Knowledgebase:
How to protect yourself against DoS/DDoS attacks
Posted by Chris E, Last modified by on 01 March 2010 02:34 PM

What isa DoS/DDoS Attack?
---------------------------------

A Denial of Service attack is one of the most simple forms of attack you will encounter when managing a system with an internet connection. The most common type of denial of service attack, is a web based denial of service attack against your webserver. The aim is simply to flood your server with requests until either it crashes, or the network port is saturated to the point where nothing else gets through.

One very important point which people often don't grasp, is that if your server is being flooded (Whether its useless traffic or a high number of packets), you cant mitigate this on a software firewall unless the attack is less than your connection speed. Even if you were to drop the malicious traffic on your server, there is still no room in the "pipe" to get the legitimate data through. This is where a hardware firewall or proxy system is required.

How do I know when I am under attack?
----------------------------------------------

There are a couple of things you may notice when under a Denial of Service attack.

1. Packet loss or increased latency
2. High server load

Check how many connections are being made to your server by IP address. To do this you can use the following:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Chances are if there are IP's listed with 100+ connections to your server, it might be someone upto no good.

How can I ban IPs on my server?
--------------------------------------

Banning IP's is very simple, use the following.

If you have the APF firewall installed:
apf -d xx.xx.xx.xx

If you have the CSF firewall installed:
csf -d xx.xx.xx.xx

If you are just using iptables and don't have APF or CSF installed, use:
iptables -I INPUT 1 -s -j DROP xx.xx.xx.xx

Additional Protection
-----------------------

If you are reguarly suffering from denial of service attacks, a few things you can do are

1. Install a firewall and bruteforce detection agent e.g. APF/BFD or CSF/LFD
2. Install Dos_Deflate to help detect and migitate such attacks
3. Limit the number of connections your server can handle + make sure it can handle that amount of load with stability

(595 vote(s))
Helpful
Not helpful