DDoS
Diagnostic
To display how many http connections are open at the moment, enter:
netstat | grep http | wc -l
also
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
You can perform simple
netstat -no
command and take a look how many SYN_RECV and TIME_WAIT active connection active to your server.
View SYN:
netstat -no | grep SYN
Protection
you can set the connection limits for IP with IPTables.
Current setting will limit incoming connections for port 80 up to 3 per 1 ip
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 3 -j DROP
Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Force Fragments packets check
iptables -A INPUT -f -j DROP
drop incoming malformed XMAS packets:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop NULLED packets:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Add the limitations to /etc/sysctl.conf
net.ipv4.tcp_max_syn_backlog = 4096 net.ipv4.tcp_synack_retries = 2
You can also use CSF firewall.
Just set next parameter:
CT_LIMIT = 5
>>Also it;s a good idea to close all unused UDP port and allow only UDP to google DNS.
>>If you are using apache httpd server you can install/enable mod_evasive and mod_secure - these modules also can help to prevent DDoS on apache.
>>You can also protect your server with configuring the nginx reverse proxy : http://wiki.vpsget.com/index.php/Nginx_Reverse_Proxy
>>fail2ban could be also used to block DDoSers IP addresses http://wiki.vpsget.com/index.php/Fail2ban
_________________
Testing
To test your server for vulnerability, you can use Backbox Linux, it has a various testing tools preinstalled.
For example, to test your domain for resistance to DDoS attacks you can use slowhttptest which is in Backbox installation. Example command:
slowhttptest -c 1000 -B -g -o output-file-name -i 100 -r 300 -s 10240 -u http://www.example.com/url/page.html -x 20
Another example"
slowhttptest -X -w 500 -k 10 -u http://example.com/ -c 10000 -v -g -o testing
Now here are detailed options:
-a start start value of ranges-specifier for range header test -b bytes limit of range-specifier for range header test -c number of connections limited to 1024 -H, B, or R specify to slow down in headers section or in message body. -R enables range test -g generate statistics in CSV and HTML formats, pattern is slow_xxx.csv/html, where xxx is the time and date -i seconds interval between follow up data in seconds, per connection -l seconds test duration in seconds -o file custom output file path and/or name, effective if -g is specified -r connections per second connection rate -s bytes value of Content-Length header, if -B specified -t verb custom verb to use -u URL target URL, the same format you type in browser, e.g https://host:port/ -v level verbosity level of log 0-4 -x bytes max length of follow up data
You can also make tests with next nmap and hping2:
nmap -v -f FIREWALL-IP nmap -v -sX FIREWALL-IP nmap -v -sN FIREWALL-IP hping2 -X FIREWALL-IP