
Author Topic: HOW TO PROTECT YOUR SERVER FROM DDOS ATTACK MANUALLY  (Read 1033 times)


joseletk

HOW TO PROTECT YOUR SERVER FROM DDOS ATTACK MANUALLY
« on: July 11, 2018, 12:38:05 pm »
WHAT IS A DDOS ATTACK?

In the cyber world, a denial of service attack is an attempt to make a computer or network resource unavailable to its intended users. A distributed denial of service (DDoS) attack is a variant of such an attack that employs two or more attacking computers from different sources to overwhelm the target with bogus traffic. The common motivations behind a DDoS attack are extortion, disruption of a competitor's reputation, hacktivism, etc. Basically, a DDoS attack attempts to consume both the network bandwidth and the server resources of the targeted organisation. A large-scale DDoS attack is often performed by botnets, which can co-opt numerous infected computers, usually spread across different points around the world, to unwittingly participate in the attack.

HOW TO DETECT A DDOS ATTACK?
Monitor internal network traffic and usage of server resources, such as Domain Name Server (DNS) and web server, to detect early traffic spikes and abnormal utilisation of system resources.

Work with Internet Service Providers (ISPs) or security service providers to monitor your Internet traffic at their operation centre.

In this article, I'll show you a manual way to protect your Linux server from a DDoS attack. First of all, when your server is going down due to a DDoS attack, the first thing you need to know is the attacker's IP address. To do this, I have a couple of commands:

First one:

-------------------

# Count connections per remote address on lines that mention :80
netstat -n | grep :80 | awk '{print $5}' | cut -f1 -d: | sort | uniq -c

-------------------

Second one:

-------------------

# Count TCP and UDP connections per remote address, fewest first
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

-------------------

Third one:

-------------------

# Same count, showing only the ten busiest remote addresses
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | tail

-----------------

Those commands basically show you the attacker's IP address so you know who is attacking your server. Once you use one of them, you'll have a list containing a lot of IP addresses, and beside each IP address you will notice the packets that were sent to the server. If the packets are fewer than 50, it means it is a normal connection to your server; if it is more than 100, it means that you are having a DDoS attack and you must stop it.

Now let's stop those kinds of attacks:


First command:

-------------------

iptables -A INPUT -s 0.0.0.0 -j DROP

-------------------

Second command:

-------------------

# -s matches the packet's source address (the attacker); inserted as rule 1 so it is checked first
iptables -I INPUT 1 -p tcp -s 0.0.0.0 --dport 80 -j DROP

-------------------

NOTICE: Change the 0.0.0.0 to the attacker IP address that you want to stop.
=====================================================================
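
Added example (not part of the original post): the netstat pipelines above cut the remote address at the first colon, which truncates IPv6 and IPv4-mapped addresses, and `grep :80` also matches port 8080. The sketch below counts connections per remote address with an exact port match and lists the addresses above the post's threshold of 100; the function names and the sample data are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example. Sample data below is constructed (RFC 5737 / RFC 3849 addresses).

# count_remote PORT: read `netstat -ant` style lines on stdin and print
# "count address" for each remote address connected to local PORT, busiest last.
count_remote() {
    awk -v port="${1:-80}" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            n = split($4, loc, ":")          # $4 = local address:port
            if (loc[n] != port) next         # exact match, so :8080 is not counted as :80
            remote = $5                      # $5 = remote address:port
            sub(/:[0-9*]+$/, "", remote)     # strip only the trailing port (IPv6-safe)
            sub(/^::ffff:/, "", remote)      # fold IPv4-mapped IPv6 into plain IPv4
            count[remote]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -n
}

# over_threshold LIMIT: keep addresses with more than LIMIT connections.
over_threshold() {
    awk -v limit="${1:-100}" '$1 > limit { print $2 }'
}

# sample_netstat: constructed input, 120 connections from one address plus noise.
sample_netstat() {
    echo "tcp   0  0 0.0.0.0:80  0.0.0.0:*  LISTEN"
    i=0
    while [ "$i" -lt 120 ]; do
        echo "tcp6  0  0 ::ffff:192.0.2.10:80  ::ffff:203.0.113.7:$((40000 + i))  ESTABLISHED"
        i=$((i + 1))
    done
    echo "tcp   0  0 192.0.2.10:80    198.51.100.20:51000  ESTABLISHED"
    echo "tcp   0  0 192.0.2.10:8080  198.51.100.20:51001  ESTABLISHED"
    echo "tcp6  0  0 2001:db8::10:80  2001:db8::1:52000    TIME_WAIT"
}

# Print the block rule for each flagged address so it can be reviewed first.
sample_netstat | count_remote 80 | over_threshold 100 |
    while read -r ip; do
        echo "candidate: iptables -A INPUT -s $ip -j DROP"
    done
```

On a live server, replace `sample_netstat` with `netstat -ant`. A single address with many connections can be a proxy or NAT gateway shared by many legitimate users, so check each candidate before applying the rule.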