Linux VM DDoS attack prevention on Azure: slow attack

Source: Internet
Author: User
Tags http post

In the previous blog (, we described how to use Apache's module Mod_evasive to set up anti-DDoS attacks, in which The main prevention is the HTTP volume attack, but the DDOS attack way, a lot of tools, a random search to know, we look back, what is called Dos/ddos, see Wikipedia:

"Denial of Service Attacks (denial of servicesAttack, abbreviation:DoS), also known as flood attacks , is a network attack technique designed to deplete the network or system resources of the target computer. , which causes the service to be temporarily interrupted or stopped, causing it to be unavailable to the target customer.

When hackers use two or more compromised computers on the network as "zombies" to launch a "denial-of-service" attack on a particular target, it is called a distributed denial of service attack (distributed Denialof service attack, Abbreviation:DDoS). According to 2014 statistics, the attacks that were identified as mass DDoS have reached an average of 28 times per hour. [1] attack initiators typically attack critical services, such as banks, credit card payment gateways, or even root-name servers. "

Attack methods can be divided into:

Bandwidth consumption type attacks (DDoS bandwidth consumption attacks can be divided into two different levels; flooding or amplification attacks. )

  • User Datagram Protocol ( UDP) Floods

  • ICMP floods

  • ping of Death ( Ping)

  • Tear drops attack

Resource consumption attacks

  • Protocol Analysis Attack ( SYN flood, SYN Flood)

  • Land attack

  • CC attack

  • Zombie cyber attack

  • application level floods (application flood attack)

If you summarize the type of attack, you will find that the main things are:

    • Application-level DDoS attacks

    • Protocol layer DDoS attacks (Udp/icmp/syn, etc.)

    • Magnitude DDoS attacks (botnet/cc, etc.)

The latter two, now most of the DDoS devices can be protected, but the application level of DDoS will be more troublesome, difficult to protect, the blog post introduced in the actual is a kind of attack, based on HTTP volume attack prevention, belonging to a large number of fast attack class There is a more common application attack called slow attack (slow HTTP DDOS), on the contrary, is slow connection, consumes all your resources, more famous such as Slowloris.

For the first, the rationale is to detect traffic and access frequency, and to block IP

For the second type, use Netstat to detect the connection state, and then add the attack address to the iptable, denying access

Today we introduce the second way of prevention tools, do not need us to write scripts, there is an open source software can help us to do, the software is called DOS Deflate, this software is a French god Zaf ([email protected ]) developed, the basic principle is described above. Use the CentOS6.5 seating demo environment in this article:

1. Prepare the catalogue:

$sudo mkdir-p/usr/local/src/


$sudo mkdir DDoS


2. Download DOS deflate software

$ sudo wget

650) this.width=650; "src=" Http:// "title=" 9install.png "alt=" Wkiol1y2hlsrw-fpaahgnifhuta310.jpg "/>

3. Installing the Software

650) this.width=650; "src=" Http:// "title=" 10installsoftware.png "alt=" Wkiom1y2hy7wrymaaaeulkcurck884.jpg "/>

4. After the installation is complete, the software needs to be further configured:

$ sudo vi/usr/local/ddos/ddos.conf

4.1 You need to check that the configuration path is consistent with your actual environment, and this test remains the same:

##### Paths of the script and other files

Progdir= "/usr/local/ddos"

Prog= "/usr/local/ddos/"

Ignore_ip_list= "/usr/local/ddos/ignore.ip.list"

cron= "/etc/cron.d/ddos.cron"

apf= "/etc/apf/apf"

ipt= "/sbin/iptables"

4.2 The value definition of the Freq parameter, the DDoS script time is executed once, using the Linux crontab service, which is performed 1 minutes by default:


4.3 No_of_connections is the definition you think, if it is a DDoS slow attack client, will establish how many connections to not your resources, the default is 150, I changed him to 70


The 4.4 DDOS deflate supports two types of firewall APF and iptables, and we use iptables in this test, so we change the value to 0:


4.6 Defines whether you use interactive mode to handle the attack IP, if the inverse selection of interaction, will only send you an email, we set to 1

##### kill=0 (Bad IPs is ' NT banned, good for interactive execution of script)

##### kill=1 (Recommended setting)


4.6 Email Notification Address:

email_to= "[Email protected]"

4.7 How long will this banned IP be closed, in seconds

##### number of seconds the banned IP should remain in blacklist.


5. After all the configuration is complete, we restart the service:

650) this.width=650; "src=" Http:// "title=" 11startservice.png "alt=" Wkiom1y2jfljcohdaaciiqtkey0507.jpg "/>

6. After the configuration is complete, we need to test the effect, light said not practice is not true Bashi Ah, DDoS attack tools are very many, common have the following:

    • Hoic (High Orbit Ion Canon)

    • LOIC (Low Orbit Ion Canon)

    • Xoic

    • R-u-dead-yet

    • Pyloris


    • GoldenEye HTTP denial of Service Tool

    • Slowloris HTTP Dos

Most of the downloads so far are not available, such as Hoic,slowloris, I found some can do test to share to everyone:

Slow Http test: &q=



This test demo, using the latter, can do slow attack

6.1 First check the status of the current iptables:

650) this.width=650; "src=" Http:// "title=" 12iptablespresent.png "alt=" Wkiom1y20bibslncaadmidw-ovc390.jpg "/>

You can see everything is OK, then just go down and prepare for the attack.

6.2 Configure the IP address you want to attack, set the number of attack connections, time and other information, start a slow attack

650) this.width=650; "src=" Http:// "title=" 13preparetoattack.png "alt=" Wkiom1y20fmttyz_aagdnadpcwo677.jpg "/>

650) this.width=650; "src=" Http:// "title=" 14slowattack.png "alt=" Wkiom1y20moceq4aaaeulh5o8po851.jpg "/>

6.3 We will remember that we set the attack detection time is 1 minutes, after an attack for a period of time, we monitor the status of Iptables, we can see that the IP address of the attack was detected, and banned:

650) this.width=650; "src=" "title=" 15.png "alt=" Wkiol1y20bgj1x0jaaeolryqfwy477.jpg "/>

6.4 Final attack blocked, unable to connect

650) this.width=650; "src=" "title=" 16.png "alt=" Wkiol1y20hbdd7ruaagjou-b5pa892.jpg "/>

You can see that this setting is very effective in preventing slow attacks, and you can try it out in a practical way.

Linux VM DDoS attack prevention on Azure: slow attack

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.