How to Check if Your Linux Server Is Under DDoS Attack

What is DDoS:

DDoS, or Distributed Denial of Service, is a coordinated attack from many IP addresses at once (that is what makes it "distributed") designed to cripple a website by making its server unreachable. It works by exhausting the server's resources: its available connections, bandwidth, and throughput. Just as driving from point A to point B takes longer when the road is congested, a server flooded with more connections than it can handle bogs down and can no longer process legitimate requests. Even well-provisioned servers cannot absorb the number of connections a large DDoS brings.

How to Check for DDoS:

If you suspect your server is the target of a DDoS, the first thing to check is its load. The uptime or top commands give a quick picture of the server's current load.

But what constitutes an acceptable load?

That depends on your CPU resources, specifically how many threads (logical CPUs) the machine has. The load average counts runnable tasks (and, on Linux, tasks blocked in uninterruptible I/O), so the usual rule of thumb is one point of load per thread: a load average at or below the thread count means the CPUs are keeping up, while anything above it means work is queuing.

To begin, use the two commands below to get your server load and uptime.

grep processor /proc/cpuinfo | wc -l

uptime


The load average shows the load over three intervals: the last 1, 5, and 15 minutes. Compare each figure with the thread count printed by the first command. On a server with 8 threads, for example, a sustained load average above 8 is cause for concern; a brief spike in the 1-minute figure matters less than the 5- and 15-minute figures staying high.

How to Find Out Which IP Addresses Are Connecting to Your Server:

Because most DDoS attacks need to open connections to your server, you can observe how many IP addresses are connected at the same time and which ones they are. netstat displays a great deal of information; here we only care about the exact peer IPs, how many connections each one holds, and possibly the subnets they belong to. (On newer distributions netstat may not be installed; ss -ntu from iproute2 prints the same socket table and works with the pipelines below once $5 is changed to $6, because ss adds a leading Netid column when both -t and -u are given.)

To get started, type the following into your terminal:

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s|sort|uniq -c|sort -nk1 -r


If typed correctly, this command returns the IPs connected to your server sorted by connection count, busiest first. Note that cut -d: truncates each address at its first colon, so IPv6 peers show up only as fragments (their leading hextet) rather than as full addresses; treat those entries as artifacts of the pipeline.

Mitigating a DDoS Attack:

Blocking individual IPs can be done with a few simple keystrokes after you know which IPs are hitting your server.

To begin, run the command below, replacing ipaddress with the IP address you want to block. It adds a host route that rejects traffic to that address, so the kernel can no longer route replies to it and its connections never complete:

route add ipaddress reject

Once you have blocked the IP on the server, confirm the route is in place with:

route -n | grep ipaddress

(The route utility belongs to the deprecated net-tools package; on current distributions the ip route command from iproute2 does the same job.)

You may also block an IP address with iptables. Insert the rule at position 1 of the INPUT chain so it is evaluated before any accept rule (note that -A appends and takes no position argument; -I does):

iptables -I INPUT 1 -s IPADDRESS -j DROP

Use -j REJECT instead of -j DROP if you would rather answer with an ICMP error than silently discard the packets. The rule takes effect immediately; save it so that it survives a reboot:

service iptables save

Only restart the iptables service after saving: service iptables restart reloads the rules from the saved file, so restarting first would discard the rule you just added.

After blocking the source, the httpd worker processes still holding the attacker's established connections stay tied up until those connections time out, so restart httpd to free them:

service httpd restart

If httpd does not stop cleanly, kill its processes and start it again:

killall -KILL httpd

service httpd start

If a high number of connections is coming from more than one unknown IP address, repeat either of these steps for each offending IP.
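As an added example (not part of the original article), here is the single-IP block wrapped in a small POSIX shell script that avoids the pitfalls in the hand-typed commands above: it validates the address before handing it to iptables, uses iptables -C so that running it twice does not stack duplicate rules, and saves the ruleset after inserting rather than restarting first. The iptables and iptables-save binary names and the /etc/sysconfig/iptables rules path are assumptions (the RHEL/CentOS 6 layout that the service iptables commands imply); override them through the environment on other distributions.

```shell
#!/bin/sh
# Added example, not from the original article: block one source address with
# iptables, avoiding the pitfalls in the hand-typed commands (no "-A INPUT 1",
# no restart-before-save, no unvalidated address on the command line).

# Assumptions: binary names and the rules file of the RHEL/CentOS 6 iptables
# service; override through the environment on other distributions.
IPTABLES=${IPTABLES:-iptables}
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
RULES_FILE=${RULES_FILE:-/etc/sysconfig/iptables}

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255. Addresses are
# often copied straight out of netstat output, so anything else (IPv6, a
# hostname, or a string carrying extra shell words) is refused rather than
# passed on to iptables.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_ip ADDR [DROP|REJECT]: insert the rule at the top of INPUT so it is hit
# before any accept rule. iptables -C checks whether the identical rule is
# already present, so running this twice does not stack duplicates.
block_ip() {
    addr=$1
    target=${2:-DROP}
    if ! is_ipv4 "$addr"; then
        echo "block_ip: refusing '$addr': not an IPv4 address" >&2
        return 1
    fi
    case "$target" in
        DROP|REJECT) ;;
        *) echo "block_ip: target must be DROP or REJECT" >&2; return 1 ;;
    esac
    if "$IPTABLES" -C INPUT -s "$addr" -j "$target" 2>/dev/null; then
        echo "block_ip: $addr is already blocked ($target)"
        return 0
    fi
    "$IPTABLES" -I INPUT 1 -s "$addr" -j "$target"
}

# persist_rules: write the live ruleset to the file the iptables service loads
# at boot. The rule is already active in the kernel; saving only makes it
# survive a reboot or a "service iptables restart".
persist_rules() {
    "$IPTABLES_SAVE" > "$RULES_FILE"
}

# Usage: sh block_ip.sh 203.0.113.7 [DROP|REJECT]
if [ -n "${1:-}" ]; then
    block_ip "$1" "${2:-DROP}" && persist_rules
fi
```

Run it as root with the offending address as the first argument; the second argument selects DROP (default) or REJECT. The address check is deliberately strict: it rejects IPv6 addresses as well, because the rule above is an IPv4 rule and IPv6 peers need ip6tables.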

DDoS Using Multiple IPs:

A denial of service from a single IP making many connections is easy to diagnose and fix. Defending gets harder as attackers spread fewer connections across a larger number of attacking IPs: the server is still under DDoS, but each individual source shows only a handful of connections, so the per-IP list above looks unremarkable. Attacks of this kind have become widespread with the rise of the Internet of Things (IoT). Attackers compromise internet-connected "smart" devices, appliances, and gadgets and assemble them into botnets, networks of hijacked hosts that can be directed in a coordinated DDoS against a chosen target.

To find IPs from the same /16 (xxx.xxx.0.0) subnet, use:

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s |cut -f1,2 -d'.'|sed 's/$/.0.0/'|sort|uniq -c|sort -nk1 -r


This command groups peers that share the same first two octets, e.g. 192.168.xxx.xxx, and reports how many connections come from each /16.

To find IPs from the same /24 (xxx.xxx.xxx.0) subnet, use:

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s |cut -f1,2,3 -d'.'|sed 's/$/.0/'|sort|uniq -c|sort -nk1 -r


This command groups peers that share the same first three octets, e.g. 192.168.1.xxx, and reports how many connections come from each /24.
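The following script is an added example (not from the original article) that implements the per-IP count from the "How to Find Out Which IP Addresses Are Connecting to Your Server" section and the /16 and /24 roll-ups above in one place. It reads the output of either netstat -ntu or ss -ntu, picks the peer address by its shape rather than by column number (the column differs between the two tools), strips only the trailing port so IPv6 addresses are not truncated the way cut -d: truncates them, and flags any address holding more connections than a threshold. The sample socket table, with peers in the 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 documentation ranges, is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: count peer connections from
# netstat -ntu or ss -ntu output, per address and per IPv4 /16 or /24.

# Constructed sample in ss -ntu format (documentation-range addresses).
# Three connections from 203.0.113.7, one from 203.0.113.9, two IPv6 peers
# from 2001:db8:1::7, and an unconnected UDP socket that has no peer.
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
tcp   ESTAB  0      0      10.0.0.5:443         203.0.113.7:51234
tcp   ESTAB  0      0      10.0.0.5:443         203.0.113.7:51235
tcp   ESTAB  0      0      10.0.0.5:443         203.0.113.7:51236
tcp   ESTAB  0      0      10.0.0.5:443         203.0.113.9:40001
tcp   ESTAB  0      0      10.0.0.5:80          198.51.100.20:33000
tcp   ESTAB  0      0      10.0.0.5:80          198.51.100.77:33001
tcp   ESTAB  0      0      [2001:db8::5]:443    [2001:db8:1::7]:40001
tcp   ESTAB  0      0      [2001:db8::5]:443    [2001:db8:1::7]:40002
udp   UNCONN 0      0      0.0.0.0:68           0.0.0.0:*'

# peer_addrs: read netstat/ss lines on stdin, print one peer address per line.
# The local and peer columns are the first two fields that end in ":<port>";
# header lines and sockets with no peer (0.0.0.0:*) match fewer than two and
# are skipped. Only the trailing ":port" is removed, so an IPv6 address such
# as 2001:db8:1::7 survives intact (cut -d: would leave "2001" or "[2001").
peer_addrs() {
    awk '{
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:[0-9]+$/) {
                n++
                if (n == 2) {
                    a = $i
                    sub(/:[0-9]+$/, "", a)   # drop the port
                    gsub(/[][]/, "", a)      # drop ss brackets around IPv6
                    print a
                }
            }
        }
    }'
}

# count_by_ip: connection count per peer address, busiest first.
count_by_ip() {
    peer_addrs | sort | uniq -c | sort -rn
}

# ipv4_prefix KEEP: replace each dotted quad on stdin by its network prefix,
# keeping KEEP leading octets (2 for /16, 3 for /24). Anything that is not a
# plain IPv4 address is dropped, since octet arithmetic does not apply to IPv6.
ipv4_prefix() {
    awk -F. -v keep="$1" '$0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        out = $1
        for (i = 2; i <= keep; i++) out = out "." $i
        for (i = keep + 1; i <= 4; i++) out = out ".0"
        print out
    }'
}

# count_by_prefix 8|16|24: connection count per IPv4 network, busiest first.
count_by_prefix() {
    case "$1" in
        8)  keep=1 ;;
        16) keep=2 ;;
        24) keep=3 ;;
        *)  echo "usage: count_by_prefix 8|16|24" >&2; return 2 ;;
    esac
    peer_addrs | ipv4_prefix "$keep" | sort | uniq -c | sort -rn
}

# over_threshold N: print only the peer addresses holding N or more connections.
over_threshold() {
    count_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demonstration on the constructed sample; pass --live to read the real
# socket table with ss instead.
if [ "${1:-}" = "--live" ]; then
    ss -ntu | count_by_ip | head -n 20
else
    printf '%s\n' "$SAMPLE" | count_by_ip
    printf '%s\n' "$SAMPLE" | count_by_prefix 24
fi
```

On a live host, netstat -ntu | count_by_ip or ss -ntu | count_by_prefix 16 gives the same views as the one-liners above; over_threshold is the piece worth wiring into a cron job or alert, since a threshold in the low hundreds of connections from one address is far above what a normal browser opens.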