DDOS attack prevention in linux servers


A distributed denial-of-service (DDoS) attack is one in which a bunch of compromised systems attack the target machine/server, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.

The most common method of attack is to send a mass saturation of requests for external communication to the target server. These systems are flooded with requests for information from non-users, and often non-visitors to the website. The goal of this attack is to create a large enough presence of false traffic such that legitimate web traffic intended for actual web users is slowed down and delayed. If this type of service becomes too slow, time sensitive information such as live video footage may be rendered entirely useless to legitimate end users.

Denial of service attacks can be problematic, especially when they cause large websites to be unavailable during high-traffic times. Fortunately, security software has been developed to detect DoS attacks and limit their effectiveness or some basic linux commands to be executed to find the if the server is under DDOS attack.

There is one quick linux command via which you can check and confirm if your server is under DDOS attack or not.

netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

One important thing that you should check is the number of active connections that your server currently has, this can be found from the command shown below and the output value should be less than 500.

netstat -n | grep :80 |wc -l

The above command will show the active connections that are open to your server.

netstat -n | grep :80 | grep SYN |wc -l

There are many attackers present who typically start attack by starting a connection to the server and then do not send an acknowledgement making the server wait till it times out. Result of active connections from the first command will vary but if it shows connections  more than 500, then you will be definitely having attacks against the server. If the result after you ran the second command is 100 or above then you are having problems with sync attack.

You can even block a particular IP on your server. If you wish to block a particular IP on you server, you can use the following command

route add ipaddress reject

Here is one example of how to block a particular IP on the server
for example:

 route add reject

Once you block a paricular IP on the server, you can even crosscheck if the IP is blocked or not by using the following command.

route -n |grep IPaddress

You can also block a IP with iptables on the server by using the following command.

 service iptables restart
 service iptables save

After running the above command, KILL all httpd connection and than restart httpd service by using following command:

killall -KILL httpd
 service httpd startssl


SynFlood Attack

To test syn flood attack use the hping command which is used for testing firewall rules. When attack starts you will see something as follows in /var/log/messages log file.

possible SYN flooding on port 80. Sending cookies.

hping can be run as follows (see man page for more info)

hping -i u1 -S -p 80 x.x.x.x

Syn Flood Protection:

You can turn on syncookies proection for SYN flood attack by adding the following line to /etc/sysctl.conf:

net.ipv4.tcp_syncookies = 1

Another option to set in /etc/sysctl.conf is the following




Also we can limit the number of connections from an IP address to a port at a time by tweaking the variable CONNLIMIT in csf firewall.

CONNLIMIT = "80;75 21;50"

The above settings shows the server only allows 75 connections from an IP address to the port 80 and 50 connections to the port 21.

Enabling this variable in firewall also limits the attack against the server.

Another steps that can serve as a first step for preventing DDOS in case of  Cpanel servers running Apache could be that, the admins can go ahead and install some of the popular Apache Pluggins like “Apachebooster” which may be downloaded from here


There are no revisions for this post.

Tags: , , , ,

No comments yet.

Leave a Reply