How to defend against DDoS attacks in Linux system

2025-01-20 Update From: SLTechnology News&Howtos


This article introduces how to defend against DDoS attacks on a Linux system and has some reference value. Interested readers can refer to it; I hope you gain a lot from reading it. Let's take a look.

A Distributed Denial of Service (DDoS) attack combines many computers into one attack platform and uses malicious programs, controlled over remote connections, to attack one or more targets. It exhausts the target server's processing capacity or network bandwidth, so the server can no longer provide its services normally.

A SYN attack abuses the three-way handshake of TCP/IP: the attacker sends a large number of connection-request packets but never actually completes the connections, so the attacked server's connection queue fills up and normal users cannot get through. The Linux kernel provides several SYN-related settings. Increasing the SYN queue length lets the server hold more connections waiting to be established, and turning on the SYN cookie function can prevent some SYN attacks; the number of retries can also be reduced to a certain extent. More generally, DDoS interferes with or even blocks normal network communication by overloading the network: it overloads the server by submitting a large number of requests, or blocks a user's access to the server so that a specific system or person cannot communicate with a service. It can be prevented by configuring a firewall or by using scripting tools.

First, take precautions through sysctl and iptables

Modify sysctl parameters

$ sudo sysctl -a | grep ipv4 | grep syn

The output looks like this:

net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5

net.ipv4.tcp_syncookies: whether the SYN cookie function is turned on; "1" is on and "2" is off. net.ipv4.tcp_max_syn_backlog: the length of the SYN queue; increasing the queue length lets the server hold more connections waiting to be established. net.ipv4.tcp_synack_retries and net.ipv4.tcp_syn_retries: the number of SYN retries.

Add the following to /etc/sysctl.conf, and then execute "sysctl -p":

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2

To improve TCP connection handling, also add:

net.ipv4.tcp_rmem = 32768
net.ipv4.tcp_wmem = 32768
net.ipv4.sack = 0

Then use iptables. First list the established connections on port 80:

# netstat -an | grep ":80" | grep ESTABLISHED

This shows which IPs look suspicious. For example, if the IP 221.238.196.83 holds many connections and looks suspicious, and you do not want it to connect to 221.238.196.81 again, you can use the command:

iptables -A INPUT -s 221.238.196.83 -p tcp -j DROP

This discards all packets from 221.238.196.83. It does not work against a SYN flood that spoofs the source IP address; for that case, other references recommend the following rule to prevent SYN packet flooding (Sync Flood):

# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Some people write it as:

# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

--limit 1/s limits SYN packets to one per second. You can adjust it to your own needs, for example to prevent various port scans:

# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
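The rate-limit rules above only ACCEPT packets while they are under the limit; with the default ACCEPT policy on the chain, nothing above the limit is ever dropped. The following script is an added example and not code from the article: it pairs each limited ACCEPT with a DROP rule for the same match, and applies the same pattern to ICMP echo requests as well. The rates are the article's values; the chain name, burst size and the IPT override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original article: each "-m limit ... -j ACCEPT"
# rule is followed by a DROP for the same traffic, so packets above the rate are
# actually discarded. Note that the limit match is global, not per source, so a
# 1/s limit throttles legitimate clients too; tune the rates for your traffic.
IPT="${IPT:-iptables}"        # point IPT at a dry-run function to print rules only
CHAIN="${CHAIN:-INPUT}"       # INPUT for a host firewall; the article also uses FORWARD
SYN_RATE="${SYN_RATE:-1/s}"   # assumed tuning knobs (not from the article)
SYN_BURST="${SYN_BURST:-4}"
ICMP_RATE="${ICMP_RATE:-1/s}"

# Emit one iptables argument list per line; the binary name is prepended later.
# Order matters: the limited ACCEPT must come before the DROP for the same match.
limit_rules() {
    cat <<EOF
-A $CHAIN -p tcp --syn -m limit --limit $SYN_RATE --limit-burst $SYN_BURST -j ACCEPT
-A $CHAIN -p tcp --syn -j DROP
-A $CHAIN -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit $SYN_RATE -j ACCEPT
-A $CHAIN -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
-A $CHAIN -p icmp --icmp-type echo-request -m limit --limit $ICMP_RATE -j ACCEPT
-A $CHAIN -p icmp --icmp-type echo-request -j DROP
EOF
}

# Apply every rule through $IPT, stopping at the first failure.
apply_rules() {
    limit_rules | while IFS= read -r rule; do
        # word splitting of $rule into separate arguments is intended here
        "$IPT" $rule || exit 1
    done
}

# Only touch the live firewall when explicitly asked: sh ratelimit.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it with a dry-run function first (for example `IPT=my_echo_function sh ratelimit.sh apply`) to review the generated rules before applying them as root. For per-source limiting, which is what a flood defence usually needs, the iptables hashlimit match is the tool; this example deliberately stays with the article's limit match.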

Against a Ping Flood attack (Ping of Death):

# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

Second, automatically block attacks with DDoS deflate

DDoS deflate is a free script for defending against and mitigating DDoS attacks. It uses netstat to monitor and track the IP addresses that create a large number of network connections; when it detects that an address exceeds the preset limit, it bans or blocks that IP through APF or iptables. DDoS deflate official website: http://deflate.medialayer.com/. How do you confirm whether you are under a DDoS attack? Execute:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Here is the result of a test on a VPS:

li88-99:~# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
      1 114.226.132
      1 174.129.129.237.157
      1 58.60.118.142
      1 Address
      1 servers)
      2 118.26.131.78
      3 123.125.202
      3 220.248.43.119
      4 117.36.231.233
      4 119.162.46.124
      6 219.140.232.128
      8 220.181.61.31
   2311 67.215.242.196   # (this looks like an attack)

A few, a dozen or even dozens of connections per IP is quite normal, but hundreds or thousands of connections from a single IP, as in the last line above, is definitely not normal.
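The netstat pipeline above has two rough edges that show in the sample output: the "Address" and "servers)" entries are netstat's header lines being counted, and `cut -d: -f1` truncates IPv6 peers at their first colon. The function below is an added example, not the article's or DDoS deflate's code; it performs the same per-peer count with awk, skips the headers, strips only the trailing port, and reports peers above a threshold (the same idea as DDoS deflate's NO_OF_CONNECTIONS). The netstat lines it is run on are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original article: count connections per remote
# address from "netstat -ntu" style input and list the peers over a threshold.

# Print "count address" for every peer with more than $1 connections.
peers_over_threshold() {
    limit="$1"
    awk -v limit="$limit" '
        /^(Active|Proto)/ { next }         # skip the two netstat header lines
        {
            addr = $5                      # Foreign Address column: addr:port
            sub(/:[0-9*]+$/, "", addr)     # drop only the trailing :port, IPv6-safe
            count[addr]++
        }
        END {
            for (a in count)
                if (count[a] > limit) printf "%d %s\n", count[a], a
        }' | sort -n
}

# Constructed sample of "netstat -ntu" output (documentation addresses, not a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::2:55001     ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::2:55002     ESTABLISHED
EOF
}

# Stand-alone run: report peers with more than one connection in the sample.
# On a live host replace sample_netstat with: netstat -ntu | peers_over_threshold 150
sample_netstat | peers_over_threshold 1
```

Feed real output with `netstat -ntu | peers_over_threshold 150`; the output has the same "count address" shape as the article's pipeline, so the threshold can be picked the same way.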

1. Install DDoS deflate

wget http://www.inetbase.com/scripts/ddos/install.sh   # download DDoS deflate
chmod 0700 install.sh                                     # add execute permission
./install.sh                                              # run the installer

2. Configure DDoS deflate

The following is the default configuration of DDoS deflate at /usr/local/ddos/ddos.conf, with an explanation after each setting:

# Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"   # IP address whitelist
CRON="/etc/cron.d/ddos.cron"                      # cron job that runs the script periodically
APF="/etc/apf/apf"
IPT="/sbin/iptables"

# frequency in minutes for running the script
# Caution: Every time this setting is changed, run the script with --cron
# option so that the new frequency takes effect
FREQ=1                 # check interval; default is 1 minute

# How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150  # maximum number of connections; an IP exceeding this is blocked

# APF_BAN=1 (Make sure your APF version is atleast 0.96)
# APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1              # APF is used by default; iptables is recommended, so change APF_BAN to 0

# KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
# KILL=1 (Recommended setting)
KILL=1                 # whether to block the IP; default is 1

# An email is sent to the following address when an IP is banned.
# Blank would suppress sending of mails
EMAIL_TO="root"        # mail is sent to this address when an IP is blocked; change it to your own mailbox

# Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600         # ban duration; default is 600 seconds, adjust as needed

3. Options

/usr/local/ddos/ddos.sh -h      # view the options
/usr/local/ddos/ddos.sh -k n    # ban IPs with more than n connections; n defaults to NO_OF_CONNECTIONS
/usr/local/ddos/ddos.sh -c      # create the cron job according to the configuration file

4. Uninstall

wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos

Some attacks can be mitigated by using the above methods.

If the server runs nginx, you can follow the steps below:

1. Open the nginx access log

log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" $http_x_forwarded_for';   # set the log format
# access_log /dev/null;
access_log /usr/local/nginx/logs/access.log access;

2. Observe the nginx log

more /usr/local/nginx/logs/access.log

See which IPs repeat heavily. (1) Filter on user-agent characteristics, such as MSIE 5.01, by configuring nginx:

location / {
    if ($http_user_agent ~* "MSIE 5.01") {
        # proxy_pass http://www.google.com;
        return 500;
        access_log /home/logs/1.log main;
    }
}

(2) Add the IP to iptables:

iptables -A INPUT -s 202.195.62.113 -j DROP

To view your own user agent, enter the following in the browser's address bar:

javascript:alert(navigator.userAgent)

Pressing Enter pops up the user agent of the browser currently in use. PS: user agents of IE and Firefox:

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" (IE 6.0)
"Mozilla/4.0 (compatible; MSIE 8.0;; Trident/4.0; .NET CLR 2.0.50727; CIBA)" (IE 8.0)
"Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12" (Firefox)

Note: all of them contain Windows NT 5.1.

"Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)" (this should be the user agent used by attackers)
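Reading the access log with more, as the article suggests, does not scale once the log is large. The functions below are an added example, not the article's code: they summarise a log written in the article's "access" log_format by client IP and by user agent, and list the IPs whose requests carried a user agent matching a pattern (such as the odd "Windows 5.1" agent noted above). Splitting on the double quote keeps the quoted request, referer and user-agent fields intact even though they contain spaces. The log lines are constructed sample input using documentation IP ranges and the article's user-agent strings.

```shell
#!/bin/sh
# Added example, not from the original article: summarise an nginx access log in
# the article's "access" log_format by IP and by user agent. With -F'"' the fields
# are: 1 = "ip - user [time] ", 2 = request, 4 = referer, 6 = user agent.

# Constructed sample log lines (not captured from a real server).
sample_log() {
    cat <<'EOF'
203.0.113.9 - - [20/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)" -
203.0.113.9 - - [20/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)" -
203.0.113.9 - - [20/Jan/2025:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)" -
198.51.100.7 - - [20/Jan/2025:10:00:05 +0000] "GET /about HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12" -
192.0.2.4 - - [20/Jan/2025:10:00:09 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" -
EOF
}

# "count ip", busiest client first
ip_counts() {
    awk '{ n[$1]++ } END { for (i in n) printf "%d %s\n", n[i], i }' | sort -rn
}

# "count user-agent", most common agent first
ua_counts() {
    awk -F'"' '{ n[$6]++ } END { for (u in n) printf "%d %s\n", n[u], u }' | sort -rn
}

# IPs whose requests carried a user agent matching the awk regex in $1
ips_with_ua() {
    awk -F'"' -v pat="$1" '$6 ~ pat { split($1, a, " "); print a[1] }' | sort -u
}

# Stand-alone run over the sample; on a live server pipe the real log instead,
# e.g. ips_with_ua 'Windows 5[.]1' < /usr/local/nginx/logs/access.log
sample_log | ua_counts
sample_log | ips_with_ua 'Windows 5[.]1'
```

The IPs that ips_with_ua prints are the candidates for the iptables DROP rule shown above; write the pattern with a bracket expression such as `5[.]1` rather than `5\.1`, because awk -v processes backslash escapes in the value.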

Thank you for reading this article carefully. I hope the article "How to defend against DDoS attacks in Linux system" shared by the editor is helpful to everyone, and I hope you will support us and follow the industry information channel. More related knowledge is waiting for you to learn!
