Wednesday, April 3, 2013

Finding DDoS attacks

Below are some netstat commands that are useful while a DDoS attack is in progress. Run them as root so that -p can show the owning process.

To count the connections per local (target) address, i.e. which of the server's IPs is being hit on port 80, use:

# column 4 is the local address; strip the trailing ":port" and count per IP
# (grep ':80 ' rather than :80 so that :8080 and :8000 are not counted as well;
# LISTEN sockets show up as 0.0.0.0 or :: and can be ignored)
netstat -alpn | grep ':80 ' | awk '{print $4}' | awk -F: '{print $(NF-1)}' | sort | uniq -c | sort -n

To count the connections per source (remote) IP, which is the list to look at when hunting for abusive sources, use:

# column 5 is the foreign address; the busiest sources end up at the bottom
netstat -alpn | grep ':80 ' | awk '{print $5}' | awk -F: '{print $(NF-1)}' | sort | uniq -c | sort -n

Block the source IPs with an abnormally high connection count using CSF or APF. Before blocking, check that a busy address is not a NAT gateway, proxy or monitoring host that many legitimate users sit behind, and keep in mind that per-IP blocking only helps while the attack comes from a manageable number of sources.

csf -d IP

apf -d IP

To count the port-80 connections by TCP state (a pile of SYN_RECV points to a SYN flood, a pile of ESTABLISHED or CLOSE_WAIT to a connection-exhaustion attack) use:

netstat -an | grep ":80" | awk '/tcp/ {print $6}' | sort | uniq -c

A sample output would look like:

root@myloth [~]# netstat -an|grep ":80"|awk '/tcp/ {print $6}'|sort| uniq -c
      2 CLOSE_WAIT
      1 ESTABLISHED
      4 LISTEN
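As an added example that is not part of the original post, the script below turns the two per-address netstat one-liners above into functions that can be run against a saved netstat dump and tested. It goes slightly beyond the one-liners: it matches the port exactly (so :80 does not also pick up :8080), skips LISTEN sockets, and handles IPv4-mapped IPv6 addresses of the form ::ffff:a.b.c.d:port. The netstat lines in it are constructed sample data, and the threshold of 3 is an assumed cut-off for the demo; a real flood shows far higher counts.

```bash
#!/bin/sh
# Added example, not from the original post: count connections per remote IP
# from netstat-style output and flag the sources above a threshold.

# Constructed sample in the layout of `netstat -antp`
# (Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV    -
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV    -
tcp        0      0 203.0.113.10:80         198.51.100.7:51237      SYN_RECV    -
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:8080       192.0.2.99:40002        ESTABLISHED 4321/java
tcp6       0      0 ::ffff:203.0.113.10:80  ::ffff:192.0.2.55:4000  ESTABLISHED 1234/httpd
tcp6       0      0 ::ffff:203.0.113.10:80  ::ffff:192.0.2.55:4001  TIME_WAIT   -'

# count_by_source PORT: read netstat output on stdin and print "COUNT IP" for
# every remote address with at least one non-LISTEN connection to local port
# PORT, busiest first.
count_by_source() {
    port="$1"
    awk -v port="$port" '
        /^tcp/ && $6 != "LISTEN" {
            # local address must end in ":PORT" exactly, so :80 does not match :8080
            if ($4 !~ (":" port "$")) next
            # remote address: the field before the last ":" is the IP, which works
            # for a.b.c.d:p as well as for IPv4-mapped IPv6 ::ffff:a.b.c.d:p
            n = split($5, f, ":")
            count[f[n-1]]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# flag_sources PORT THRESHOLD: print only the IPs whose count reaches THRESHOLD,
# one per line, ready to feed to `csf -d` or `apf -d`.
flag_sources() {
    count_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone demo on the constructed sample (on a live box pipe in `netstat -antp`):
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_source 80
printf '%s\n' "$SAMPLE_NETSTAT" | flag_sources 80 3
```

On the sample, count_by_source 80 reports 4 connections from 198.51.100.7, 2 from 192.0.2.55 and 1 from 192.0.2.44; the :8080 line and the LISTEN line are ignored, and flag_sources 80 3 prints only 198.51.100.7.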


Identifying the attacker with tcpdump

You can use tcpdump to identify the attacker too:

# -n: no DNS lookups, -p: leave the interface out of promiscuous mode, -v: verbose headers
tcpdump -v -n -i ethX -p host IP_Address

where ethX is the interface that carries the traffic, usually eth0 or eth1; on a VPS it can be venet0. Check the output of ifconfig (or ip link) for the interface names. Replace IP_Address with one of the busy source addresses from the netstat counts above to see what that host is actually sending, or drop the host filter and use port 80 instead to watch all web traffic.



Install necessary modules

Try installing the tools below to mitigate the attack (DOS-Deflate is a shell script that watches netstat and blocks abusive IPs through APF or CSF; the other two are Apache modules):

DOS-Deflate
mod_security
mod_dosevasive (now distributed as mod_evasive)
Enable the anti-DoS option in APF's configuration

Tweaking the kernel

To make the server more resistant to SYN floods, change the kernel parameters below. The two conntrack keys use their old names; on current kernels the same settings are net.netfilter.nf_conntrack_tcp_timeout_syn_recv and net.netfilter.nf_conntrack_tcp_timeout_established. Make sure net.ipv4.tcp_syncookies is set to 1 as well, since SYN cookies are the kernel's own defence against SYN-backlog exhaustion.

sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv=45

sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=332000

sysctl -w net.ipv4.tcp_fin_timeout=15

sysctl -w net.ipv4.tcp_synack_retries=5

sysctl -w net.ipv4.tcp_keepalive_time=1500

sysctl -w net.ipv4.tcp_sack=0

sysctl -w net.ipv4.tcp_max_tw_buckets=1440000

sysctl -w net.ipv4.tcp_max_syn_backlog=4096

tcp_synack_retries=5 is the kernel default; lowering it (for example to 2 or 3) is what shortens the life of half-open connections. Settings made with sysctl -w are lost at reboot, so put the same key=value lines in /etc/sysctl.conf to make them persistent.

Also increase Apache's MaxClients limit to 500, but only if the machine has the RAM for that many Apache children; otherwise the extra children push the box into swap and the attacker gets the outage for free.


Further sysctl tweaks

Original values inside ()

net.ipv4.tcp_fin_timeout=20 (30)
net.ipv4.tcp_keepalive_time=1800 (3600)
net.ipv4.tcp_keepalive_intvl=40 (75)
net.ipv4.tcp_tw_recycle=1 (0)
net.ipv4.tcp_tw_reuse=1 (0)
net.ipv4.tcp_max_syn_backlog=4096 (2048)

Skip the tcp_tw_recycle line: it drops connections from clients that share a public IP behind NAT, and the knob was removed from the kernel in Linux 4.12. tcp_tw_reuse is the safe one of the pair and is enough to recycle TIME_WAIT sockets for outgoing connections.


Below are some recommended sysctl tweaks for a combined web server + database server, original values inside (). The inet_peer keys are not present on every kernel, so check sysctl -a for them before adding them to /etc/sysctl.conf.

net.ipv4.inet_peer_gc_maxtime = 240 (120)
net.ipv4.inet_peer_maxttl = 500 (600)
net.ipv4.inet_peer_minttl = 80 (120)
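To make the "Tweaking the kernel" and "Further sysctl tweaks" sections checkable rather than blindly re-applied, here is an added example (not from the original post) that compares a sysctl dump against a desired baseline and reports which keys drift or are missing. The baseline is an assumed subset of the values above plus net.ipv4.tcp_syncookies=1; the "current" dump is constructed sample data standing in for the output of sysctl -a, and one key is deliberately left out of it to exercise the missing-key branch.

```bash
#!/bin/sh
# Added example, not from the original post: audit kernel sysctls against a
# baseline and report drift, so that the tweaks above can be verified.

# Desired baseline (assumed subset of the post's values plus tcp_syncookies),
# one key=value per line, no spaces.
BASELINE='net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096
net.ipv4.tcp_synack_retries=5
net.ipv4.tcp_fin_timeout=15
net.ipv4.tcp_keepalive_time=1500
net.ipv4.tcp_tw_reuse=1'

# Constructed stand-in for `sysctl -a` output ("key = value" lines).
# net.ipv4.tcp_keepalive_time is left out on purpose.
CURRENT_SAMPLE='net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_tw_reuse = 2'

# check_sysctl: reads a sysctl dump on stdin and compares it with $BASELINE.
# Prints one line per baseline key: OK, DRIFT (current -> wanted) or ABSENT.
# Returns 0 when every key matches, 1 otherwise.
check_sysctl() {
    awk -v base="$BASELINE" '
        BEGIN {
            # remember the baseline keys in order, and the wanted value per key
            nb = split(base, blines, "\n")
            for (i = 1; i <= nb; i++) {
                split(blines[i], kv, "=")
                keys[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        # dump lines look like "key = value"; keep the current value per key
        /=/ { if (split($0, kv, / *= */) == 2) have[kv[1]] = kv[2] }
        END {
            bad = 0
            for (i = 1; i <= nb; i++) {
                k = keys[i]
                if (!(k in have))            { print "ABSENT " k; bad++ }
                else if (have[k] != want[k]) { print "DRIFT  " k " " have[k] " -> " want[k]; bad++ }
                else                         { print "OK     " k }
            }
            exit bad ? 1 : 0
        }
    '
}

# Stand-alone demo on the constructed dump; on a live box use:
#   sysctl -a 2>/dev/null | check_sysctl
printf '%s\n' "$CURRENT_SAMPLE" | check_sysctl || echo "baseline not met"
```

On the sample the report shows tcp_syncookies and tcp_synack_retries as OK, tcp_max_syn_backlog, tcp_fin_timeout and tcp_tw_reuse as DRIFT, tcp_keepalive_time as ABSENT, and the function returns 1, which makes it usable as a check in a cron job or a deployment script.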
