In today’s internet-driven world, having a robust website is crucial for success, whether you are a blogger, an eCommerce shop owner, or a local service provider. As businesses increasingly rely on search engines and web traffic to drive sales, the threat from malicious online actors has become more significant. One common and growing threat is the Distributed Denial of Service (DDoS) attack.
What is a DDoS Attack?
A DDoS, or Distributed Denial of Service attack, is a coordinated effort to disable a website by overwhelming its server with traffic from multiple IP addresses. This surge in traffic depletes the server’s resources, making it inaccessible to legitimate users. Similar to a traffic jam, where too many cars slow down the commute, a server flooded with excessive connections can’t process genuine requests efficiently. Even the most robust servers can succumb to the high volume of connections that a DDoS attack brings.
DDoS attacks can be executed in various ways, such as HTTP floods or Slowloris’ lingering connections, but they all require live connections to the server. Fortunately, these live connections allow you to detect and mitigate an attack in progress.
How to Identify a DDoS Attack
To determine if your server is under a DDoS attack, you need to monitor the server load. Simple commands like uptime
or top
can provide an overview of the current load.
Checking Server Load
The acceptable server load depends on your CPU resources or available threads. Generally, the rule is one load point per thread. Use the following command to find the number of logical processors (threads):
grep processor /proc/cpuinfo | wc -l
To check the server load, use:
uptime
A load average significantly higher than the number of threads may indicate a DDoS attack.
Monitoring Network Traffic
If your server responds well over backend connections but is slow over the public interface, check your network traffic using tools like nload
, bmon
, iftop
, vnstat
, or ifstat
. These tools can be installed via your package manager (apt, yum, etc.).
Identifying Malicious IPs
Since DDoS attacks involve multiple connections to your server, identifying the IP addresses involved is crucial. Use the netstat
command to list IP addresses and their connection counts:
netstat -ntu|awk '{print $5}'|cut -d: -f1 -s|sort|uniq -c|sort -nk1 -r
This command will display a descending list of IPs and the number of connections each has. Unusually high numbers of connections from single IPs may indicate an attack.
Mitigating a DDoS Attack
Once you identify the offending IPs, you can block them using the following commands:
Blocking IPs Using Route
route add ipaddress reject
route -n |grep ipaddress
Blocking IPs Using iptables
iptables -A INPUT 1 -s IPADDRESS -j DROP/REJECT
service iptables restart
service iptables save
After blocking the IPs, restart the HTTP service:
killall -KILL httpd
service httpd start
Repeat these steps for multiple offending IPs if necessary.
Dealing with Multiple IP Attacks
DDoS attacks using fewer connections spread across many IPs can be harder to diagnose. These attacks often leverage botnets, networks of compromised devices, to generate traffic.
Identifying Common Subnets
To identify if many connections are from common subnets, use the following commands:
Finding IPs from the Same /16 Subnet
netstat -ntu|awk '{print $5}'|cut -d: -f1 -s |cut -f1,2 -d'.'|sed 's/$/.0.0/'|sort|uniq -c|sort -nk1 -r
Finding IPs from the Same /24 Subnet
netstat -ntu|awk '{print $5}'|cut -d: -f1 -s |cut -f1,2,3 -d'.'|sed 's/$/.0/'|sort|uniq -c|sort -nk1 -r
If a significant number of connections come from the same subnet, it might indicate a coordinated DDoS attack. Mitigate these attacks using the same steps as for single IP attacks, replicated for many IPs.
Conclusion
These techniques offer quick and effective ways to check for and mitigate DDoS attacks. While more advanced tools are available, familiarizing yourself with these methods can strengthen your defenses and provide valuable insights even when not under attack. Protecting your website from DDoS attacks is crucial to maintaining its availability and ensuring the success of your online presence.