sent and nothing is forwarded. An IPv4 route is matched on the destination address only, so to drop traffic by source address you need a blackhole rule in the routing policy database (RPDB); while traversing the RPDB, any route lookup which matches a rule with the blackhole rule type will cause the packet to be dropped. The prefix must be a network address: the kernel rejects 202.54.5.2/29 as an invalid argument, so write 202.54.5.0/29. The syntax for the ip command is as follows:

# ip route add blackhole 202.54.5.0/29
# ip rule add blackhole from 202.54.1.2
# ip rule add blackhole to 10.18.16.0/29
# ip route
# ip rule

How do I remove null routing? How do I remove a blocked IP address?

Simply use the route delete command as follows:

# route delete 65.21.34.4

OR

# route del -host 65.21.34.4 reject

Or use the ip command to delete a blackhole route or rule:

# ip route del blackhole 202.54.5.0/29
# ip rule del blackhole from 202.54.1.2
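The null-routing and removal steps above (route, ip route, ip rule and their delete forms) as one added example script. This is not the article's own code; the helper names cidr_network, null_route_cmds and run_or_show are invented here. It normalises the address to its network before handing it to ip, which is why 202.54.5.2/29 becomes 202.54.5.0/29, emits a blackhole route for destinations and a blackhole rule for sources (an IPv4 route is matched on destination only), prints the matching delete command, and only runs anything when --apply is given, which needs root:

```shell
#!/usr/bin/env bash
# Added example, not from the original article: build, and optionally apply,
# the iproute2 commands that null-route an attacker, plus the commands that
# undo it. The helper names are invented for this example.
set -u

# Normalise ADDR[/PREFIX] to its network address: 203.0.113.66/26 becomes
# 203.0.113.64/26 and a bare address gets /32. The kernel refuses a route
# whose host bits are set, which is why 202.54.5.2/29 must be 202.54.5.0/29.
# Returns 1 for anything that is not a valid IPv4 address and prefix length.
cidr_network() {
    local spec="$1" ip plen rest a b c d o net mask
    ip="${spec%/*}"
    plen="${spec#*/}"
    [ "$plen" = "$spec" ] && plen=32
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    case "$ip" in
        *.*.*.*.*|*[!0-9.]*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    a="${ip%%.*}"; rest="${ip#*.}"
    b="${rest%%.*}"; rest="${rest#*.}"
    c="${rest%%.*}"; d="${rest#*.}"
    for o in "$a" "$b" "$c" "$d"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    net=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( plen == 0 ? 0 : (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( net & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( net >> 24 & 255 )) $(( net >> 16 & 255 )) \
        $(( net >> 8 & 255 )) $(( net & 255 )) "$plen"
}

# The ip command that adds (default) or deletes the drop. Traffic *to* an
# address is dropped by a blackhole route; traffic *from* an address needs a
# blackhole rule in the RPDB, because IPv4 routes are matched on destination.
null_route_cmds() {
    local dir="$1" spec="$2" action="${3:-add}" cidr
    cidr="$(cidr_network "$spec")" || { echo "bad address: $spec" >&2; return 1; }
    case "$dir" in
        to)   printf 'ip route %s blackhole %s\n' "$action" "$cidr" ;;
        from) printf 'ip rule %s blackhole from %s\n' "$action" "$cidr" ;;
        *)    echo "direction must be 'to' or 'from'" >&2; return 1 ;;
    esac
}

# Run a command only when APPLY=1 (this part needs root); otherwise show it.
run_or_show() {
    if [ "${APPLY:-0}" = 1 ]; then sh -c "$1"; else echo "would run: $1"; fi
}

# Usage: null_route.sh {to|from} ADDR[/PREFIX] [--apply]
if [ $# -ge 2 ]; then
    [ "${3:-}" = "--apply" ] && APPLY=1
    cmd="$(null_route_cmds "$1" "$2" add)" || exit 1
    run_or_show "$cmd"
    echo "to undo: $(null_route_cmds "$1" "$2" del)"
fi
```

Null routing stops the server answering the attacker, so its handshakes never complete, but the packets still consume the link; a volumetric flood has to be dropped upstream by the ISP or a scrubbing service, and the blackhole should be removed once the attack stops so a later legitimate user of that address is not locked out.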

 
