introduction
DDoS (D istributed Denial-o f-S ervice) attacks are among the most common server security threats with a steady year-over-yearincrease in attack frequency and strength. While server owners rarely anticipate DDoS-related threats, attacks can be mitigated by monitoring resources and acting promptly.
This article will show you how to check your Linux server for DDoS attacks and offer quick response tips.
What is a DDoS attack?
A DDoS is an attack in which a malicious actor exhausts all available server resources by overwhelming the network with requests. Unlike the standard DoS attack (Denial orf S ervice), DDoS:
- employs multiple distributed devices, usually owned by unwitting people whose computer was hacked
- It targets multiple devices and network protocols, not just network endpoints
.
.
Below are the three main types of DDoS attacks.
- DDoS application layer (layer 7 attack). It focuses on the software that powers the server, such as Apache and Nginx web servers. This type of DDoS is the most common.
- DDoS protocol. It targets operating systems and firewalls on essential network devices.
- Volumetric DDoS. It generates an overwhelming amount of traffic to consume the available bandwidth and server performance.
How to check if there is a DDoS attack on a Linux server?
Malicious actors use standard network paths to perform DDoS attacks. Therefore, detecting attacks by monitoring network traffic for unusual connections is usually simple. The following sections list the easiest ways to check if your server is experiencing a DDoS attack.
Check the average server load
Check
the average server load
with the uptime: uptime command
The three values shown in the load average represent the
average load over one minute, five minutes, and fifteen minutes, respectively
. A
useful reference number for acceptable server load is the number of threads available on a server. A load equal to or greater than the number of threads may suggest suspiciously high activity.
Enter the following command to check the number of threads available on the server:
grep processor /proc/cpuinfo | wc -l
In this example, the server has 2 threads available. An average load greater than 2 points to an unusually high server load.
Check
network load If your
server is slow but remains accessible over a direct connection (for example, via IPMI), use one of the following tools to inspect your network load
.
BMON BMON
is a bandwidth monitor and speed estimator designed to be easy to use and provide simple data visualization in a text-based environment
.
To start bmon, Type:
BMON Navigate to the
interface you want to inspect with the up or down arrow keys on the keyboard
.
BMON presents real-time information in multiple categories. Navigate through the categories by pressing the left or right arrow key.
nload
The nload utility helps monitor network traffic and bandwidth usage in real time. Start nload by typing: nload
Press the left or right arrow key to navigate to the interface you want to monitor. The utility displays the details of incoming and outgoing network traffic for the chosen interface.
vnStat Like
nload, vnStat is a traffic monitoring utility. The benefit of vnStat is that it keeps hourly, daily, and monthly network traffic logs for the given interface.
Access vnStat by typing: vnstat
The utility
lists all available interfaces by default
. iftop The iftop
utility displays a list of network connections and related network information in an easy-to-use format. By default, the list is organized based on bandwidth usage.
Start iftop
with the following command: iftop
ifstat The ifstat
command generates network interface statistics. By default, displays incoming and outgoing network traffic data for each active interface. Access ifstat by typing: ifstat
Check which
IP addresses are connected to the server
Listing the IP addresses of devices currently connected to your server can help you identify potential threats. The netstat command is a utility that provides an overview of network activity, including information about connections.
The following command uses netstat with the -n, –t, and -u options to create output that contains numeric addresses of TCP and UDP connections. The output is then formatted using the awk, cut, and sort commands.
netstat -ntu|awk ‘{print $5}’|cut -d: -f1 -s|sort|uniq -c|sort -nk1 -r
The final result shows the number of active connections for each connected IP address
.
On busy servers, the list can be very long and difficult to read. You can filter the output to show all connections from the same subnet on one line. The following example combines the IP addresses into the same subnet mask 255.255.0.0.
netstat -ntu|awk ‘{print $5}’|cut -d: -f1 -s |cut -f1,2 -d’.’|sed ‘s/$/.0.0/’|sort|uniq -c|sort -nk1 -r
The output now shows only one line. The number 3 before 10.240.0.0 suggests that three connections come from that IP address.
How to mitigate a DDoS attack on a Linux server?
Once you confirm that a DDoS attack is occurring on the server, a few quick actions can mitigate the damage.
Use the route command to block the attacker’s IP address.
sudo route add [ip-address] reject
Alternatively, use the iptables firewall:
1. Block access to an IP address by typing:
iptables -A INPUT 1 -s [ip address] -j DROP/REJECT
2. Restart the service with:
iptables service restart
3. Save the new rule:
iptables save
4 service. Restart the Web services. For example, if you are running an Apache web server, type:
sudo systemctl restart apache2
The system is now configured to reject traffic from the suspicious IP address
.
Conclusion
This article introduced you to DDoS attacks and provided methods to identify them. In addition, he showed some quick response tips to help you combat the ongoing DDoS attack.
Properly securing a server minimizes the chances of a harmful DDoS attack. Read 21 Security Tips to Protect Your Server to learn more about server security.
