
How to Stop DDoS Attack on Linux Server


There are many tools and methods available to stop distributed attacks on Linux servers. A good and reputable web hosting provider should offer DDoS protected server plans with special load balancers, firewalls and advanced DDoS protection tools by default. However, due to the nature of distributed attacks, you may have to implement different techniques to protect the server.

The easiest way to limit a DDoS attack on your server is to null route any IP address that has more than a predefined number of connections to your server. For that, you can create a bash script with the following content:


#!/bin/bash

# Null route an IP after more than "max" connections:
# column 5 of "netstat -an" is the foreign address; strip the port, skip the
# 0.0.0.0 wildcard of listening sockets and count connections per remote IP.

netstat -an | awk -vmax=14 '/tcp/{split($5,a,":"); if(a[1] ~ /^[0-9.]+$/ && a[1]!="0.0.0.0"){c[a[1]]++}} END{for(ip in c){if(c[ip]>max){print ip}}}' | while read -r ip; do route add "$ip" gw 127.0.0.1 lo; done

Here -vmax=14 is the number of simultaneous connections an IP may have established to the server before it is null routed, 14 in this example.
Name this file "DDOSFirewall.sh" and place it in the /root folder of your server. Make the file executable with the following SSH command:

# chmod +x DDOSFirewall.sh

After that, create a cron job that runs the file every 5 minutes by adding the following line to the file /var/spool/cron/root:

*/5 * * * * /bin/bash /root/DDOSFirewall.sh

If for some reason the script blocks a legitimate IP address, you can easily unblock it with the following SSH command:

# route delete 123.123.123.123 gw 127.0.0.1 lo

Replace 123.123.123.123 with the actual blocked IP address.

Note that null routed IP addresses will be automatically unblocked if you reboot the server.

You can also accomplish the same thing with iptables instead of null routing the IP. For that, replace the content of the DDOSFirewall.sh file with the following:

#!/bin/bash
# Drop an IP after more than "max" connections; the iptables -C check avoids
# inserting a duplicate DROP rule each time cron runs the script.
netstat -an | awk -vmax=250 '/tcp/{split($5,a,":"); if(a[1] ~ /^[0-9.]+$/ && a[1]!="0.0.0.0"){c[a[1]]++}} END{for(ip in c){if(c[ip]>max){print ip}}}' | while read -r ip; do iptables -C INPUT -s "$ip" -j DROP 2>/dev/null || iptables -I INPUT 1 -s "$ip" -j DROP; done

Here -vmax=250 is the number of simultaneous connections an IP may have established to the server before it is dropped, 250 in this example. Adjust the -vmax setting according to your server configuration and the number of connections you allow from each IP, and make the file executable as described above.
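The following is an added example, not the post's own DDOSFirewall.sh. It reproduces the per-IP counting logic of both scripts above on a constructed netstat sample, and adds what a practitioner would want before running this from cron: an allowlist (assumed name NEVER_BLOCK) so management hosts are never blocked, a dotted-quad filter that ignores wildcard and IPv6 entries, and a dry-run mode that only prints what would be blocked.

```bash
#!/bin/bash
# Added example, not the original post's script. Same counting logic as
# DDOSFirewall.sh, plus an allowlist, an IPv4-only filter and a dry run.

# Assumed allowlist: hosts that must never be blocked (constructed values).
NEVER_BLOCK="127.0.0.1 198.51.100.7"

# Constructed "netstat -an" output: 203.0.113.5 holds 4 connections,
# 198.51.100.7 (allowlisted) holds 3, 192.0.2.9 holds 1.
SAMPLE='tcp        0      0 10.0.0.1:80     0.0.0.0:*            LISTEN
tcp6       0      0 :::443          :::*                 LISTEN
tcp        0      0 10.0.0.1:80     203.0.113.5:51000    ESTABLISHED
tcp        0      0 10.0.0.1:80     203.0.113.5:51001    ESTABLISHED
tcp        0      0 10.0.0.1:80     203.0.113.5:51002    TIME_WAIT
tcp        0      0 10.0.0.1:80     203.0.113.5:51003    ESTABLISHED
tcp        0      0 10.0.0.1:443    198.51.100.7:44000   ESTABLISHED
tcp        0      0 10.0.0.1:443    198.51.100.7:44001   ESTABLISHED
tcp        0      0 10.0.0.1:443    198.51.100.7:44002   ESTABLISHED
tcp        0      0 10.0.0.1:22     192.0.2.9:60000      ESTABLISHED'

# offenders MAX < netstat-output: print remote IPv4 addresses holding more
# than MAX TCP connections, one per line, sorted.
offenders() {
  awk -v max="$1" -v skip="$NEVER_BLOCK" '
    BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) allow[s[i]] = 1 }
    /^tcp/ {
      split($5, a, ":")                       # foreign address is column 5
      ip = a[1]
      # keep only dotted-quad IPv4; drops "*", IPv6 fragments and the wildcard
      if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || ip == "0.0.0.0") next
      if (ip in allow) next
      c[ip]++
    }
    END { for (ip in c) if (c[ip] > max) print ip }' | sort
}

# block_ip IP: insert a DROP rule once; the -C check stops cron from
# stacking a duplicate rule on every run.
block_ip() {
  iptables -C INPUT -s "$1" -j DROP 2>/dev/null || iptables -I INPUT 1 -s "$1" -j DROP
}

# Demo against the constructed sample; DRY_RUN=0 applies real rules (needs root).
DRY_RUN="${DRY_RUN:-1}"
printf '%s\n' "$SAMPLE" | offenders 3 | while read -r ip; do
  if [ "$DRY_RUN" = 1 ]; then echo "would block $ip"; else block_ip "$ip"; fi
done
```

Replace SAMPLE with the real `netstat -an` output and set DRY_RUN=0 once the threshold and allowlist are right for your server.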

While these methods help prevent your server from being overloaded, it is advisable to use DDoS protected VPS hosting delivered straight from the datacenter.


Published on: 05-09-2023
