Identifying and stopping a DDoS attack on a Linux box

If you suspect that your system might be under a DDoS attack, it is definitely worth your time to investigate further and take action if necessary. Some of the symptoms of a DDoS attack (such as a slow network connection) may be caused by other conditions, but if they persist over a longer period of time you can be fairly sure that this is an attack.

First, check your system load with the uptime command. It prints a line that looks something like this: 18:43:32 up 9 days, 21:09, 1 user, load average: 5.33, 6.42, 14.25 (the three numbers are the 1-, 5- and 15-minute load averages). If the load average is higher than usual (or, if you have not checked it before, ridiculously large, such as over 40 on a system that is not under heavy load in normal circumstances), you can suspect a DDoS attack.

Next, check the active connections to your machine with the netstat -an command. Another useful command is netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n, which counts the connections per remote IP address and sorts them by that count, so the addresses with the most connections appear last.

Now you can see the active connections to your server and which hosts account for most of them. If you see many connections from one IP address, or a connection consuming far more bandwidth than it should, add the address to the list of blocked IPs with the command route add ip-address-to-be-banned reject. After you have blacklisted all suspicious IP addresses, kill all connections to your HTTP server and restart it with killall -KILL httpd followed by service httpd startssl.
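As an added example (not from the original post), the per-IP counting step above as a small POSIX shell script: it parses netstat-style lines, counts connections per remote address and flags any peer above a hypothetical threshold. The sample output embedded in SAMPLE is constructed, and the threshold value passed to flag_over is an assumption for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: count connections per remote
# IP from netstat-style output and flag peers above a hypothetical threshold.

# Constructed sample of "netstat -ant" output (not real traffic).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51003       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:60000        ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.7:51004 ESTABLISHED
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'

# count_by_ip: netstat lines on stdin -> "count ip" lines, highest count first.
# Skips the header and LISTEN sockets (they have no peer). Strips only the
# trailing ":port", so IPv6 and IPv4-mapped addresses are not truncated the
# way "cut -d: -f1" would truncate them.
count_by_ip() {
    awk '$1 ~ /^(tcp|udp)/ && $6 != "LISTEN" { sub(/:[^:]*$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# flag_over: keep only the IPs whose connection count exceeds $1.
flag_over() {
    awk -v max="$1" '$1 > max { print $2 }'
}

# Full per-IP table, then the addresses over the (assumed) threshold of 2.
printf '%s\n' "$SAMPLE" | count_by_ip
printf '%s\n' "$SAMPLE" | count_by_ip | flag_over 2
```

On a live system, replace the printf of SAMPLE with netstat -ant (or ss -ant) and review the flagged addresses before blocking anything, since a busy proxy or NAT gateway legitimately opens many connections from one IP.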

Alternatively, you can install a shell script that does this for you. Sadly I don't know the author of the script, so I can't credit him/her. What the script does is automatically check for multiple connections from the same IP address and block them if it finds any. Install it using:

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
