Tag Archives: ddos attack prevention

DDoS protection guide – Part 1

What is a DDoS attack ?

DDoS, short for Distributed Denial of Service, is a type of DOS attack where multiple compromised systems — which are usually infected with a Trojan (70% of the time)– are used to target a single system causing a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack.

In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address.

Honestly, it would be so difficult to protect against a DDoS attack. But we can follow some steps to make our servers more watchful against them.

=====================================

CSF firewall can be fine tuned as follows :

If you have a cPanel server, navigate to WHM as : ConfigServer Security & Firewall from WHM >> Firewall Configuration. If you do not use WHM, it would be good if you install CSF and manually plug in the following setting :

Connection Tracking : This option enables tracking of all connections from IP addresses to the server. If the total number of connections is greater than this value then the offending IP address is blocked. This can be used to help prevent some types of DOS attack.

=====================================

If you see your server is a bit on the slower side, check the number of connections to it using the following command.

# netstat -anp |grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

As a preliminary step, block the IPs which doesn look valid and are offending ones using csf commands.

Another option is to go for the the MOD_EVASIVE module in the httpd configuration.

Mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection tool and can be easily configured to talk to ipchains, firewalls.

Mod_evasive have got many many options to gun down our requirements to handle the IPs connecting to our server.

Steps to install mod_evasive is given below :

# cd /usr/local/src/

# Download the mod_evasive_xx.xx.tar.gz file

# tar -xvzf mod_evasive_xx.xx.tar.gz

# cd mod_evasive/

# /usr/local/apache/bin/apxs -cia mod_evasive20.c

Now create a file named /usr/local/apache/conf/mod_evasive.conf and add your custom settings.

For eg :

# cat /usr/local/apache/conf/mod_evasive.conf

LoadModule evasive20_module modules/mod_evasive20.so
<IfModule mod_evasive20.c>

DOSHashTableSize 3097

//The hash table size defines the number of top-level nodes for each child’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. You should increase this if you have a busy web server. The value you specify will automatically be tiered up to the next prime number in the primes list

DOSPageCount 2

//This is the threshhold for the number of requests for the same page (or URI) per page interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list

DOSSiteCount 50

//This is the threshhold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list

DOSPageInterval 1

//The interval for the page count threshhold; defaults to 1 second intervals

DOSSiteInterval 1

//The interval for the site count threshhold; defaults to 1 second intervals

DOSBlockingPeriod 10

//The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset

</IfModule>

Now include the above file inside :

/usr/local/apache/conf/includes/pre_main_global.conf

Include “/usr/local/apache/conf/mod_evasive.conf“

Now rebuild httpd.conf :

# /scripts/rebuildhttpdconf

Now restart apache :

# /scripts/restartsrv httpd

Click here to read more on DDoS and its protection !