Wednesday, April 3, 2013

Finding DDoS attacks

Below are some useful netstat commands to run while a DDoS attack is in progress.

To list the connections to the target IPs (the server's own IPs), use the command below:

netstat -alpn | grep :80 | awk '{print $4}' |awk -F: '{print $(NF-1)}' |sort |uniq -c | sort -n

To list the connections per source IP, use the command below:

netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort |uniq -c | sort -n

Block the IPs with an unusually high connection count in the output above using the CSF or APF firewall:

csf -d IP

apf -d IP

To count the connections to port 80 by TCP state, use the command below:

netstat -an|grep ":80"|awk '/tcp/ {print $6}'|sort| uniq -c

A sample output would look like:
root@myloth [~]# netstat -an|grep ":80"|awk '/tcp/ {print $6}'|sort| uniq -c
      2 CLOSE_WAIT
      4 LISTEN
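The three netstat pipelines above, rewritten as shell functions that read `netstat -an` output from standard input, so they can be run against a live host or a saved capture, and with a threshold step that turns the per-IP counts into the list of candidates for `csf -d` / `apf -d`. This is an added example and not code from the original post; the netstat lines it runs on are constructed (documentation addresses, not a real capture), and the threshold value is an arbitrary choice for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): the post's netstat | awk | sort |
# uniq counting wrapped in functions that read `netstat -an` output from stdin.

# Constructed sample of `netstat -an` output for a web server at 203.0.113.10
# (not a real capture). 198.51.100.7 holds several half-open (SYN_RECV)
# connections, the pattern of a SYN flood from one source.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51237      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51238      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        TIME_WAIT
tcp        0      0 203.0.113.10:22         192.0.2.9:55000         ESTABLISHED'

# Connections to local port $1 (default 80) per remote IP, busiest last.
# The remote IP is the second-to-last ":"-separated field of the foreign
# address (field 5), the same trick as the post's awk -F: '{print $(NF-1)}';
# it also works for IPv6-mapped addresses such as ::ffff:192.0.2.1:1234.
count_by_remote_ip() {
    port="${1:-80}"
    awk -v port="$port" '$1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 != "LISTEN" {
            n = split($5, a, ":"); count[a[n-1]]++
        }
        END { for (ip in count) print count[ip], ip }' | sort -n
}

# Connections to local port $1 (default 80) per TCP state, like the post's
# awk '/tcp/ {print $6}' | sort | uniq -c.
count_by_state() {
    port="${1:-80}"
    awk -v port="$port" '$1 ~ /^tcp/ && $4 ~ (":" port "$") { state[$6]++ }
        END { for (s in state) print state[s], s }' | sort -k2
}

# Remote IPs holding at least $1 connections to port $2 (default 80): the
# candidates the post blocks with `csf -d IP` or `apf -d IP`. Review the list
# before blocking; a busy proxy or NAT gateway can legitimately exceed it.
flag_remote_ips() {
    threshold="$1"; port="${2:-80}"
    count_by_remote_ip "$port" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Demonstration on the constructed sample. On a live host replace the printf
# with `netstat -an`, e.g.  netstat -an | flag_remote_ips 100
echo "--- connections per remote IP (port 80) ---"
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_ip
echo "--- connections per state (port 80) ---"
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_state
echo "--- IPs with 5 or more connections (block candidates) ---"
printf '%s\n' "$SAMPLE_NETSTAT" | flag_remote_ips 5
```

The threshold is deliberately a parameter: what counts as "high" depends on the site, and a single IP with many ESTABLISHED connections may be a large office behind NAT rather than an attacker, so the per-state breakdown (many SYN_RECV from one source) is worth checking before the IP goes into the firewall.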

Install necessary modules

You can also use tcpdump to identify the attacking hosts:

tcpdump -v -n -i ethX -p host IP_Address

where X is usually 0 or 1. On a VPS the interface may be venet0 instead; check the output of ifconfig.

Try installing the Apache modules below to mitigate the attack.

Enable anti-DoS for APF

Tweaking the kernel

To mitigate SYN floods, change the kernel parameters below:

sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv=45

sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=332000

sysctl -w net.ipv4.tcp_fin_timeout=15

sysctl -w net.ipv4.tcp_synack_retries=5

sysctl -w net.ipv4.tcp_keepalive_time=1500

sysctl -w net.ipv4.tcp_sack=0

sysctl -w net.ipv4.tcp_max_tw_buckets=1440000

sysctl -w net.ipv4.tcp_max_syn_backlog=2048

sysctl -w net.ipv4.tcp_max_syn_backlog=4096

Also increase Apache's MaxClients limit to 500

Further sysctl tweaks

Original (default) values are shown in parentheses.

net.ipv4.tcp_fin_timeout=20 (30)
net.ipv4.tcp_keepalive_time=1800 (3600)
net.ipv4.tcp_keepalive_intvl=40 (75)
net.ipv4.tcp_tw_recycle=1 (0)
net.ipv4.tcp_tw_reuse=1 (0)
net.ipv4.tcp_max_syn_backlog=4096 (2048)

Below are some recommended sysctl tweaks for a combined web server and database server:
net.ipv4.inet_peer_gc_maxtime = 240 (120)
net.ipv4.inet_peer_maxttl = 500 (600)
net.ipv4.inet_peer_minttl = 80 (120)
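The `sysctl -w` calls in the lists above take effect immediately but are lost at reboot, and a key that does not exist on the running kernel fails silently in a long list. The script below, an added example that is not part of the original post, writes the SYN-flood settings from the first list into a sysctl.d drop-in and then compares every intended value with what the kernel reports, so drift or a missing key shows up as an explicit mismatch line. The drop-in file name is a hypothetical choice, and the "stock kernel" values it checks against offline are constructed rather than captured from a real host. The same pattern applies to the "Further sysctl tweaks" list; note that `net.ipv4.tcp_tw_recycle` from that list breaks connections from clients behind NAT and was removed in Linux 4.12, so on a current kernel the check would report it as a missing key.

```shell
#!/bin/sh
# Added example (not from the original post): persist the post's SYN-flood
# tuning in a sysctl.d drop-in and check the live kernel against it.

# Intended values from the post's first list. Its duplicated tcp_fin_timeout
# line is collapsed and the later tcp_max_syn_backlog value (4096) is kept,
# which is what running the post's commands in order leaves behind.
SYN_FLOOD_SETTINGS='net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv=45
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=332000
net.ipv4.tcp_fin_timeout=15
net.ipv4.tcp_synack_retries=5
net.ipv4.tcp_keepalive_time=1500
net.ipv4.tcp_sack=0
net.ipv4.tcp_max_tw_buckets=1440000
net.ipv4.tcp_max_syn_backlog=4096'

# Write the settings to a drop-in file. The real target would be something
# like /etc/sysctl.d/60-synflood.conf (hypothetical name); apply it with
# `sysctl --system` or at the next boot.
write_sysctl_dropin() {
    printf '# SYN-flood tuning, managed by hand\n%s\n' "$SYN_FLOOD_SETTINGS" > "$1"
}

# Compare every intended key with the live value. $1 is the command used to
# read a key (default `sysctl -n`); a shell function can be passed instead for
# offline use. Prints one "key want=.. got=.." line per mismatch and nothing
# when everything matches, so the output doubles as a monitoring check.
check_sysctl_drift() {
    reader="${1:-sysctl -n}"
    printf '%s\n' "$SYN_FLOOD_SETTINGS" | while IFS='=' read -r key want; do
        got=$($reader "$key" 2>/dev/null) || got='(no such key)'
        [ "$got" = "$want" ] || printf '%s want=%s got=%s\n' "$key" "$want" "$got"
    done
}

# Constructed stand-in for `sysctl -n` with typical stock values (not captured
# from a real host). The legacy ip_conntrack keys are absent, as they are on
# kernels without the old ip_conntrack module, so the reader fails for them.
fake_sysctl_n() {
    case "$1" in
        net.ipv4.tcp_fin_timeout)      echo 60 ;;
        net.ipv4.tcp_synack_retries)   echo 5 ;;
        net.ipv4.tcp_keepalive_time)   echo 7200 ;;
        net.ipv4.tcp_sack)             echo 1 ;;
        net.ipv4.tcp_max_tw_buckets)   echo 1440000 ;;
        net.ipv4.tcp_max_syn_backlog)  echo 2048 ;;
        *) return 1 ;;
    esac
}

# Demonstration against the constructed values. On a real host run
# `check_sysctl_drift` with no argument after applying the drop-in.
dropin="${TMPDIR:-/tmp}/60-synflood.conf.example"
write_sysctl_dropin "$dropin"
echo "wrote $dropin"
check_sysctl_drift fake_sysctl_n
```

Against the constructed stock values the check reports six mismatches: the two ip_conntrack keys as missing, and tcp_fin_timeout, tcp_keepalive_time, tcp_sack and tcp_max_syn_backlog as differing; tcp_synack_retries and tcp_max_tw_buckets already match and produce no line.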
