How can we check server is under DDOS attack or not ? What measures to overcome DDOS attack ?

How can we check server is under DDOS attack or not ? What measures to overcome DDOS attack ?

Being a server admin the biggest fear is DDOS attack on server. Today we will learn about DDOS attack, how to identify it and overcome it.
For server admins this article will be really helpful. First we will learn what is DDOS attack.

What is DDOS attack ?
DDOS means "Distributed Denial of Service" attack. DDOS is a type of DOS attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system causing a Denial of Service (DoS) attack.

How to check it ?
You can simply run a netstat command to check connections with the server :
# netstat -ant | awk '{print $6}' | sort | uniq -c | sort -n
It will give you output like this :

1 established)
1 FIN_WAIT2
1 Foreign
2 FIN_WAIT1
2 LAST_ACK
3 CLOSING
4 SYN_RECV
42 LISTEN
60 ESTABLISHED
126 TIME_WAIT
Here,

1. FIN_WAIT – The socket is closed, and the connection is shutting down.
2. LAST_ACK – The remote end has shut down, and the socket is closed. Waiting for acknowledgement.
3. LISTEN – The socket is listening for incoming connections.
4. ESTABLISHED – This will be legitimate connections established to the server
5. TIME_WAIT – The socket is waiting after close to handle packets still in the network.
6. SYN_SENT – The client will be actively attempting to establish a connection.
7. SYN_RECV – A connection request has been received from the network.

If you found number of connections in SYN_SENT, TIME_WAIT, FIN_WAIT, SYN_RECV are very large in the rate of thousands then it is sure that server is under attack.

Now, the question arises that how can we stop this attack. So now we will learn how to overcome this kind of situation.

Measures to overcome DDOS attack :

Kindly follow the below given steps.

1). First of all we have to tweak the values of SYN_SENT, TIME_WAIT, FIN_WAIT, SYN_RECV in the file "/etc/sysctl.conf".
2). Change the below given value in file "/etc/sysctl.conf".

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 3

# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
3). Now, execute this command.
# sysctl -p
Now, we have to find out whether attack is done from any particular IP or from large number of IP's from different address of compromised servers.
If it is done from some particular IP's then we can blacklist those IP's in our server Firewall. But, if it is from different address of compromised servers then we have to follow some more steps to stop the attack.

we have to check whether attack is done on which particular port. To check it we can run the command (suppose we are having large request on socket SYN_RECV)

# netstat -lpan | grep SYN_RECV | awk ‘{print $4}’ | cut -d: -f2 | sort | uniq -c | sort -nk 1
It will result you the number of connecctions and the port opened in the server. If the second field indicates port 80 then it is clear that the attack is on Apache port.
We can also run this command to check DOS attack on particular port.

# tcpdump -nn -tttt -i any port 80 //You can use another port also to test.
Now we have to do some changes in Apache setting.
4). Increase the MaxClients limit to maximum so that Apache could prevent reaching it's limit.
5). Set Set KeepAlive on to set the KeepAliveTimeout.
6). KeepAliveTimeout value to be reduced to 3 or 5.

MaxClients 500
KeepAlive On
KeepAliveTimeout 3

# /etc/init.d/httpd restart
Once you have confirmed with the port then you have to check on which domain or IP attack is done. For this you can run this command.

# netstat -lpan | grep SYN_RECV | awk ‘{print $4}’ | cut -d: -f1 | sort | uniq -c | sort -nk 1
After being confirm about the attack we have to find out whether the attack is done on a particular domain in that IP or IP as a whole. For which we can check Apache error logs on server. If in the logs you find attack is on a particular domain than you can follow the below given steps to secure it.

7). You can block the connections to the domain using Mod_Security.

8). Due to DDOS attack there will be large number of attempts and blocking them can cause server load. So we have to uncheck Mod_Security in lfd so that server do not go down.

9). Restart CSF after making changes.
10). After that add this rule in Mod_Security config file :
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer “domain-name\.com”
11). To block access to the port 80 of the domain add this rule to csf.conf file :
iptables -I INPUT -p tcp –dport 80 -m string –string “domain-name.com” –algo bm -j DROP
Author
bhawanisingh
Views
3,464
First release
Last update
Rating
0.00 star(s) 0 ratings
Top