How to check for and stop DDoS attacks on Linux
Jack Wallen walks you through some of the steps you can take to check for and mitigate distributed denial of service attacks on a Linux server.
Recently I wrote a piece on how to detect and stop a DoS attack on Linux. DoS stands for denial of service, which is a very common attack on servers that can render them unusable until the issue is mitigated.
There’s another, similar, type of attack, called the distributed denial of service (DDoS) that is more challenging to discover and stop. This type of attack uses the same idea behind the denial of service attack, only it distributes the attack over a number of servers. Instead of seeing your server get pummeled by a single address, that pummeling comes from a distributed collection of servers. Where you might have one source hitting your server thousands of times, you could have a thousand servers hitting your server just a few times.
I’m going to show you how you can check for and stop DDoS attacks on your Linux servers. I’ll warn you, DDoS mitigation is not nearly as easy as is with DoS. In fact, with DDoS, you’ll have to not only use the netstat command, you’ll also have to know your network very well and be able to make some assumptions about the nature of the discovered connections.
In other words, DDoS mitigation isn’t cut and dry.
SEE: Identity theft protection policy (TechRepublic Premium)
What you’ll need
- A Linux server
- A user with sudo privileges
How to check for subnets
The first thing you want to check for is connections from common subnets (/16 or /24 being the most commonly used). Log in to your Linux server and issue the following command to see what connections are coming in from the same subnet (/16):
netstat -ntu|awk '{print $5}'|cut -d: -f1 -s |cut -f1,2 -d'.'|sed 's/$/.0.0/'|sort|uniq -c|sort -nk1 -r
If the netstat command isn’t found, you’ll need to install it with the command:
sudo apt-get install net-tools -y
You should see a listing of all connections from addresses that contain the same two first octets, such as 192.168.x.x (Figure A).
Figure A
As you can see, I have 13 connections to this server coming from the 192.168.x.x subnet.
To find connections from the /24 subnet, the command would be:
netstat -ntu|awk '{print $5}'|cut -d: -f1 -s |cut -f1,2,3 -d'.'|sed 's/$/.0/'|sort|uniq -c|sort -nk1 -r
The above command would display all connections from the same subnet as the first three octets (such as 192.168.1.x). If you find a large number of connections coming from any one of those subnets, you’ve narrowed your search down a bit.
Another netstat command will list all IP addresses which have connected to the server. This command is:
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c
You should see a listing of all connected IP addresses and the number of times they’ve connected.
Next, we use netstat to calculate and count the number of connections each IP address makes to your server. That command is:
sudo netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
The above command will actually list out the IP addresses from all subnets that are sending out connection requests for your server.
At this point, you should have a good idea of where the connections are coming from and what IP addresses are associated with those connections. You might have a large number of connections coming from one particular subnet. If that subnet shouldn’t be hitting the server with that level of traffic, chances are pretty good that’s where your DDoS attack is coming from.
How to stop the attacks
This isn’t nearly as easy as checking for and stopping a DoS attack. However, the good news is that once you’ve determined where the DDoS attack is coming from, you stop it in the same way you stopped the DoS attack. Simply run the command:
sudo route add ADDRESS reject
Where ADDRESS is the address in question. With the DDoS attack, you’ll have to run the above command for every suspect address you’ve found using the netstat commands. This could take considerable time, depending on how many machines are attacking your server.
If you’ve found the attacks are all coming from one subnet (one that shouldn’t have access to the server), you can block that entire subnet using iptables, like so:
sudo iptables -A INPUT -s ADDRESS/SUBNET -j DROP
Make sure to substitute ADDRESS/SUBNET with what you’ve discovered is attacking your server.
Another issue to consider is, if those attacks are coming from subnets within your LAN, why those machines are bombarding your server with attacks. If that’s the case, you probably have a much bigger problem on your hands. One of the single best things you can do for those servers is install fail2ban (check out How to install fail2ban on Ubuntu Server 18.04). That tool will help automate the prevention of both unwanted logins and attacks.
Remember, resolving DDoS attacks isn’t quite as simple as it’s DoS cousin. You’ll need to spend some time with the commands to narrow down where the attacks are coming from, but this will be time well spent.
Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.