DDoS
DDoS Protection Service
Apache Website not loading – DDoS
To check whether your server is under a DDoS attack, use the netstat command to count connections per IP address:
netstat -anp | grep 'tcp' | awk '{print $5}' | cut -d: -f1 | sort| uniq -c | sort -n
Or
netstat -lantp|egrep ":80 "|awk '{print $5}'|cut -d: -f1|sort|uniq -c|sort -nr|head
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -alpn | grep :80 | awk '{print $4}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -n
Instead of netstat, you can also use the ss command:
ss -tan state established | grep ":80\|:443" | awk '{print $4}' | cut -d':' -f1 | sort -n | uniq -c | sort -n
Once you find the offending IP address, you can block it in the firewall.
To verify that an IP address is blocked:
iptables -L -n | grep 'IP_ADDR_HERE'
Block Attack with CSF firewall
vi /etc/csf/csf.conf
Set CT_LIMIT to 30; set it back to 100 after the attack stops.
CT_LIMIT = "30"
Set SYNFLOOD to 1; set it back to 0 after the DDoS attack stops.
SYNFLOOD = "1"
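The one-liners above cut each address at the first colon, which mangles IPv6 and IPv4-mapped (::ffff:) peers. The script below is an added example, not part of the original page: it counts peers from `ss -tan state established` output while splitting at the last colon, and lists only the IPs at or above a limit (30 here, mirroring the CT_LIMIT value above). The function names and the sample connection lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-peer connection counts that also handle IPv6 peers.

# Constructed sample in the column layout of `ss -tan state established`
# (Recv-Q Send-Q Local Peer). Addresses are documentation ranges.
sample_ss_output() {
    i=0
    while [ "$i" -lt 35 ]; do
        echo "0 0 192.0.2.10:80 203.0.113.7:$((40000 + i))"
        i=$((i + 1))
    done
    echo "0 0 192.0.2.10:443 198.51.100.4:51514"
    echo "0 0 [::ffff:192.0.2.10]:80 [::ffff:198.51.100.4]:51515"
    echo "0 0 [2001:db8::10]:443 [2001:db8::beef]:51516"
    echo "0 0 192.0.2.10:22 198.51.100.9:51517"
}

# over_limit LIMIT: read ss lines on stdin and print "count ip" for every
# peer with at least LIMIT connections to local port 80 or 443.
over_limit() {
    awk -v limit="$1" '
        function host(s) {
            sub(/:[0-9*]+$/, "", s)   # drop the port after the LAST colon
            gsub(/\[|\]/, "", s)      # drop IPv6 brackets
            sub(/^::ffff:/, "", s)    # fold IPv4-mapped peers into IPv4
            return s
        }
        function port(s) { sub(/^.*:/, "", s); return s }
        NF >= 4 && $1 ~ /^[0-9]+$/ {  # skips the header line
            p = port($3)
            if (p == "80" || p == "443") n[host($4)]++
        }
        END { for (ip in n) if (n[ip] >= limit) print n[ip], ip }
    ' | sort -rn
}

# Run against the constructed sample. On a live server the input would be:
#   ss -tan state established | over_limit 30
sample_ss_output | over_limit 30
```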