Difference between revisions of "DDoS"
Line 50: | Line 50: | ||
--------------- | --------------- | ||
<br> | <br> | ||
− | >>Also it;s a good idea to close all unused UDP port and allow only UDP to google DNS. | + | '''>>'''Also it;s a good idea to close all unused UDP port and allow only UDP to google DNS. |
− | >>If you are using apache httpd server you can install/enable mod_evasive and mod_secure - these modules also can help to prevent DDoS on apache. | + | '''>>'''If you are using apache httpd server you can install/enable '''mod_evasive''' and '''mod_secure''' - these modules also can help to prevent DDoS on apache. |
<br> | <br> | ||
--------------- | --------------- | ||
<br> | <br> | ||
− | >>You can also protect your server with configuring the nginx reverse proxy : http://wiki.vpsget.com/index.php/Nginx_Reverse_Proxy | + | '''>>'''You can also protect your server with configuring the '''nginx reverse proxy''' : http://wiki.vpsget.com/index.php/Nginx_Reverse_Proxy |
<br> | <br> | ||
--------------- | --------------- | ||
<br> | <br> | ||
− | ''>>'' | + | '''>>fail2ban''' could be also used to block DDoSers IP addresses http://wiki.vpsget.com/index.php/Fail2ban |
<br> | <br> | ||
<br> | <br> |
Revision as of 13:38, 15 April 2015
Diagnostic
To display how many http connections are open at the moment, enter:
netstat | grep http | wc -l
also
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
You can perform simple
netstat -no
command and take a look how many SYN_RECV and TIME_WAIT active connection active to your server.
View SYN:
netstat -no | grep SYN
Protection
you can set the connection limits for IP with IPTables.
Current setting will limit incoming connections for port 80 up to 3 per 1 ip
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 3 -j DROP
Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Force Fragments packets check
iptables -A INPUT -f -j DROP
drop incoming malformed XMAS packets:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop NULLED packets:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Add the limitations to /etc/sysctl.conf
net.ipv4.tcp_max_syn_backlog = 4096 net.ipv4.tcp_synack_retries = 2
You can also use CSF firewall.
Just set next parameter:
CT_LIMIT = 5
>>Also it;s a good idea to close all unused UDP port and allow only UDP to google DNS.
>>If you are using apache httpd server you can install/enable mod_evasive and mod_secure - these modules also can help to prevent DDoS on apache.
>>You can also protect your server with configuring the nginx reverse proxy : http://wiki.vpsget.com/index.php/Nginx_Reverse_Proxy
>>fail2ban could be also used to block DDoSers IP addresses http://wiki.vpsget.com/index.php/Fail2ban
_________________
Testing
To test your server for vulnerability, you can use Backbox Linux, it has a various testing tools preinstalled.
For example, to test your domain for resistance to DDoS attacks you can use slowhttptest which is in Backbox installation. Example command:
slowhttptest -c 1000 -B -g -o output-file-name -i 100 -r 300 -s 10240 -u http://www.example.com/url/page.html -x 20
Now here are detailed options:
-a start start value of ranges-specifier for range header test -b bytes limit of range-specifier for range header test -c number of connections limited to 1024 -H, B, or R specify to slow down in headers section or in message body. -R enables range test -g generate statistics in CSV and HTML formats, pattern is slow_xxx.csv/html, where xxx is the time and date -i seconds interval between follow up data in seconds, per connection -l seconds test duration in seconds -o file custom output file path and/or name, effective if -g is specified -r connections per second connection rate -s bytes value of Content-Length header, if -B specified -t verb custom verb to use -u URL target URL, the same format you type in browser, e.g https://host:port/ -v level verbosity level of log 0-4 -x bytes max length of follow up data
You can also make tests with next nmap and hping2:
nmap -v -f FIREWALL-IP nmap -v -sX FIREWALL-IP nmap -v -sN FIREWALL-IP hping2 -X FIREWALL-IP