DDoS attack mitigation

Understanding and Mitigating DDoS Attacks: A Comprehensive Guide

Written by admin · 2 min read

In today’s internet-driven world, having a robust website is crucial for success, whether you are a blogger, an eCommerce shop owner, or a local service provider. As businesses increasingly rely on search engines and web traffic to drive sales, the threat from malicious online actors has become more significant. One common and growing threat is the Distributed Denial of Service (DDoS) attack.

What is a DDoS Attack?

A DDoS, or Distributed Denial of Service attack, is a coordinated effort to disable a website by overwhelming its server with traffic from multiple IP addresses. This surge in traffic depletes the server’s resources, making it inaccessible to legitimate users. Similar to a traffic jam, where too many cars slow down the commute, a server flooded with excessive connections can’t process genuine requests efficiently. Even the most robust servers can succumb to the high volume of connections that a DDoS attack brings.

DDoS attacks can be executed in various ways, such as HTTP floods or Slowloris’ lingering connections, but they all require live connections to the server. Fortunately, these live connections allow you to detect and mitigate an attack in progress.

How to Identify a DDoS Attack

To determine if your server is under a DDoS attack, you need to monitor the server load. Simple commands like uptime or top can provide an overview of the current load.

Checking Server Load

The acceptable server load depends on your CPU resources or available threads. Generally, the rule is one load point per thread. Use the following command to find the number of logical processors (threads):

grep processor /proc/cpuinfo | wc -l

To check the server load, use:

uptime
Terminal window showing current uptime and load average of 0.10, 0.05, and 0.06

A load average significantly higher than the number of threads may indicate a DDoS attack.

Monitoring Network Traffic

If your server responds well over backend connections but is slow over the public interface, check your network traffic using tools like nload, bmon, iftop, vnstat, or ifstat. These tools can be installed via your package manager (apt, yum, etc.).

Identifying Malicious IPs

Since DDoS attacks involve multiple connections to your server, identifying the IP addresses involved is crucial. Use the netstat command to list IP addresses and their connection counts:

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s|sort|uniq -c|sort -nk1 -r

This command lists connected IPs in descending order of connection count. An unusually high number of connections from a single IP may indicate an attack.

Terminal window showing a list of IPs currently connected to the server

Mitigating a DDoS Attack

Once you identify the offending IPs, you can block them using the following commands:

Blocking IPs Using Route

route add ipaddress reject
route -n | grep ipaddress

Blocking IPs Using iptables

iptables -I INPUT 1 -s IPADDRESS -j DROP    # -I inserts at position 1 (-A takes no rule number); use -j REJECT instead of DROP if preferred
service iptables save                       # save before any restart: a restart reloads the saved rule set and would discard an unsaved rule
service iptables restart

After blocking the IPs, restart the HTTP service:

killall -KILL httpd
service httpd start

Repeat these steps for multiple offending IPs if necessary.

Dealing with Multiple IP Attacks

DDoS attacks using fewer connections spread across many IPs can be harder to diagnose. These attacks often leverage botnets, networks of compromised devices, to generate traffic.

Identifying Common Subnets

To identify if many connections are from common subnets, use the following commands:

Finding IPs from the Same /16 Subnet

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s |cut -f1,2 -d'.'|sed 's/$/.0.0/'|sort|uniq -c|sort -nk1 -r

Terminal window listing IPs starting with the same two octets

Finding IPs from the Same /24 Subnet

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s |cut -f1,2,3 -d'.'|sed 's/$/.0/'|sort|uniq -c|sort -nk1 -r

Terminal window listing IPs starting with the same three octets

If a significant number of connections come from the same subnet, it might indicate a coordinated DDoS attack. Mitigate these attacks using the same steps as for single IP attacks, replicated for many IPs.
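The per-IP count above and the /16 and /24 subnet counts in this section are the same aggregation at different prefix lengths. The script below, an added example that is not part of the original article, folds them into one function over netstat-style output, and skips IPv6 peers (which contain several colons and break the cut -d: approach). The sample output and the threshold values are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the shape of `netstat -ntu` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.20:33000      ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.21:33001      ESTABLISHED
tcp6       0      0 :::80                   2001:db8::1:44444       ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.1:5353          ESTABLISHED'

# Count foreign addresses at a given IPv4 prefix length (32 = per host, 24, or 16).
# Reads netstat output on stdin. Header lines and IPv6 peers do not match the
# address pattern and are ignored, so the count is never skewed by a mangled field.
count_by_prefix() {
    awk -v bits="$1" '
        $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ {
            split($5, a, ":"); split(a[1], o, ".")
            if (bits == 16)      key = o[1] "." o[2] ".0.0/16"
            else if (bits == 24) key = o[1] "." o[2] "." o[3] ".0/24"
            else                 key = a[1]
            n[key]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# List only hosts or subnets whose connection count reaches a review threshold.
# The threshold is site-specific: compare against what the server sees normally.
over_threshold() {
    bits="$1"; limit="$2"
    count_by_prefix "$bits" | awk -v limit="$limit" '$1 >= limit { print $2 }'
}

# Stand-alone run against the constructed sample; on a live box use:
#   netstat -ntu | count_by_prefix 24
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_prefix 24
```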

Conclusion

These techniques offer quick and effective ways to check for and mitigate DDoS attacks. While more advanced tools are available, familiarizing yourself with these methods can strengthen your defenses and provide valuable insights even when not under attack. Protecting your website from DDoS attacks is crucial to maintaining its availability and ensuring the success of your online presence.