{"id":368,"date":"2016-12-29T23:06:00","date_gmt":"2016-12-29T21:06:00","guid":{"rendered":"http:\/\/itsimple.info\/?p=368"},"modified":"2017-01-04T10:31:08","modified_gmt":"2017-01-04T08:31:08","slug":"how-to-stop-ddos-attack-on-you-linux","status":"publish","type":"post","link":"https:\/\/itsimple.info\/?p=368","title":{"rendered":"How to stop DDos Attack on linux"},"content":{"rendered":"

To find out if your server is under attack<\/strong> or not. You can also list abusive IP address<\/strong> using this method.<\/h3>\n
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n<\/span>\r\n\r\n<\/code><\/pre>\n
Output:<\/p>\n
      1 CLOSE_WAIT\r\n      1 established)\r\n      1 Foreign\r\n      3 FIN_WAIT1\r\n      3 LAST_ACK\r\n     13 ESTABLISHED\r\n     17 LISTEN\r\n    154 FIN_WAIT2\r\n    327 TIME_WAIT<\/pre>\n
\u00a0<\/code><\/pre>\n
Dig out more information about a specific ip address:
\n# netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n<\/span><\/code><\/p>\n
      2 LAST_ACK\r\n      2 LISTEN\r\n      4 FIN_WAIT1\r\n     14 ESTABLISHED\r\n     91 TIME_WAIT\r\n    130 FIN_WAIT2<\/pre>\n
Busy server can give out more information:
\n# netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n<\/span><\/code>
\nOutput:<\/p>\n
  15 CLOSE_WAIT\r\n  37 LAST_ACK\r\n  64 FIN_WAIT_1\r\n  65 FIN_WAIT_2\r\n1251 TIME_WAIT\r\n3597 SYN_SENT\r\n5124 ESTABLISHED<\/pre>\n
Get List Of All Unique IP Address<\/h4>\n
To print list of all unique IP address connected to server, enter:
\n# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '\/^$\/d' | uniq<\/span><\/code>
\nTo print total of all unique IP address, enter:
\n# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '\/^$\/d' | uniq | wc -l<\/code>
\nOutput:<\/p>\n
449<\/pre>\n
Find Out If Box is Under DoS Attack or Not<\/h4>\n
If you think your Linux box is under attack, print out a list of open connections on your box and sorts them by according to IP address, enter:
\n# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '\/^$\/d' |sort | uniq -c | sort -n<\/span><\/code>
\nOutput:<\/p>\n
    1 10.0.77.52\r\n      2 10.1.11.3\r\n      4 12.109.42.21\r\n      6 12.191.136.3\r\n.....\r\n...\r\n....\r\n    13 202.155.209.202\r\n     18 208.67.222.222\r\n     28 0.0.0.0\r\n    233 127.0.0.1\r\n<\/pre>\n
Display Summary Statistics for Each Protocol<\/h4>\n
Simply use netstat -s:
\n# netstat -s | less
\n# netstat -t -s | less
\n# netstat -u -s | less
\n# netstat -w -s | less
\n# netstat -s<\/span><\/code><\/p>\n
Display Interface Table<\/h4>\n
You can easily display dropped and total transmitted packets with netstat for all interfaces:
\n# netstat --interfaces<\/span>
\n<\/code><\/p>\n
Stop the Attack With Null Route IP using route command<\/u><\/strong><\/h2>\n
Suppose that bad IP is 65.21.34.4, type the following command at shell:<\/p>\n
# route add 65.21.34.4 gw 127.0.0.1 lo<\/span><\/pre>\n
You can verify it with the following command:<\/p>\n
# netstat -nr<\/span><\/pre>\n
OR<\/p>\n
# route -n<\/span><\/pre>\n
You can also use reject target (a hat tip to Gabriele):<\/p>\n
# route add -host IP-ADDRESS reject\r\n# route add -host 64.1.2.3 reject<\/span><\/pre>\n
To confirm the null routing status, use the ip command as follows:<\/p>\n
# ip route get 64.1.2.3<\/span><\/pre>\n
Output:<\/p>\n
RTNETLINK answers: Network is unreachable<\/span><\/pre>\n
To drop entire subnet 192.67.16.0\/24, type:<\/p>\n
# route add -net 192.67.16.0\/24 gw 127.0.0.1 lo<\/span><\/pre>\n
Null routing using ip command
\nWhile traversing the RPDB, any route lookup which matches a rule with the blackhole rule type will cause the packet to be dropped. No ICMP will be sent and no packet will be forwarded. The syntax is follows for the ip command:<\/p>\n
# ip route add blackhole 202.54.5.2\/29\r\n# ip route add blackhole from 202.54.1.2\r\n# ip rule add blackhole to 10.18.16.1\/29\r\n# ip route<\/span><\/pre>\n
How do I remove null routing? How do I remove blocked IP address?<\/p>\n
Simple use the route delete command as follows:<\/p>\n
# route delete 65.21.34.4<\/span><\/pre>\n
OR<\/p>\n
# route del -host 65.21.34.4 reject<\/span><\/pre>\n
Or use NA command to delete route:<\/p>\n
# ip route delete 1.2.3.4\/26 dev eth0<\/span><\/pre>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
To find out if your server is under attack or not. You can also list abusive IP address using this method. # netstat -nat | awk ‘{print $6}’ | sort | uniq -c | sort -n Output: 1 CLOSE_WAIT 1 established) 1 Foreign 3 FIN_WAIT1 3 LAST_ACK 13 ESTABLISHED 17 LISTEN 154 FIN_WAIT2 327 TIME_WAIT […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,13,22],"tags":[],"class_list":["post-368","post","type-post","status-publish","format-standard","hentry","category-centos","category-linux","category-security"],"_links":{"self":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/368","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=368"}],"version-history":[{"count":0,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/368\/revisions"}],"wp:attachment":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=368"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=368"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=368"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}