How to check whether a Linux server is under DDoS attack

Source: Internet
Author: User


Address: http://www.phpthinking.com/archives/427

Log on to your server and run the following command as root to check whether the server is under DDoS attack:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
This lists the remote IP addresses currently connected to the server, ranked by how many connections each one holds; the noisiest peers end up at the bottom of the list. Two caveats: `cut -d: -f1` splits IPv6 peers at their first colon, so on a dual-stack host strip the port after the last colon instead (for example with `sed 's/:[0-9]*$//'`), and listening sockets appear as `0.0.0.0` or `*` and can be ignored.

Detection gets harder when the attacker spreads the load over many source addresses with only a few connections each: no single address stands out even though the server is under attack. It is therefore also worth counting the active connections to the service itself, for example port 80:
netstat -n | grep :80 | wc -l
This counts every connection line that mentions port 80. Note that the pattern also matches ports that merely contain those digits (such as :8080) and the listening socket itself; anchor it, for example `grep ':80 '`, to match the port exactly.

You can also count only the half-open connections, those sitting in the SYN_RECV state:
netstat -n | grep :80 | grep SYN | wc -l
The numbers from the two commands will differ. The article's rule of thumb is: more than 500 active connections on a server that normally sees far fewer almost certainly means something is wrong, and 100 or more connections in SYN state points to a SYN flood. Calibrate both thresholds against the server's normal load rather than applying them blindly.

Once you have a list of the IP addresses attacking your server, you can block them. Bear in mind that a SYN flood usually arrives with spoofed source addresses, so blocking individual addresses helps against connection floods from real hosts but does little against spoofed traffic.

One way to block a specific IP address is a reject route:

route add -host IPADDRESS reject

A reject route only stops the server from sending packets back to that address, so no connection with it can complete; the inbound packets still arrive and still cost the kernel work. Once you have blocked an address this way, confirm that the route is in place.

Run the following command:

route -n | grep IPADDRESS

To drop the traffic before it reaches the application, use iptables instead:

iptables -I INPUT 1 -s IPADDRESS -j DROP

service iptables save

`-I INPUT 1` inserts the rule at the top of the INPUT chain (the original `-A INPUT 1` is not valid syntax: `-A` appends and takes no position). Use `-j REJECT` instead of `-j DROP` if the sender should receive an ICMP error; DROP is cheaper during an attack. Run `service iptables save` after adding the rule and do not run `service iptables restart` first: on RHEL/CentOS a restart reloads the rules from /etc/sysconfig/iptables and discards the rule you just added.

After the rules are in place, stop httpd so that the existing attack connections are torn down, then start it again.

Run the following commands:

killall -KILL httpd

service httpd start

`killall -KILL` kills the worker processes without a clean shutdown, which is acceptable under attack; `service httpd stop` is the orderly alternative. The original article's `service httpd startssl` refers to the `startssl` target of older apachectl (Apache 1.3/2.0), which started the server with SSL enabled; on current releases SSL is enabled in the configuration and a plain start is sufficient.
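The triage above done in one script, as an added example that is not part of the original article: it ranks remote peers, counts port-80 and SYN_RECV connections, applies the article's 500/100 rule of thumb, and prints (does not execute) the iptables rule for the noisiest peer. It runs over a constructed `netstat -ant` dump so it can be exercised offline; on a live host replace `SAMPLE` with the real output. It also handles IPv6 peers, which the article's `cut -d: -f1` mangles.

```sh
#!/bin/sh
# Added example, not from the original article: the triage the article does by
# hand (top talkers, port-80 connection count, SYN_RECV count, block rule),
# run over a constructed netstat dump so it can be exercised offline.
# For a live host replace SAMPLE with the output of `netstat -ant`.
# Thresholds default to the article's 500/100 rule of thumb.

# Constructed sample of `netstat -ant` output (addresses from RFC 5737/3849 test ranges).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:4433       ESTABLISHED
tcp        0      0 10.0.0.5:8080           198.51.100.9:4444       ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:5555         ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::99:6000       SYN_RECV'

# Remote peers ranked by connection count, noisiest first. The port is stripped
# after the LAST colon so IPv6 peers survive (the article's cut -d: -f1 would
# truncate "2001:db8::99:6000" to "2001"); listening sockets (foreign "*") are skipped.
top_talkers() {
  printf '%s\n' "$SAMPLE" \
    | awk '$1 ~ /^(tcp|udp)/ && $5 !~ /\*$/ { print $5 }' \
    | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn
}

# Connections whose LOCAL side is exactly port 80 (the article's `grep :80`
# would also count :8080 and the LISTEN line).
port80_conns() {
  printf '%s\n' "$SAMPLE" \
    | awk '$1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "LISTEN" { n++ } END { print n + 0 }'
}

# Half-open connections to port 80: the SYN-flood indicator.
syn_recv_count() {
  printf '%s\n' "$SAMPLE" \
    | awk '$1 ~ /^tcp/ && $4 ~ /:80$/ && $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# verdict TOTAL_THRESHOLD SYN_THRESHOLD: the article's rule of thumb
# (defaults 500 active / 100 half-open); calibrate against normal load.
verdict() {
  total=$(port80_conns); syn=$(syn_recv_count)
  if [ "$syn" -ge "${2:-100}" ]; then
    echo SYN_FLOOD_SUSPECTED
  elif [ "$total" -ge "${1:-500}" ]; then
    echo CONNECTION_FLOOD_SUSPECTED
  else
    echo OK
  fi
}

# iptables rule for the noisiest peer. Printed, not executed: review it first
# (a SYN flood's sources are usually spoofed, so per-IP blocking may be futile).
block_cmd() {
  peer=$(top_talkers | head -n 1 | awk '{ print $2 }')
  printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$peer"
}

top_talkers
printf 'port-80 connections: %s  SYN_RECV: %s  verdict: %s\n' \
  "$(port80_conns)" "$(syn_recv_count)" "$(verdict)"
block_cmd
```

With the sample above the script reports 203.0.113.7 with three half-open connections and a verdict of OK under the default thresholds; `verdict 4 3` shows how a lower calibrated threshold flips it to SYN_FLOOD_SUSPECTED.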


What should I do if my server is under DDOS attack?

2.1 Host prevention
2.1.1 Use network and host scanning tools to find vulnerabilities
The key to a successful DDoS attack is finding poorly defended computers on the Internet to recruit. Security scanning tools are therefore used to probe networks and hosts, identify existing weaknesses and suggest countermeasures, which reduces or even prevents the host being turned into a zombie. Scanning tools can also detect and remove DDoS agent software that attackers have installed on a host. Keep the scanning tools updated as attack methods evolve.
2.1.2 Use a NIDS and a sniffer
When the system receives suspicious traffic from an unknown address, the NIDS (Network Intrusion Detection System) raises an alert so that the administrator can act in time, for example by cutting the connection or tracing the source. NIDS policies and rules must be kept current and contain the signatures of the latest attack techniques.
A sniffer identifies attack behaviour at the network level and is the raw data source for the NIDS. For example, when an attacker modifies the data portion of an IP packet so that it carries concealed information, the sniffer can capture it and hand it to the relevant staff for analysis; this is the basis for blocking or diverting malicious traffic, or for tracing the attacker.
2.1.3 Apply system patches promptly
Operating systems contain many vulnerabilities that give attackers easy ways in. Downloading and applying system patches in a timely manner is therefore an important defence.

2.2 network device prevention
Defence on a single machine mainly reduces the chance of that machine being used as an attack agent; preventive measures on the router are the key to defending against DDoS. Here we take a Cisco router as the example and look at how to prevent attacks:
2.2.1 Check each packet on the router
In the router's CEF (Cisco Express Forwarding) table, if the route entry back to the packet's source address does not point at the interface the packet arrived on, the router discards the packet (this is unicast reverse path forwarding). For example, if the router receives a packet with source address a.b.c.d, and the CEF table holds no route to a.b.c.d via that interface (that is, no route a reply would take), the router drops it.
2.2.2 Limit the SYN packet rate
Many DDoS attacks are SYN floods, so it is worth rate-limiting SYN packets on the router. Measure normal traffic while the network is healthy before choosing the limits, otherwise the values will be far off. In the configuration below, access list 153 matches established TCP traffic to the web server and is allowed 45 Mbit/s, while access list 152 matches all TCP traffic to the web server; because established packets are already transmitted by the first rate-limit statement, the second one effectively caps SYN packets at 1 Mbit/s. The server address is missing from the source, so `<server-ip>` is a placeholder:
rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop
access-list 152 permit tcp any host <server-ip> eq www
access-list 153 permit tcp any host <server-ip> eq www established
2.2.3 Deploy filtering policies on the border routers
The network administrator can deploy ingress filtering on the border routers:

The ISP-side border router should only accept traffic whose source address belongs to the customer network, and the customer network should only accept traffic whose source address does not belong to the customer network (so packets arriving from outside with a spoofed inside source are dropped).
Access control list of the ISP-side border router:
access-list 190 permit ip <client-network> <client-network-mask> any
access-list 190 deny ip any any [log]
interface <interface facing the client network>
 ip access-group 190 in
Access control list of the client-side border router:
Access-lis... the remaining full text>

How does a linux system prevent DDOS attacks?

One option is to use Squid's port-mapping (reverse proxy) feature so that port 80 is fronted by the proxy rather than the web server. Common DDoS attacks can in fact often be absorbed by raising /proc/sys/net/ipv4/tcp_max_syn_backlog: the default is usually very small, and setting it above 8000 generally deals with ordinary attacks. If the problem is connections lingering in the time-out stage, lower /proc/sys/net/ipv4/tcp_fin_timeout instead.
Everyone is discussing DDoS. I personally think there is no real solution at present; one can only expand buffers and defensive capacity and play a psychological game with the attacker to see who holds out longest. There are also many practices on the Internet, such as syncookies, which are a bit more complex.
sysctl -w net.ipv4.icmp_echo_ignore_all=1
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_synack_retries=3
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
# Limit new connections to 12 per second (burst up to 24)
iptables -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN
iptables -A syn-flood -j DROP
The `iptables -N syn-flood` and final `-j DROP` lines were missing from the original fragment; without them the jump target does not exist and SYNs over the limit would simply fall through to the rest of INPUT. For a host that forwards traffic (a gateway), the equivalent on the FORWARD chain is:
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
On its own this rule only accepts; it must be followed by a rule that drops the SYNs exceeding the limit.
Virtual-machine hosting providers may be attacked while in operation; the common attacks are SYN floods and other forms of DDoS. Moving the attacked site to a different IP address can dodge the attack, but the service interruption is long. A more thorough solution is a hardware firewall, which is expensive; the firewall functions built into Linux are an alternative worth considering.
1. Resisting SYN floods
A SYN attack exploits the TCP three-way handshake: the attacker sends a large number of connection-establishing (SYN) packets but never completes the connections, so the attacked server's connection queue fills up and normal users cannot get in.
The Linux kernel exposes several SYN-related settings. Run:
sysctl -a | grep syn
and you will see values like:
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
tcp_max_syn_backlog is the length of the SYN (half-open connection) queue, and tcp_syncookies switches the SYN cookie mechanism on or off, which defends against some SYN attacks. tcp_synack_retries is how many times the server retransmits its SYN-ACK for a half-open connection; tcp_syn_retries is how many times the kernel retransmits a SYN when it opens a connection itself.
Increasing the SYN queue length lets the server hold more pending connections. Enabling SYN cookies blocks some SYN attacks, and lowering the SYN-ACK retry count makes half-open entries expire sooner, which also helps.
To adjust these settings, proceed as follows.
Increase the SYN queue length to 2048:
sysctl -w net.ipv4.tc... [remaining full text truncated in source]
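The SYN hardening from this section and the previous one as one script, added here as an example that is not part of the original article: it audits the four sysctls the article lists against the article's recommended values, derives the matching `sysctl -w` commands, and renders the SYN rate-limit chain as a complete set of rules. The sample sysctl output is constructed to match the values shown above; nothing is applied to the system, the output is meant to be reviewed and then piped to `sh` as root.

```sh
#!/bin/sh
# Added example, not from the original article: audit the SYN-related sysctls
# the article lists, derive the `sysctl -w` fixes, and render the SYN rate-limit
# chain including the two rules the article's fragment leaves out
# (`-N syn-flood` and the final DROP). Recommended values are the article's
# (syncookies on, backlog 2048, synack_retries 3). Nothing here changes the
# system: pipe the output to `sh` as root once you have reviewed it.

# Constructed sample reproducing the `sysctl -a | grep syn` output shown in the article.
SAMPLE_SYSCTL='net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5'

# Reads `sysctl -a` style "name = value" lines on stdin; prints
# "name current recommended" for each setting weaker than the recommendation.
audit_syn_settings() {
  awk -F' *= *' '
    $1 == "net.ipv4.tcp_syncookies"      && $2 != 1    { print $1, $2, 1 }
    $1 == "net.ipv4.tcp_max_syn_backlog" && $2 <  2048 { print $1, $2, 2048 }
    $1 == "net.ipv4.tcp_synack_retries"  && $2 >  3    { print $1, $2, 3 }'
}

# Turns the audit output into the corresponding `sysctl -w` commands.
sysctl_fixes() {
  audit_syn_settings | awk '{ printf "sysctl -w %s=%s\n", $1, $3 }'
}

# syn_limit_rules IFACE RATE BURST: the article's per-second SYN limiter as a
# complete chain. New SYNs jump to syn-flood; those within the limit RETURN to
# INPUT and continue normal processing, the excess is dropped.
syn_limit_rules() {
  printf 'iptables -N syn-flood\n'
  printf 'iptables -A INPUT -i %s -p tcp --syn -j syn-flood\n' "$1"
  printf 'iptables -A syn-flood -m limit --limit %s --limit-burst %s -j RETURN\n' "$2" "$3"
  printf 'iptables -A syn-flood -j DROP\n'
}

# Offline run on the constructed sample. On a live host use:
#   sysctl -a 2>/dev/null | audit_syn_settings
printf '%s\n' "$SAMPLE_SYSCTL" | audit_syn_settings
printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_fixes
syn_limit_rules eth0 12/s 24
```

Against the sample, all three audited settings are reported as weak (tcp_syn_retries is read but left alone, since it only affects connections the host opens itself); feeding the script a hardened `sysctl -a` produces no findings and therefore no `sysctl -w` lines.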
