From vpsget wiki
Jump to: navigation, search


Show connections through eth0:

tcpdump -A -i eth0 -s 1500 port not 22

Show outgoing http connections from

tcpdump -An dst port http and src host
watch -n1 lsof -i TCP:80,443 -n

Dump packets to "mycap.pcap" file for analyzing with Wireshark or similar software:

tcpdump -s 0 port http -i eth0 -w mycap.pcap

To display how many http connections are open at the moment, enter:

netstat | grep http | wc -l


netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

You can perform simple

netstat -no

command and take a look how many SYN_RECV and TIME_WAIT active connection active to your server.

View SYN:

netstat -no | grep SYN

View statuses

netstat -tan | awk '{print $6}' | sort | uniq -c

Using ss in centos 7 :

ss -s


you can set the connection limits for IP with IPTables. Current setting will limit incoming connections for port 80 up to 3 per 1 ip

iptables  -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 3 -j DROP

Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Force Fragments packets check

iptables -A INPUT -f -j DROP

drop incoming malformed XMAS packets:

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Drop NULLED packets:

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Add the limitations to /etc/sysctl.conf

net.ipv4.tcp_max_syn_backlog = 4096     
net.ipv4.tcp_synack_retries = 2                

You can also use CSF firewall. Just set next parameter:


>>Also it;s a good idea to close all unused UDP port and allow only UDP to google DNS. >>If you are using apache httpd server you can install/enable mod_evasive and mod_secure - these modules also can help to prevent DDoS on apache.

>>You can also protect your server with configuring the nginx reverse proxy : http://wiki.vpsget.com/index.php/Nginx_Reverse_Proxy

>>fail2ban could be also used to block DDoSers IP addresses http://wiki.vpsget.com/index.php/Fail2ban


To test your server for vulnerability, you can use Backbox Linux, it has a various testing tools preinstalled.
For example, to test your domain for resistance to DDoS attacks you can use slowhttptest which is in Backbox installation. Example command:

slowhttptest -c 1000 -B -g -o output-file-name -i 100 -r 300 -s 10240 -u http://www.example.com/url/page.html -x 20

Another example"

slowhttptest -X -w 500 -k 10 -u http://example.com/ -c 10000 -v  -g -o testing

Now here are detailed options:

-a start start value of ranges-specifier for range header test
-b bytes limit of range-specifier for range header test
-c number of connections limited to 1024
-H, B, or R specify to slow down in headers section or in message body.
           -R enables range test
-g generate statistics in CSV and HTML formats, pattern is slow_xxx.csv/html,
  where xxx is the time and date
-i seconds interval between follow up data in seconds, per connection
-l seconds test duration in seconds
-o file custom output file path and/or name, effective if -g is specified
-r connections per second connection rate
-s bytes value of Content-Length header, if -B specified
-t verb custom verb to use
-u URL target URL, the same format you type in browser, e.g https://host:port/
-v level verbosity level of log 0-4
-x bytes max length of follow up data

You can also make tests with next nmap and hping2:

 nmap -v -f FIREWALL-IP
 nmap -v -sX FIREWALL-IP
 nmap -v -sN FIREWALL-IP
 hping2 -X FIREWALL-IP