Ddos Attacks

Ideal place for discussions related to Linux/Windows server security, Apache, MySQL, MS SQL and PHP, including tutorials and questions.
hr-ethadmin
Site Admin
Posts: 67
Joined: Fri May 31, 2013 1:04 pm

Ddos Attacks

Postby hr-ethadmin » Sat Jun 01, 2013 11:19 am

Dos Attack

1 - Check apache status

If you see a lot of ? marks in there, chances are the server is being dossed.

Click here for an example of apache under dos attack

Use the command: netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

This will tell you how many httpd connections there are to the server.

This command may also be useful: lsof -i :80



2 - Block any IP's that have 20 or more connections using:

route add -host reject

3 - Then:

edit /usr/local/apache/conf/httpd.conf

and change:

KeepAlive On TO KeepAlive Off

then:

/scripts/restartsrv httpd

===========================================
Another thing to try:


echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Put following in /etc/sysctl.conf
# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 30

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

Then execute the command :-
# /sbin/sysctl -p

You can also execute the following commands to minimize the syn attack in the future :-
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

Return to “System Security”

Who is online

Users browsing this forum: No registered users and 2 guests