October 8, 2008

A quick fix when under DDOS attack

A friend of mine asked me what he should do when experiencing a DDOS attack.

Well, a full write-up on handling a DDOS attack would be long, as each type of Denial of Service needs a different response, and how well the attack is handled depends on how experienced the sys-admin is.

However, here is a simple, straightforward methodology:

1) Find the IPs the SYN flood is coming from

and

2) Block those IPs

Easy, eh?

So how do you do that on a Linux machine?

Again, this is just a small excerpt.

A simple command such as

[sourcecode="bash"]

netstat -n -p | grep SYN_REC | wc -l

[/sourcecode]

would count the connections currently in the SYN_REC (half-open) state on the server. Depending on the server's size, 30 to 40 SYN_REC could be a sign of a DDOS attack.

Again, do not fixate on the numbers; different factors come into play when deciding whether to ring the DDOS emergency bell.

[sourcecode="bash"]

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

[/sourcecode]

will therefore list the IPs that are maintaining the SYN_REC connections (field 5 of the netstat output is the foreign address, and the second awk strips the port).

And why not also pipe that through sort and uniq -c to get a count per IP, and get fancier?

Anyway, once you decide a source IP is flooding your port, simply block it with:

[sourcecode="bash"]

iptables -I INPUT -s IP -j DROP   # replace IP with the offending source address

[/sourcecode]
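The two steps above (count and list the SYN_REC sources, then block the worst offenders) combined into one small POSIX shell script. This is an added example, not code from the original post: the function names, the threshold argument and the sample netstat output are my own constructions. The functions read `netstat -n -p` style output on stdin, count half-open connections per source IP, and print the iptables rule for each source over a threshold rather than running it, so the list can be reviewed before anything is dropped.

```bash
#!/bin/sh
# Added example (not from the original post). Reads `netstat -n -p` output on stdin,
# counts SYN_RECV connections per source IP, and prints (does not run) the
# iptables DROP rule for every source at or above a threshold.

# Constructed sample of `netstat -n -p` output so the script runs offline.
# Field 5 is the foreign address, field 6 the state, exactly as in the post's awk.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:80           198.51.100.7:41230      SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.7:41231      SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.7:41232      SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       SYN_RECV    -
tcp        0      0 192.0.2.10:22           203.0.113.9:60211       ESTABLISHED 1234/sshd'

# Step 1a: total number of half-open connections (the post's `grep SYN_REC | wc -l`).
count_syn() {
    grep -c 'SYN_REC'
}

# Step 1b: "count ip" per source, most frequent first (the post's awk pipeline
# plus the sort | uniq -c idea; sort before uniq because uniq only merges
# adjacent lines). IPv4 only: the -F: split would break on IPv6 addresses.
syn_sources() {
    grep 'SYN_REC' | awk '{print $5}' | awk -F: '{print $1}' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Step 2: emit an iptables rule for every source with at least $1 half-open
# connections. Printed, not executed, so an operator reviews the list first.
block_commands() {
    threshold="$1"
    syn_sources | awk -v t="$threshold" \
        '$1 >= t {print "iptables -I INPUT -s " $2 " -j DROP"}'
}

# Demo against the constructed sample. On a real box you would run, as root:
#   netstat -n -p | block_commands 30
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | block_commands 3
fi
```

With the sample input, `count_syn` reports 5 half-open connections and `block_commands 3` prints a rule for 198.51.100.7 only, since 203.0.113.5 has just two. Per-IP blocking like this only helps when the flood comes from a handful of real addresses; a flood with spoofed source addresses produces a different IP per packet, and no amount of `-s` rules will keep up.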

cheers,