Introduction

A DDoS (Distributed Denial of Service) attack can cause high server load, excessive resource usage, and service interruptions. When you suspect that a server is under a DDoS attack, it is important to identify the source of the traffic and take immediate action to minimize the impact on the server.


Prerequisites

  • Root or SSH access to the server
  • Basic knowledge of Linux networking commands
  • APF or CSF firewall installed on the server

Implementation

Steps to Take When You Suspect That the Server Is Under a DDoS Attack


Step 1

Check the server load using the following command:

w


Step 2

Check which service is utilizing the maximum CPU usage:

nice top


Step 3

Check which IP address is creating the maximum number of connections using the following command:

netstat -anpl | grep :80 | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -n

Note:
"print $5" selects the fifth column, the foreign (remote) address of each connection, i.e. the external IP addresses connected to the server.


Step 4

Check the IP addresses configured on the server that are receiving the maximum connections using the following command:

netstat -alpn | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c

or

netstat -alpn | grep :80 | awk '{print $4}' | awk -F: '{print $(NF-1)}' | sort | uniq -c

Note:
"print $4" selects the fourth column, the local address, i.e. the IP addresses configured on the server.


Step 5

Block the suspicious IP address using the firewall.

For APF firewall:

apf -d IPADDRESS

For CSF firewall:

csf -d IPADDRESS
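As an added example (not part of the original article), the following POSIX shell script carries Steps 3 to 5 through on a constructed netstat sample: it counts connections per remote address for one local port, flags addresses that reach a threshold, and prints the matching apf/csf deny commands for an operator to review before running. The SAMPLE data and the function names are assumptions; on a real server you would feed it `netstat -anp` output.

```shell
#!/bin/sh
# Constructed sample of `netstat -anp` output (not captured from a real host).
# Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
SAMPLE='tcp   0 0 203.0.113.10:80   198.51.100.7:51234  ESTABLISHED 1234/nginx
tcp   0 0 203.0.113.10:80   198.51.100.7:51235  ESTABLISHED 1234/nginx
tcp   0 0 203.0.113.10:80   198.51.100.7:51236  SYN_RECV    -
tcp   0 0 203.0.113.10:80   192.0.2.44:40001    ESTABLISHED 1234/nginx
tcp6  0 0 2001:db8::10:80   2001:db8:1::5:443   ESTABLISHED 1234/nginx
tcp6  0 0 2001:db8::10:80   2001:db8:1::5:444   TIME_WAIT   -
tcp   0 0 203.0.113.10:8080 192.0.2.44:40003    ESTABLISHED 1234/nginx
tcp   0 0 203.0.113.10:22   192.0.2.44:40002    ESTABLISHED 999/sshd'

# Print "count ip" for each remote address connected to local port $1,
# busiest first. Anchoring the match on ":$1$" avoids the way a bare
# `grep :80` also catches :8080; stripping only the trailing ":port" keeps
# IPv6 addresses whole (a `cut -d: -f1` would reduce them to a fragment).
count_remote_by_port() {
    printf '%s\n' "$SAMPLE" \
        | awk -v p=":$1\$" '$4 ~ p {print $5}' \
        | sed 's/:[0-9]*$//' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Print only the addresses whose connection count reaches the threshold $2.
remote_over_threshold() {
    count_remote_by_port "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# Emit (do not run) the firewall deny commands for those addresses so the
# list can be reviewed before it is applied. $3 is "apf" or "csf".
print_block_commands() {
    remote_over_threshold "$1" "$2" | awk -v fw="$3" '{print fw " -d " $1}'
}

count_remote_by_port 80
print_block_commands 80 3 csf
```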


Conclusion

By monitoring server load, identifying suspicious connections, and blocking abusive IP addresses using firewall tools such as APF or ConfigServer Security & Firewall (CSF), you can reduce the impact of DDoS attacks and improve server stability.
