Posted by: Mangesh_Linux_Administrator | August 22, 2010

How to check for and stop a DDoS attack

Distributed denial-of-service attacks
In a distributed attack, the attacking computers are often personal computers with broadband connections to the Internet that have been compromised by viruses or Trojan horse programs. These allow the perpetrator to remotely control machines to direct the attack, and such an array of computers is called a botnet. With enough such slave or zombie hosts, the services of even the largest and most well-connected websites can be disrupted.
Denial-of-service attack

A denial-of-service attack (also, DoS attack) is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.
Attacks can be directed at any network device, including routers and Web, electronic mail, and Domain Name System servers.

A DoS attack can be perpetrated in a number of ways. There are four basic types of attack:

1) consumption or overload of system or network resources, such as bandwidth, disk space, or CPU time
2) disruption of configuration information, such as routing information
3) disruption of physical network components
4) disruption of normal operating-system functionality by exploiting a software vulnerability.

Attempts to “flood” a network with bogus packets, thereby preventing legitimate network traffic, are the most common form of attack, often conducted by disrupting network connectivity with the use of multiple hosts in a distributed denial-of-service attack or DDoS. Such attacks can consume the resources of intervening systems and networks over which the attack is transmitted. Other than incorrectly formed packets or random traffic, two specific sophisticated means of attack include:

1) a smurf attack, in which ICMP echo requests are sent to the broadcast address of misconfigured networks with a faked, or spoofed, source IP address set to that of the target, so every host on those networks replies to the victim
2) a SYN flood, in which bogus SYN requests to a service (often HTTP) fill the server's listen backlog with half-open connections, so legitimate clients cannot complete the TCP handshake

You can check the current httpd load with either of these commands:

top -c -d 2    or
ps auxf | grep '[h]ttpd'

If you see far more httpd processes than usual, check whether the server is being flooded with SYN packets. Half-open connections sit in the SYN_RECV state, so count them:

netstat -nat | grep SYN_RECV | wc -l

There is no fixed threshold: compare the number with what this server shows on a normal day. A handful of SYN_RECV entries is routine on a busy web server; hundreds that stay there for minutes are not, and then the server is under attack.
You can check which IPs the SYN packets are coming from with the following command:

netstat -nap | less

This lists every socket with its state, its foreign (remote) address and, when run as root, the owning process; it is the connection table, not the kernel routing table (that is netstat -r). If the SYN_RECV entries all come from one IP, block that IP on the server with a firewall DROP rule; if they come from one network, block the range. Keep in mind that the source addresses of a real SYN flood are usually spoofed, so blocking them one by one rarely helps; the mitigation that does not depend on the source address is SYN cookies (net.ipv4.tcp_syncookies = 1), which let the kernel answer SYNs without keeping a half-open entry for each.
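The source ranking described above, done as a script rather than by eye in less, as an added example that is not part of the original post. It reads netstat -nat output, counts the half-open connections, ranks the peer addresses by how many SYN_RECV entries each holds, and prints (does not run) the iptables rule for the busiest one. The netstat output in the script is constructed for the demo; on a real host pipe the live output into the same functions. It assumes IPv4 addresses (the port is split off at the last colon), and the interface name, addresses and port 80 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): rank the sources of half-open
# (SYN_RECV) connections from `netstat -nat` output and print the block rule.

# Constructed sample of `netstat -nat` (IPv4 only). On a real host run:
#   netstat -nat | syn_recv_sources
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.9:33000         ESTABLISHED
tcp        0      0 203.0.113.10:22         192.0.2.9:33001         ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.200:1111     SYN_RECV'

# Number of half-open connections: the figure to compare against normal.
# Column 6 of `netstat -nat` is the socket state.
syn_recv_count() {
    awk '$6 == "SYN_RECV"' | wc -l | tr -d ' '
}

# Peer IPs ranked by number of half-open connections, busiest first.
# Prints "<count> <ip>" per line; the port is split off at the colon (IPv4).
syn_recv_sources() {
    awk '$6 == "SYN_RECV" { split($5, a, ":"); print a[1] }' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print the iptables rule for one source address. It is printed, not run, so
# the operator reviews it first: flood sources are often spoofed, and a rule
# for a spoofed address only costs rule-table space.
block_ip_cmd() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n' "$1"
}

# SYN cookies are the mitigation that does not depend on the source address.
# Prints 1 when enabled, 0 when disabled, "unknown" where /proc is absent.
syncookies_state() {
    if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then
        cat /proc/sys/net/ipv4/tcp_syncookies
    else
        echo unknown
    fi
}

# Demo on the constructed sample.
echo "half-open connections: $(printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_count)"
echo "top sources:"
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_sources | head -5
top_ip=$(printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_sources | head -1 | awk '{ print $2 }')
echo "rule to review: $(block_ip_cmd "$top_ip")"
echo "tcp_syncookies: $(syncookies_state)"
```

If one address dominates the list, the printed rule is worth applying; if the counts are flat across hundreds of addresses, the sources are spoofed or a botnet, and the answer is SYN cookies and the per-site steps below rather than more rules.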
If the SYNs come from many IPs, you will have to find which site is being targeted.
To check this, go to /usr/local/apache/domlogs/, where this layout keeps one access log per domain.
Note how the date is written in those logs: Apache's default format is [01/Jan/2010:02:01:05 +0000], with a two-digit day. Then run the command "date" to get the server's current time and look at the minutes just before it. Suppose the current time is Jan 1 02:05:50; then run

grep "01/Jan/2010:02:01" *

It will show the requests logged in that minute, prefixed with the site each belongs to. If one site is being hit far more than the others, that site is under attack. Change the timestamp to check other minutes in case several sites are affected. You can suspend the attacked site to keep the server from overloading; that takes it offline, which is what the attacker wanted, but it keeps every other site on the server up.
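The per-site log check above, as an added example that is not part of the original post. It counts requests per domain log for one timestamp prefix (a minute, or an hour if you shorten the prefix), names the busiest site, and then ranks the client IPs hitting that site, which tells you whether one address can simply be blocked or the site has to be suspended. The log directory, the domain names and the log lines are constructed for the demo in a temporary directory; on a real server point the functions at /usr/local/apache/domlogs. It assumes file names without colons, as grep -c separates name and count with one.

```shell
#!/bin/sh
# Added example (not from the original post): which vhost took the most
# requests in a given minute, from per-domain Apache access logs.

# Build a constructed domlogs directory, one file per site, in Apache's
# common log format ("[DD/Mon/YYYY:HH:MM:SS zone]"). Prints its path.
make_sample_domlogs() {
    dir=$(mktemp -d)
    # example.com: 5 hits in 02:01, four of them from one client
    cat > "$dir/example.com" <<'EOF'
203.0.113.5 - - [01/Jan/2010:02:00:59 +0000] "GET / HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jan/2010:02:01:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jan/2010:02:01:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jan/2010:02:01:01 +0000] "GET /index.php?page=3 HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jan/2010:02:01:01 +0000] "GET /index.php?page=4 HTTP/1.1" 200 2048
203.0.113.5 - - [01/Jan/2010:02:01:30 +0000] "GET /about.html HTTP/1.1" 200 1024
EOF
    # example.org: 2 hits in 02:01, 1 in 02:02
    cat > "$dir/example.org" <<'EOF'
192.0.2.9 - - [01/Jan/2010:02:01:05 +0000] "GET / HTTP/1.1" 200 3000
192.0.2.9 - - [01/Jan/2010:02:01:40 +0000] "GET /contact HTTP/1.1" 200 1500
192.0.2.9 - - [01/Jan/2010:02:02:10 +0000] "GET / HTTP/1.1" 200 3000
EOF
    # shop.example.net: 1 hit in 02:01
    cat > "$dir/shop.example.net" <<'EOF'
203.0.113.77 - - [01/Jan/2010:02:01:12 +0000] "POST /cart HTTP/1.1" 302 0
EOF
    echo "$dir"
}

# Requests per site log for one timestamp prefix, busiest first.
# Usage: hits_per_site <logdir> "01/Jan/2010:02:01"   (one minute)
#        hits_per_site <logdir> "01/Jan/2010:02"      (one hour)
# Prints "<count> <site>"; sites with no hits in the window are dropped.
hits_per_site() {
    logdir=$1
    stamp=$2
    # -F: the stamp is a literal string; the leading "[" anchors it to the
    # timestamp field so a matching string in a URL does not count.
    (cd "$logdir" && grep -H -c -F "[$stamp" -- *) \
      | awk -F: '$2 > 0 { print $2, $1 }' | sort -rn
}

# Name of the site with the most requests in the window.
busiest_site() {
    hits_per_site "$1" "$2" | head -1 | awk '{ print $2 }'
}

# Client IPs ranked by requests to one site log in the window.
# Usage: top_clients <logfile> "01/Jan/2010:02:01"
top_clients() {
    grep -F "[$2" "$1" | awk '{ print $1 }' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Demo on the constructed directory. On a real server:
#   hits_per_site /usr/local/apache/domlogs "01/Jan/2010:02:01"
logs=$(make_sample_domlogs)
echo "requests per site during 01/Jan/2010:02:01:"
hits_per_site "$logs" "01/Jan/2010:02:01"
site=$(busiest_site "$logs" "01/Jan/2010:02:01")
echo "top clients of $site in that minute:"
top_clients "$logs/$site" "01/Jan/2010:02:01"
rm -rf "$logs"
```

A single client at the top of top_clients is a candidate for a firewall rule; a flat spread across many clients means the site itself has to be suspended or moved, as the next step describes.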

Often the attack is aimed at a particular IP address, so every site sharing that IP suffers. Move those sites to a different IP and null-route the attacked one; the move only takes effect for clients once the old DNS records expire, so the shorter the TTL, the faster the sites recover.

These are the basic steps to follow while an attack is in progress. Use your judgement as you work through them; there is more than one way to handle it.

