Prevent DDOS Attack in Linux
What happens when you are under attack?
1. Programs run very slowly
2. Services (e.g., HTTP) fail at a high rate
3. Large number of connection requests from different networks
4. User complaints about slow (or no) site access
5. Machine shows a high CPU load
How do you prevent being attacked?
1) Check the CPU load and whether there is an unusually large number of httpd processes.
Blessen@work >w
12:00:36 up 1 day, 20:27, 5 users, load average: 0.70, 0.70, 0.57
2) Count the httpd processes
[root@blessen root]# ps aux|grep -i httpd|grep -v grep|wc -l
23
3) Determine the attacking network
bash# netstat -ntu|grep :80|awk '{print $5}'|cut -d: -f1|sort|uniq -c|sort -rn
If you have more than 30 connections from a single IP, chances are that you
are under attack. Identify these networks for later reporting, perhaps by using the
'whois' command.
If more than 5 such hosts/IPs connect from the same network, that's a very
clear sign of DDoS.
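The two thresholds above (more than 30 connections from one IP, more than 5 such IPs from one network) can be applied automatically to netstat output. The following script is an added example, not part of the original post: it feeds a constructed `netstat -ntu` sample (RFC 5737 documentation addresses, not real hosts) through three small filters that count connections per remote IP, pick the heavy IPs, and then group those by /24, which is the assumed meaning of "the same network" here.

```shell
#!/bin/sh
# Added example (not from the original post): triage connections to port 80
# using the thresholds from the text. Works on the output of `netstat -ntu`.

# Constructed sample of `netstat -ntu` output: one host with 35 connections,
# six hosts from one /24 with 31 each, one quiet host, and one SSH session.
sample_netstat() {
    printf '%s\n' 'Active Internet connections (w/o servers)' \
        'Proto Recv-Q Send-Q Local Address           Foreign Address         State'
    awk 'BEGIN {
        for (i = 1; i <= 35; i++)
            printf "tcp 0 0 10.0.0.5:80 203.0.113.10:%d ESTABLISHED\n", 40000 + i
        for (h = 1; h <= 6; h++)
            for (i = 1; i <= 31; i++)
                printf "tcp 0 0 10.0.0.5:80 198.51.100.%d:%d ESTABLISHED\n", h, 40000 + i
        for (i = 1; i <= 3; i++)
            printf "tcp 0 0 10.0.0.5:80 192.0.2.44:%d ESTABLISHED\n", 50000 + i
        printf "tcp 0 0 10.0.0.5:22 192.0.2.44:51000 ESTABLISHED\n"
    }'
}

# Count connections to local port 80 per remote IP (stdin: netstat -ntu output).
# Prints "<count> <ip>" lines, highest count first. Header lines are skipped
# because their first field is not tcp/udp.
conns_per_ip() {
    awk '$1 ~ /^(tcp|udp)/ && $4 ~ /:80$/ { split($5, a, ":"); c[a[1]]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Keep only IPs with more than $1 connections (default 30, as in the text).
heavy_ips() {
    awk -v t="${1:-30}" '$1 > t { print $2 }'
}

# Group heavy IPs by /24 and print networks with more than $1 hosts (default 5).
# Output: "<host count> <network>/24", highest first.
suspicious_networks() {
    awk -F. -v t="${1:-5}" '{ n[$1 "." $2 "." $3 ".0/24"]++ }
        END { for (k in n) if (n[k] > t) print n[k], k }' | sort -rn
}

# Stand-alone run over the constructed sample. On a real host replace
# `sample_netstat` with `netstat -ntu`.
echo "== connections per IP =="
sample_netstat | conns_per_ip
echo "== IPs over threshold =="
sample_netstat | conns_per_ip | heavy_ips
echo "== networks with many heavy hosts =="
sample_netstat | conns_per_ip | heavy_ips | suspicious_networks
```

The list of heavy IPs is what you would run through `whois` for reporting; the network list is the candidate for a single `iptables` rule with a /24 mask rather than one rule per host. Keep the counts before blocking anything, since a busy proxy or NAT gateway can legitimately exceed 30 connections from one address.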
4) Block the attacking network
iptables -A INPUT -s <Source IP> -j DROP
Edit /etc/apf/deny_hosts.rules for apf
===========================================================
5) How to prevent this issue in the future.
http://www.rfxnetworks.com/apf.php
http://freshmeat.net/projects/aide/
6) Implement Sysctl-based protection. Enable the following in your '/etc/sysctl.conf':
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
7) Alternatively, you could add this code to your '/etc/rc.local':
# Turn on source address verification on every interface and enable SYN cookies
for f in /proc/sys/net/ipv4/{conf/*/rp_filter,tcp_syncookies}
do
    echo 1 > $f
done
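Whichever of steps 6 and 7 you use, it is worth verifying that the kernel actually has the values you expect, since a sysctl.conf edit only takes effect after `sysctl -p` or a reboot. The following check is an added example, not from the original post: it reads the same /proc/sys files that the rc.local loop writes and reports any that are not set to 1. The optional root-prefix argument is an assumption added so the function can be exercised against a fake directory tree.

```shell
#!/bin/sh
# Added example (not from the original post): audit the rp_filter and
# tcp_syncookies settings from steps 6 and 7 by reading /proc/sys directly.
# Usage: check_ddos_sysctl [root-prefix]
# Exit status is the number of settings that differ from the recommended value 1.
check_ddos_sysctl() {
    root=${1:-}          # prefix for /proc (empty on a real host; a temp dir in tests)
    bad=0
    for f in "$root"/proc/sys/net/ipv4/conf/*/rp_filter \
             "$root"/proc/sys/net/ipv4/tcp_syncookies; do
        # An unmatched glob leaves the pattern itself; skip anything unreadable.
        [ -r "$f" ] || continue
        v=$(cat "$f")
        if [ "$v" != "1" ]; then
            echo "NOT HARDENED: $f = $v (expected 1)"
            bad=$((bad + 1))
        fi
    done
    echo "$bad setting(s) differ from the recommended value"
    return $bad
}

# Stand-alone run against the live kernel (prints nothing alarming on a
# hardened host; exits non-zero otherwise).
check_ddos_sysctl
```

Run it from cron or your monitoring agent and alert on a non-zero exit; a value of 0 for `tcp_syncookies` after a reboot usually means the sysctl.conf entry was never applied.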
Sunday, January 25, 2009