How To Stop A DDOS Attack On Ubuntu


Hello everyone, how are you all doing today? I am doing great on this Friday night. It rained quite a bit here, which was much needed; we haven’t had rain here in at least 3 months despite being 2 months into the rainy season. Right now I am listening to some music on YouTube as usual, and on the other tab I am waiting to watch some NBA games: it’s the Cavaliers vs Pelicans, LeBron vs Anthony Davis. Good stuff lol, anyway please read on…

Today we highlight one of the most unfortunate events that happen to people and companies online: DDOS attacks. Anyone who has owned a web business or web site, or dealt with online servers for at least a few years, has probably experienced some sort of DDOS attack on their servers. Whether it is a Windows server or a Linux server makes no difference; both get targeted.

What Is A DDOS Attack?

DDOS (Distributed Denial Of Service) is an attempt to attack a host (the victim) from multiple compromised machines on various networks. As a result, the targeted service running on the victim is flooded with connections from the compromised networks and cannot handle them. This is accomplished by installing a virus or Trojan on vulnerable machines in a network, which are then used to hit the victim system with connection floods.

A DDOS attack involves 3 parties: the attacker, the helpers and the victim. The attacker is the system that owns the DDOS attack but participates silently, by turning the helpers into the active participants. The attacker finds vulnerable machines in a network and installs the virus/Trojan on them; using these compromised machines/networks, it attacks the victim. Because of this coordinated behaviour, a DDOS attack is also known as a co-ordinated attack.

Why Do People DDOS Servers?

Tough question to answer, because it has more than one answer. Some do it for fun, others do it to cause damage to a competitor or threat, and others do it for reasons that may never make sense to anyone but themselves. That’s just how it is. By the way, countries DDOS each other literally 24/7; as we type, governments are trying to exploit each other’s servers, and the likes of China and Russia are both involved in some sort of cyber proxy war with the US and Europe. Nothing new there. Let us begin the tutorial on how to protect your server against DDOS attacks.

How To Stop DDOS Server Attacks

APACHE BASED ATTACKS

Symptoms of the Apache DDOS or DOS attack:

  • Website(s) serve slowly
  • You notice hanging processes
  • Apache Top shows the same IP address repeatedly requesting a system resource
  • The system resource continues to multiplex, causing more processes to spawn
  • The command:
    • netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
  • shows more connections from a single source than you feel comfortable with.
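The connection-count pipeline above, run against a constructed netstat sample with a threshold check and a dry-run ban list. This is an added example, not code from the original post; the addresses, the threshold, and the `/sbin/iptables` path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the article's connection-count
# pipeline applied to a constructed `netstat -ntu` sample, with a threshold
# check and a dry-run ban list. All addresses below are constructed.

# Constructed sample of `netstat -ntu` output.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51237      SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.9:40000       ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.30:55000        ESTABLISHED
udp        0      0 10.0.0.5:53             203.0.113.9:40001       ESTABLISHED'

# The article's pipeline, reading netstat output from stdin. NR>2 skips the
# two header lines, which would otherwise show up as bogus "addresses".
count_by_source() {
    awk 'NR>2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
}

# Print only sources whose connection count is >= the threshold (default 3).
flag_sources() {
    count_by_source | awk -v t="${1:-3}" '$1 >= t {print $2}'
}

# For each flagged source, print the iptables rule that would drop it.
# Set APPLY=1 (as root) to execute the rules instead of printing them.
ban_rules() {
    flag_sources "$1" | while read -r ip; do
        if [ "${APPLY:-0}" = 1 ]; then
            /sbin/iptables -I INPUT -s "$ip" -j DROP
        else
            printf '%s\n' "/sbin/iptables -I INPUT -s $ip -j DROP"
        fi
    done
}

printf '%s\n' "$SAMPLE" | ban_rules 3
```

Before applying rules for real, exclude your own management address and any NAT gateway that legitimately fronts many users, since a single busy gateway can exceed a low threshold on its own.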

The end result:

  • Apache goes down
  • System load goes sky high
  • Server stops responding
  • You can’t SSH to the server node
  • You’ve lost connectivity completely and a reboot is mandatory in order to restore access to the system

Preventative Measures and Counter Measures:

  • Enable SYN COOKIES at the kernel level
    • echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  • Enable and Configure iptables to prevent the attack or at least work to identify the attack
    • /sbin/iptables -N syn-flood
    • /sbin/iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
    • /sbin/iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
    • /sbin/iptables -A syn-flood -j DROP
  • Install the APF firewall to work to identify risky behavior
    • APF stands for Advanced Policy Firewall. It’s a rock solid firewall that normally plays nice with iptables. You can grab the most recent copy here: https://www.rfxn.com/projects/
  • Install (D)DosDeflate
    • Great software, rock solid, and plays nice with either APF or iptables. Install and configure the service in seconds using the commands below. Edit the .conf file to use whichever flavour of firewall you’d like to integrate it with, set a few configuration settings and you’re done.
    • To Install (D)DosDeflate:
      • wget https://www.inetbase.com/scripts/ddos/install.sh
      • chmod 0700 install.sh
      • ./install.sh
    • If it doesn’t work out, it’s simple to uninstall too. To uninstall:
      • wget https://www.inetbase.com/scripts/ddos/uninstall.ddos
      • chmod 0700 uninstall.ddos
      • ./uninstall.ddos
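The syn-flood chain from the iptables steps above, with the one step those commands leave out: a jump from INPUT into the chain, without which the chain exists but is never consulted. This is an added example, not code from the original post; the rate and burst values follow the article, while the iptables path, the dry-run wrapper and the extra rate limit on the LOG rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the article's syn-flood chain
# plus the step it leaves out, the jump from INPUT into that chain. Without
# that jump the chain exists but is never consulted. Rate and burst follow
# the article; the iptables path and the dry-run wrapper are assumptions.
IPT=/sbin/iptables
RATE=100/second
BURST=150

# Print each command unless APPLY=1, in which case execute it (needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

syn_flood_rules() {
    run "$IPT" -N syn-flood
    # Under the limit: RETURN lets the packet continue through INPUT.
    run "$IPT" -A syn-flood -m limit --limit "$RATE" --limit-burst "$BURST" -j RETURN
    # Over the limit: log the excess (rate-limited so the log itself is not
    # flooded; this limit is an addition to the article's rule), then drop it.
    run "$IPT" -A syn-flood -m limit --limit 5/minute -j LOG --log-prefix "SYN flood: "
    run "$IPT" -A syn-flood -j DROP
    # The missing hook: route every new TCP SYN into the chain.
    run "$IPT" -I INPUT -p tcp --syn -j syn-flood
}

# Number of rules the plan emits in dry-run mode, for a sanity check.
rule_count() {
    syn_flood_rules | wc -l | tr -d ' '
}

syn_flood_rules
```

Run it once without APPLY to review the plan, then with APPLY=1 as root; `iptables -L syn-flood -v` afterwards shows the per-rule packet counters, which is how you confirm the chain is actually being hit.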

Preventing DDOS Attacks

DDOS attacks usually take place with the help of vulnerable systems, so it is always recommended to keep all of the server software and applications up to date. Also make sure that the system is protected with a firewall like APF or CSF. All systems should be monitored for rootkits with tools such as rkhunter or chkrootkit. You can also add sysctl protection by adding the following to /etc/sysctl.conf.

# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
