Linux Notes _ Prevent DDoS attacks

Source: Internet
Author: User

I. What is a DoS attack

DoS is the abbreviation of Denial of Service. A DoS attack aims to make a computer or network unable to provide its normal service. The most common DoS attacks are bandwidth attacks and connectivity attacks. A bandwidth attack floods the network with very large volumes of traffic so that all available network resources are exhausted and legitimate user requests cannot get through. A connectivity attack floods a computer with a large number of connection requests so that all available operating system resources are exhausted and the computer can no longer process legitimate user requests.

II. What is a DDoS attack

A distributed denial of service (DDoS, Distributed Denial of Service) attack uses client/server techniques to combine many computers into one attack platform that launches a DoS attack against one or more targets, multiplying the power of the denial of service attack. Typically, an attacker uses a stolen account to install a DDoS master program on a computer. At a set time the master communicates with a large number of agents, which have already been installed on many computers across the Internet. An agent launches the attack when it receives the instruction. With client/server techniques, the master program can activate hundreds of agents within seconds.

III. Symptoms of a DDoS attack

1. A large number of TCP connections are waiting on the attacked host.

2. The network is flooded with useless packets whose source addresses are forged.

3. High volumes of useless traffic cause network congestion, so the victim host cannot communicate normally with the outside.

4. Using a service provided by the victim host or a defect in the transport protocol, specific service requests are issued repeatedly and at high speed, so the victim host cannot handle normal requests in time.

5. In severe cases the system crashes or hangs.

IV. Preventing DDoS attacks with sysctl and iptables

1. Modify sysctl parameters

# sysctl -a | grep ipv4 | grep syn

net.ipv4.tcp_syn_retries = 5

net.ipv4.tcp_synack_retries = 5

net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_max_syn_backlog = 128

Parameter description:

net.ipv4.tcp_syncookies: whether SYN cookies are enabled; "1" turns them on, "0" turns them off.
net.ipv4.tcp_max_syn_backlog: the length of the SYN queue; increasing it lets the queue hold more half-open connections waiting to complete the handshake.
net.ipv4.tcp_synack_retries and net.ipv4.tcp_syn_retries: the number of SYN-ACK and SYN retransmissions.

Add the following to /etc/sysctl.conf, then run "sysctl -p":
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2

Increase TCP connection capacity:
net.ipv4.tcp_rmem = 32768
net.ipv4.tcp_wmem = 32768
net.ipv4.tcp_sack = 0

2. Using iptables
Command:
# netstat -an | grep ":" | grep ESTABLISHED
to see which IPs look suspicious. For example, 192.168.1.162 has a large number of connections and looks very suspicious, and you do not want it to connect again. You can use the command:
# iptables -A INPUT -s 192.168.1.162 -p tcp -j DROP
which discards packets from 192.168.1.162.
For a SYN flood attack with forged source IP addresses, this method does not work.
Other references:
Prevent SYN packet flooding (SYN flood):
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Others write it as:
# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
--limit 1/s limits SYN packets to 1 per second; it can be adjusted to your needs to prevent various port scans. Note that these rules only ACCEPT the packets within the limit: SYN packets beyond it fall through to the rules that follow or to the chain's default policy, so they are only discarded if a later rule or the policy drops them.
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping flood attack (Ping of Death):
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

V. Using DDoS deflate to automatically block attacking IPs

DDoS deflate is a free script for defending against and mitigating DDoS attacks. It uses netstat to monitor and track the IP addresses that create large numbers of network connections; when an address is found to exceed a preset limit, it is banned or blocked through APF or iptables.
DDoS deflate official website: http://deflate.medialayer.com/
How can I confirm that I am under a DDoS attack?
Run:
# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Execution result:

      1 Address

      1 servers)

      2

   1000 192.168.1.162

Here I used Apache's ab command to run the concurrency test:

# ab -n 1000 -c http://192.168.1.155/index.html

A few, a dozen or even dozens of connections per IP are still fairly normal; hundreds or thousands from a single IP are certainly not.
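As an added example (not part of the original article or of DDoS deflate itself), the following script performs the same detection step offline: it counts connections per remote IP in a constructed netstat sample, skips whitelisted addresses, and prints, without executing, the iptables rule that would ban each IP over the threshold. The sample output, the whitelist and the threshold of 3 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article or the DDoS deflate project: the detection step
# DDoS deflate performs, run over a constructed `netstat -ntu` sample so it works offline.
# Nothing here changes the firewall; the ban rule is only printed.

# Constructed sample of `netstat -ntu` output, header lines included as netstat prints them.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.155:80        192.168.1.162:51001     ESTABLISHED
tcp        0      0 192.168.1.155:80        192.168.1.162:51002     ESTABLISHED
tcp        0      0 192.168.1.155:80        192.168.1.162:51003     SYN_RECV
tcp        0      0 192.168.1.155:80        192.168.1.162:51004     ESTABLISHED
tcp        0      0 192.168.1.155:22        192.168.1.10:40001      ESTABLISHED
tcp        0      0 192.168.1.155:22        192.168.1.10:40002      ESTABLISHED
tcp        0      0 192.168.1.155:80        10.0.0.7:33000          ESTABLISHED
udp        0      0 192.168.1.155:53        192.168.1.10:5353       ESTABLISHED'

# Constructed whitelist, playing the role of ignore.ip.list: one IP per line.
IGNORE_IPS='192.168.1.10'

# connections_per_ip: read netstat output on stdin and print "<count> <ip>" per remote
# IP, lowest count first. The awk filter drops header lines and strips the port.
connections_per_ip() {
    awk '$5 ~ /^[0-9]+\./ { sub(/:[0-9]+$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# ips_over_threshold THRESHOLD: print the remote IPs with more than THRESHOLD
# connections that are not on the whitelist. Reads netstat output on stdin.
ips_over_threshold() {
    connections_per_ip | while read -r count ip; do
        if [ "$count" -gt "$1" ] && ! printf '%s\n' "$IGNORE_IPS" | grep -qxF "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
    return 0
}

# ban_rule IP: the iptables rule DDoS deflate applies when APF_BAN=0. Printed, not run.
ban_rule() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Stand-alone run over the sample with a threshold of 3 (the article's default is 150).
printf '%s\n' "$SAMPLE_NETSTAT" | ips_over_threshold 3 | while read -r ip; do ban_rule "$ip"; done
```

Replace the sample with real `netstat -ntu` output, and the constructed whitelist with the contents of ignore.ip.list, to reproduce the check on a live host.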
1. Installing DDoS deflate
wget http://www.inetbase.com/scripts/ddos/install.sh

chmod 0700 install.sh

./install.sh

2. Configuring DDoS deflate. The following is the default configuration of DDoS deflate in /usr/local/ddos/ddos.conf:
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"   # IP address whitelist
CRON="/etc/cron.d/ddos.cron"                       # scheduled execution
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect
FREQ=1                  # check interval; default 1 minute

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150   # maximum number of connections; IPs above it are blocked. The default is usually fine.

##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1               # APF or iptables; iptables is recommended, so change APF_BAN to 0

##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1                  # whether to block the IP; on by default

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"         # mailbox notified when an IP is blocked; recommended, change it to your own address

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600          # how long the IP stays blocked; default 600 seconds, adjust as needed

3. Options
/usr/local/ddos/ddos.sh -h     # view the options
/usr/local/ddos/ddos.sh -k N   # kill connections from IPs with more than N connections; N defaults to NO_OF_CONNECTIONS from the configuration file
/usr/local/ddos/ddos.sh -c     # create the cron job according to the configuration file

4. Scheduled execution, once per minute

# vim /etc/cron.d/ddos.cron

SHELL=/bin/sh

0-59/1 * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1
5. Uninstall
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos
VI. If the server runs Nginx, the following can be done to prevent DDoS attacks

1. Enable the nginx access log
log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" $http_x_forwarded_for';   # set the log format
#access_log /dev/null;
access_log /usr/local/nginx/logs/access.log access;
2. Observe the nginx log
more /usr/local/nginx/logs/access.log
See which IPs repeat excessively.
(1) Characteristics of the User-Agent
For example: MSIE 5.01
Configure Nginx:
location / {
    if ($http_user_agent ~* "MSIE 5.01") {
        #proxy_pass http://www.google.com;
        return 500;
        #access_log /home/logs/1.log main;
    }
}
Add the IP to iptables:
iptables -A INPUT -s 202.195.62.113 -j DROP
The attack I encountered combined a fixed User-Agent with DDoS: the IPs found were proxy addresses, and the last field of the log line (the X-Forwarded-For value) is the real IP, repeated many times.
How to view the user_agent
Enter the following in the address bar:
javascript:alert(navigator.userAgent)
Press Enter and the User-Agent of the current browser pops up.
PS: User-Agents of IE and Firefox
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" (IE 6.0)
"Mozilla/4.0 (compatible; MSIE 8.0;; Trident/4.0; .NET CLR 2.0.50727; CIBA)" (IE 8.0)
"Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
Note: all of them contain "Windows NT 5.1".
"Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)" (this should be the user_agent used by the attacker).
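As an added example (not from the original article), this script parses log lines written in the log_format configured above and counts repeats per User-Agent and per X-Forwarded-For address, which is what the steps above do by eye. The log lines, addresses and User-Agent strings are a constructed sample.

```shell
#!/bin/sh
# Added example, not from the article: offline analysis of nginx access-log lines in the
# article's log_format, to find which User-Agent and which forwarded client IP repeat
# abnormally. The input below is a constructed sample, not a real log.

# Constructed access.log lines in the article's format:
# remote_addr - remote_user [time_local] "request" status bytes "referer" "user_agent" x_forwarded_for
SAMPLE_LOG='192.168.1.10 - - [10/Jan/2013:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12" -
202.195.62.113 - - [10/Jan/2013:10:00:02 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)" 192.168.1.162
202.195.62.114 - - [10/Jan/2013:10:00:02 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)" 192.168.1.162
202.195.62.115 - - [10/Jan/2013:10:00:03 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)" 192.168.1.162
192.168.1.20 - - [10/Jan/2013:10:00:03 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" -'

# Splitting each line on double quotes gives: $1 = addr/user/time, $2 = request,
# $3 = status and bytes, $4 = referer, $6 = user agent, $7 = x_forwarded_for (leading space).

# count_user_agents: read log lines on stdin, print "<count>|<user agent>", most frequent last.
# "|" separates the fields because User-Agent strings contain spaces.
count_user_agents() {
    awk -F'"' 'NF >= 7 { print $6 }' | sort | uniq -c | sort -n \
        | sed 's/^ *\([0-9]*\) /\1|/'
}

# count_forwarded_ips: print "<count> <ip>" per X-Forwarded-For value (the address behind
# a proxy), skipping "-" where no header was present. The header is supplied by the client
# or proxy, so treat it as corroborating evidence rather than proof before blocking on it.
count_forwarded_ips() {
    awk -F'"' 'NF >= 7 { gsub(/ /, "", $7); if ($7 != "-" && $7 != "") print $7 }' \
        | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_user_agents
printf '%s\n' "$SAMPLE_LOG" | count_forwarded_ips
```

On a live server feed the real log instead: `count_user_agents < /usr/local/nginx/logs/access.log`.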

Reference article: http://czmmiao.iteye.com/blog/1616837

Reference Video: Linux Cloud computing cluster Architect "Learning God It Education"

