DDOS attack type and iptables anti-ddos script

Source: Internet
Author: User

1. Common DDos attack types

SYN Flood: it is currently the most popular DoS (DoS attacks) and is a type of TCP connection request that uses TCP protocol defects to send a large number of forged TCP connection requests, so that the attacked party's resources are exhausted (the CPU is full or the memory is insufficient.

Smurf: This attack sends a packet with a specific request (such as an ICMP Response Request) to a subnet broadcast address, and disguise the source address as the host address to be attacked. All hosts on the subnet respond to the broadcast packet request and send packets to the attacked host, which causes the host to be attacked.

Land-based: the attacker sets both the source address and destination address of a package as the address of the target host, and then sends the package to the attacked host through IP spoofing, this type of package can cause the attacked host to fall into an endless loop by trying to establish a connection with itself, thus greatly reducing system performance.

Ping of Death: According to TCP/IP specifications, the maximum length of a package is 65536 bytes. Although the length of a package cannot exceed 65536 bytes, the overlapping of multiple segments of a package can be achieved. When a host receives a packet larger than 65536 bytes, it is under the Ping of Death attack, which will cause host downtime.

Teardrop: When an IP packet is transmitted over the network, the packet can be divided into smaller segments. Attackers can perform TearDrop attacks by sending two (or more) packets. The offset of the first package is 0, the length is N, and the offset of the second package is less than N. To merge these data segments, the TCP/IP stack allocates unusually large resources, resulting in a lack of system resources or even machine restart.

2. How to detect whether a DDos attack has been detected

Method 1: Here is a very practical command.

# Netstat-an | grep SYN_RECV | wc-l

If the displayed data is large, you may be lucky.

Method 2: Use monitoring software, such as mrtg or cacti. For example, the following shows that the traffic suddenly increases at a certain time.

650) this. width = 650; "style =" border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-right -: "title =" image "border =" 0 "alt =" image "width =" 370 "height =" 92 "src =" http://www.bkjia.com/uploads/allimg/131227/0P3244129-0.png "/>

3. There is a very practical script to prevent DDos attacks.

#! /Bin/bash

Netstat-an | grep SYN_RECV | awk '{print $5}' | awk-F: '{print $1}' | sort | uniq-c | sort-rn | awk '{if ($1> 1) print $2 }'

For I in $ (cat/tmp/dropip)


/Sbin/iptables-a input-s $ I-j DROP

Echo "$ I kill at 'date'">/var/log/ddos


The script calculates the number of ip addresses in SYN_RECV and reaches 5, and writes the INPUT chain to iptables for rejection.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.