Linux VPS solutions for DDoS attacks

Connect VPS Enter First command

Netstat-anp |awk ' {print $} ' |sort|uniq-c |sort-rn

Here we look at Syn_recv these, see his connection number is not high, good hundreds of, it is possible to be DDoS

The next trace is from which IP emits syn

directive: Netstat-an | grep SYN | awk ' {print $} ' | Awk-f: ' {print $} ' | Sort | uniq-c | Sort-nr | More

Next, keep looking, input instructions.

Netstat-ntu | grep SYN | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-n more

Netstat-an | grep SYN | awk ' {print $} ' | Awk-f: ' {print $} ' | Sort | uniq-c | Sort-nr | More

After confirming the SYN attack, we're going to change the syn.

To view the default SYN configuration

Input Sysctl-a | grep _syn

Can see, this is I have been configured, you can refer to

Net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120

NET.NETFILTER.NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV = 60

Net.ipv4.tcp_syn_retries = 3

Net.ipv4.tcp_synack_retries = 3

Net.ipv4.tcp_syncookies = 1

Net.ipv4.tcp_max_syn_backlog = 10240

Tcp_max_syn_backlog is the length of the SYN queue, increasing the length of the SYN queue to accommodate more waiting network connections. Tcp_syncookies is a switch that turns on the SYN Cookie feature to prevent partial SYN attacks. Tcp_synack_retries and Tcp_syn_retries define the number of SYN retry connections, reducing the default parameters to minimize the number of SYN connections.

Modify the method so that the configuration takes effect immediately, without restarting, you can perform

#sysctl-W net.ipv4.tcp_max_syn_backlog=10240

#sysctl-W Net.ipv4.tcp_syncookies=1

#sysctl-W net.ipv4.tcp_synack_retries=3

#sysctl-W net.ipv4.tcp_syn_retries=3

Then you can enter the first command again to see if SYN is descending.