Thursday, 22 November 2012

How to check whether a Linux server is under DDoS attack

DDOS – Distributed Denial of service attack

A DoS (Denial of Service) attack makes a server's resources unavailable to its legitimate users; a DDoS is the same attack launched from many sources at once. It typically shows up as loss of network connectivity and services, caused by consuming the bandwidth and resources of the victim network or by overloading the victim server. The most common form is an attempt to "flood" the network with bogus packets, thereby crowding out legitimate traffic.
Two classic forms of this attack are:
  1. Smurf attack :- ICMP echo requests are sent to the broadcast address of a misconfigured network with a forged (spoofed) source IP address set to the target, so every host on that network answers the target at once.
  2. SYN flood attack :- Bogus SYN requests to a service (e.g. HTTP) fill the listen backlog with half-open connections, so the server can no longer accept legitimate ones.
  • Command to count the distinct IP addresses that have TCP or UDP connections to the server
# netstat -ntu | grep -E '^(tcp|udp)' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | wc -l
(The grep drops the two header lines; `cut -d: -f1` only works for IPv4 addresses. On distributions without net-tools, `ss -ntu` produces equivalent output.) There is no universal threshold: compare the number with the server's normal load. If a server that usually sees a few hundred distinct addresses suddenly shows 2000 or 3000, it is very likely under DDoS attack.
  • Command to list the IP addresses currently connected to the server, with the number of connections from each (busiest at the bottom)
# netstat -ntu | grep -E '^(tcp|udp)' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
If `top -d2` shows an unusually large number of httpd processes, check whether this is a DoS attack, and in particular whether the server is being flooded with SYN packets.
  • Command to count half-open connections (SYN flood check)
# netstat -nap | grep SYN_RECV | wc -l
A healthy server has only a handful of connections in SYN_RECV at any moment. If the count is abnormally large (hundreds or thousands), the server is under a SYN flood. (`-p` needs root to show the owning process; `grep SYN` alone would also match outgoing SYN_SENT connections.)
  • Command to see which IP addresses the packets come from
# netstat -nap | less
If the attack is coming from a particular IP address, we can block it on the server with a reject route:
  • Command used to block an IP address in the server
# route add -host <IP address> reject
(On current distributions the equivalent is `ip route add unreachable <IP address>`.)
  • Command used to check whether the IP address is blocked
# route -n | grep <IP address>
We can also use iptables to block an IP address, which is the more direct option because the packets are discarded on arrival. Insert the rule at position 1 so it is matched before any ACCEPT rule, and prefer DROP over REJECT so the server spends no bandwidth answering the flood:
# iptables -I INPUT 1 -s <IPADDRESS> -j DROP
# service iptables save
# service iptables restart
(`service iptables save` and `restart` are the RHEL/CentOS iptables service commands; `save` is what makes the rule survive a reboot.)
Then kill the existing httpd processes, which drops the connections the attacker already holds, and start the service again:
# killall -KILL httpd
# service httpd start
(`startssl` was the `apachectl` target for starting Apache with SSL enabled on older versions; Apache 2.2 and later use a plain start.)
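The detection and blocking steps above, combined into one script, as an added example that is not part of the original post. It feeds the functions a constructed sample of `netstat -ntu` output (the addresses are documentation ranges), strips the port with awk instead of `cut -d: -f1` so IPv6 foreign addresses are counted correctly, and prints the blocking commands for any address over a threshold instead of running them unless the assumed `APPLY=1` variable is set. On a live host, replace the sample with `netstat -ntu | conns_per_ip` and so on.

```shell
#!/bin/sh
# Added example (not from the original post). Parse netstat/ss-style output,
# count connections and half-open sockets per remote address, and emit the
# firewall rules for addresses above a threshold.

# Constructed sample of `netstat -ntu` output (headers included) so the script
# runs offline. 203.0.113.7 is the "attacker" with three half-open connections.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:44120      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:60010      ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8::dead:beef:40000 ESTABLISHED
udp        0      0 10.0.0.5:53             203.0.113.7:9999        ESTABLISHED'

# Print "<count> <address>" per remote address, busiest last. Skips the two
# header lines and removes the trailing ":port" (and ss-style brackets) so that
# IPv6 addresses, which contain colons, are not mangled.
conns_per_ip() {
    awk 'NR > 2 { a = $5; sub(/:[0-9]+$/, "", a); gsub(/[][]/, "", a); print a }' \
        | sort | uniq -c | sort -n
}

# Number of distinct remote addresses talking to the server.
distinct_ips() { conns_per_ip | wc -l | tr -d ' '; }

# Half-open connections: a backlog full of SYN_RECV is the signature of a SYN flood.
syn_recv_count() { awk '$6 == "SYN_RECV"' | wc -l | tr -d ' '; }

# Addresses holding more than $1 connections, one per line.
heavy_hitters() {
    conns_per_ip | awk -v t="$1" '$1 > t { print $2 }'
}

# Block every address over the threshold $1. Dry-run by default (prints the
# commands); APPLY=1 executes them, which needs root. DROP rather than REJECT so
# the server does not spend bandwidth answering the flood; IPv6 goes to ip6tables.
block_heavy_hitters() {
    heavy_hitters "$1" | while read -r ip; do
        case "$ip" in *:*) fw=ip6tables ;; *) fw=iptables ;; esac
        if [ "${APPLY:-0}" = 1 ]; then
            "$fw" -I INPUT 1 -s "$ip" -j DROP
        else
            echo "$fw -I INPUT 1 -s $ip -j DROP"
        fi
    done
}

# Stand-alone run: report on the constructed sample.
printf '%s\n' "$SAMPLE" | conns_per_ip
printf 'distinct remote addresses: %s\n' "$(printf '%s\n' "$SAMPLE" | distinct_ips)"
printf 'half-open (SYN_RECV) connections: %s\n' "$(printf '%s\n' "$SAMPLE" | syn_recv_count)"
printf 'rules for addresses with more than 2 connections:\n'
printf '%s\n' "$SAMPLE" | block_heavy_hitters 2
```

The threshold of 2 is only sensible for the tiny sample; on a real server set it relative to the normal per-client connection count observed before the attack, and review the dry-run output before setting `APPLY=1`, since a NAT gateway or a busy proxy can legitimately hold many connections.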

  • Checking for DDoS on a VPS hardware node using tcpdump
# tcpdump -c 300 -v -n -i venet0:0
This captures 300 packets (`-c 300`) without resolving names (`-n`, so the capture itself does not stall on DNS) from the OpenVZ `venet0:0` interface; substitute the node's actual interface if it differs. A single source address dominating the capture, or a stream of SYNs with no matching ACKs, confirms the attack and shows where it comes from.
Anzil Ali Liyakkath
