Methods of detecting and preventing DDoS attacks under Linux

1, use the Netstat tool to detect the SYN connection

Netstat-n-p-t
Active Internet connections (w/o servers)
Proto recv-q Send-q Local address Foreign address State Pid/program Name
TCP 0 0 192.168.0.200:5050 192.168.0.38:48892 time_wait-
TCP 0 0 192.168.0.200:5050 192.168.0.38:36604 time_wait-
TCP 0 0 192.168.0.200:5050 192.168.0.38:52988 time_wait-
TCP 0 0 192.168.0.200:5050 192.168.0.38:38911 time_wait-
TCP 0 0 192.168.0.200:5050 192.168.0.38:58623 time_wait-
TCP 0 0 192.168.0.200:43690 192.168.0.200:61616 established 10415/java

Of course I have a normal connection above. Of course, if the time_wait is too much, certainly not normal. (either an attack or a parameter tuning is required.) ）

In the case of DDoS malicious attack will see in the system, many connections in the SYN_RECV state (in the Windows system is syn_received State) Source IP address is random, indicating that this is a kind of SYN attack with IP spoofing.

TCP 0 10.11.11.11:23 124.173.152.8:25882 syn_recv-
TCP 0 10.11.11.11:23 236.15.133.204:2577 syn_recv-
TCP 0 10.11.11.11:23 127.160.6.129:51748 syn_recv-

The port State of the specific host has the following:

CLOSED: No connection is active or in progress
LISTEN: The server is waiting to enter the call
SYN_RECV: A connection request has arrived, waiting for confirmation
Syn_sent: Application has started, open a connection
Established: Normal data transfer status
FIN_WAIT1: Application says it's done
Fin_wait2: The other side has agreed to release
Itmed_wait: Waiting for all groups to die
CLOSING: Both sides try to close at the same time
Time_wait: The other side has initialized a release
Last_ack: Waiting for all groups to die

A little more detailed explanation can look at Baidu Encyclopedia on the established state of interpretation and extension.

The specific SYN_RECV state of the statistics are more, I introduce two kinds of scripting here:

Netstat-an | awk '/^tcp/{++s[$NF]} end {for (a in S) print A, s[a]} '

The above script lists the number of connections in all States.

Netstat-n-p-t | grep SYN_RECV | grep:80 | Wc-l

Of course, above 80 is specifically the Web site is subject to DDoS attacks.

2. Protection against DDoS SYN attack under Linux

Prevention is mainly from two aspects, one is Sysctl's own configuration on the Syn, the second is the firewall strategy.

Sysctl-w Net.ipv4.tcp_syncookies=1 # TCP Syncookie, default shutdown
Sysctl-w net.ipv4.tcp_max_syn_backlog=1280 # SYN Queue, default 1024,> 1280 may not work stably, need to modify kernel source parameters
Sysctl-w net.ipv4.tcp_synack_retries=2 # syn-ack Handshake State retry number, default 5, 1 or 2 when subjected to Syn-flood attack
Sysctl-w net.ipv4.tcp_syn_retries=2 # outgoing SYN handshake retry times, default 4

The above is a number of places that are often mentioned on the Internet, and of course the ones that are not mentioned can be viewed through the following commands.

[Root@web3 nginx]# sysctl-a|grep syn
NET.IPV4.NETFILTER.IP_CONNTRACK_TCP_TIMEOUT_SYN_RECV = 60
Net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
Net.ipv4.tcp_max_syn_backlog = 1024
Net.ipv4.tcp_syncookies = 1
Net.ipv4.tcp_synack_retries = 5
Net.ipv4.tcp_syn_retries = 5
Fs.quota.syncs = 25

If not attacked, the above parameters are not recommended for modification. It is said to have the risk of increasing the instability of the host.

Firewall Policy:

#缩短SYN-timeout Time:
Iptables-a forward-p tcp--syn-m limit--limit 1/s-j ACCEPT
Iptables-a input-i eth0-m limit--limit 1/sec--limit-burst 5-j ACCEPT
#每秒最多3个syn封包进入:
Iptables-n syn-floodiptables-a input-p TCP--syn-j Syn-flood
Iptables-a syn-flood-p tcp--syn-m limit--limit 1/s--limit-burst 3-j returniptables-a syn-flood-j

method Two, using Iptables anti-DDoS attack more detailed version

RH 8.0 above begins to enable iptables substitution ipchains, which are very similar and have different places.
* Enable Iptables
If there are no iptables files under/etc/sysconfig/, you can create:
# Firewall configuration written by Lokkit
# Manual Customization of this file is not recommended.
# Note:ifup-post'll punch the current nameservers through the
# firewall; Such entries'll *not* is listed here.
*filter
: INPUT ACCEPT [0:0]
: FORWARD ACCEPT [0:0]
: OUTPUT ACCEPT [0:0]
: Rh-lokkit-0-50-input-[0:0]
-A input-j Rh-lokkit-0-50-input
-A rh-lokkit-0-50-input-i lo-j ACCEPT
-A rh-lokkit-0-50-input-p tcp-m tcp--dport ftp-j ACCEPT
-A rh-lokkit-0-50-input-p tcp-m tcp--dport ssh-j ACCEPT
-A rh-lokkit-0-50-input-p tcp-m tcp--dport http-j ACCEPT
-A rh-lokkit-0-50-input-p tcp-m tcp--dport smtp-j ACCEPT
-A rh-lokkit-0-50-input-p tcp-m tcp--dport pop3-j ACCEPT
-A rh-lokkit-0-50-input-p tcp-m tcp--dport mysql-j ACCEPT
-A rh-lokkit-0-50-input-p tcp-m tcp--dport 2001-j ACCEPT
-A rh-lokkit-0-50-input-p tcp-m tcp--dport domain-j ACCEPT
-A rh-lokkit-0-50-input-p udp-m UDP--dport domain-j ACCEPT
-A rh-lokkit-0-50-input-p tcp-m tcp--dport 0:1023--syn-j REJECT
-A rh-lokkit-0-50-input-p tcp-m tcp--dport 2049--syn-j REJECT
-A rh-lokkit-0-50-input-p udp-m UDP--dport 0:1023-j REJECT
-A rh-lokkit-0-50-input-p udp-m UDP--dport 2049-j REJECT
-A rh-lokkit-0-50-input-p tcp-m tcp--dport 6000:6009--syn-j REJECT
-A rh-lokkit-0-50-input-p tcp-m tcp--dport 7100--syn-j REJECT
COMMIT
The above configuration allows FTP, SSH, HTTP, SMTP, POP3, MySQL, 2001 (Prima's ACA port), domain port.

* Start iptables
/etc/init.d/iptables start

* Set Iptables to start automatically
Chkconfig--level 2345 iptables on

* Shield IP with iptables
Iptables-i rh-lokkit-0-50-input 1-p tcp-m tcp-s 213.8.166.227--dport---syn-j
Note that the difference between and IPChains is:
The parameter of the rule name followed by-I is different from the ipchains, not the unified input, but the one defined in/etc/sysconfig/iptables.
Multi-M TCP
The parameter for the specified port is--dport 80
Multiple--syn parameters, you can automatically detect sync attacks

Use Iptables to prohibit ping:
-A input-p icmp-m ICMP--icmp-type 8-m limit--limit 6/min--limit-burst 2-j ACCEPT
-A input-p icmp-m ICMP--icmp-type 8-j REJECT--reject-with icmp-port-unreachable

Allow an IP connection
-I rh-firewall-1-input 1-p tcp-m tcp-s 192.168.0.51--syn-j ACCEPT

Note: The specific port needs to be modified according to its own network.

Method III, using automatic shielding DDoS attacker IP software: DDoS deflate

, install DDoS deflate

wget http://www.inetbase.com/scripts/ddos/install.sh//download DDoS deflate
Chmod 0700 install.sh//Add Permissions
./install.sh//Executive

2. Configure DDoS Deflate
The following is the default configuration of the DDoS deflate located in/usr/local/ddos/ddos.conf

The contents are as follows:

##### Paths of the script and other files
Progdir= "/usr/local/ddos"
Prog= "/usr/local/ddos/ddos.sh"
Ignore_ip_list= "/usr/local/ddos/ignore.ip.list"//IP address white list
cron= "/etc/cron.d/ddos.cron"//Timed execution procedure
apf= "/etc/apf/apf"
ipt= "/sbin/iptables"
##### frequency in minutes for running the script
##### caution:every time This setting is changed, run the script With–cron
##### option so the new frequency takes effect
Freq=1//Check time interval, default 1 minutes
##### How many connections define a bad IP? indicate that below.
no_of_connections=150//Maximum number of connections, more than this number of IP will be blocked, the general default can be
##### apf_ban=1 (Make sure your APF version is atleast 0.96)
##### apf_ban=0 (Uses iptables for banning IPs instead of APF)
Apf_ban=1//using APF or iptables. It is recommended to use Iptables to change the value of Apf_ban to 0.
##### kill=0 (Bad IPs are ' NT banned, good for interactive execution of script)
##### kill=1 (recommended setting)
Kill=1//Whether shielding IP, the default can
##### an email was sent to the following address when a IP is banned.
##### Blank would suppress sending of mails
email_to= "root"///when IP is blocked to send mail to the specified mailbox, recommended to use, change your own mailbox can
##### number of seconds the banned IP should remain in blacklist.
ban_period=600//Disable IP time, default 600 seconds, according to the situation can adjust the user according to the default profile added to the comment content, modify the configuration file.

The user can modify the configuration file according to the comment content that is added to the default profile.

View line 117th of the/usr/local/ddos/ddos.sh file

Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-nr > $BAD _ip_list

Modify to the following code!

Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sed-n '/[0-9]/p ' | Sort | uniq-c | Sort-nr > $BAD _ip_list

Like toss can use the web stress test software to test the effect, believe that DDoS deflate or can give your VPS or server to protect against a part of DDoS attacks, to your site more protection.