How to stop DDoS ?

Hello

Hello we at an enterprise maintain a couple of linux servers??

My question

What are the best practices to avoid DDoS ??

Thanks

Install Anti-Dos and talk with your data centre about Flood Gate prevention when an attack is occuring.

Hello GigaNet

Thanks for looking into my post.I'll definately do that.

Thanks once again.

Nice packages on your website

Btw we are into software outsourcing biz.

Whilst ACTUALLY facing a DOS attack, you should locate the domain being attacked and remove the DNS zone for it and restart BIND. That will ease the load to start with. If multiple domains being attacked,

You can run this command:

netstat -n -p|grep SYN_REC | wc -l

It will give you how many SYN_RECV connections you have on the server. If it's above 20 or so, run this command to get the IPs involved:

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

And then you can run:

netstat -n -p | grep SYN_REC | awk '{print $5}' | sort -u | awk -F: '{print "ipdrop "$1 " on"}'

This will take all the IPs involved and ban them.

I would also recommend installing APF (firewall). It's free and it works very well with cPanel servers.

if its a large DDoS you will not stop it with iptables. A null route on the ip will stop that which leaves you hanging in the dust.

It has been explained in details in forum at our site, I think this link would help you; http://www.etechsupport.net/forum/showthread.php?t=434

[Profit|Jacob]

Get yourself a faster datacenter

like ours! :P

5x 10gbit (LEVEL3)
5x 10gbit (COGENT)
1x 10gbit (KPN EURORINGS)
7x 2gbit (Multiple Companies)
10x 1gbit (Multiple Companies)

We get ddos attacks all the time, mostly they do not reach speeds above 2gbit/s.

The best thing a datacenter can do is block the ip ranges, and bypass your server.

Install and configure firewall. - I suggest APF
Install and configure antidos and Brute Force attack tool (APF with antidos and BFD)
Block the unnesesory ports.
stop the unwanted services
Install and regular run rootkit (chkrootkit and rkhunter)

I would sugeest you to check this URL which will useful:

http://forums.linuxwebadmin.info/ind...opic,20.0.html

Not all datacenter will handle your ddos that is 400mbit big or so.

You may need hardware firewall with your own cross over if you are goign to be ddos quite alot.

You have the option to setup your own hardware firewall such as pix, netscreen, or a fbsd machine that filters packets.

I recommend going to rackspace or gigeserver for ddos solutions.

There's a module in apache to help DDOS attacks a bit the module is named as mod_dosevasive. The link to download the latest stable release is www.nuclearelephant.com/projects/dosevasive/

INSTALLATION

1. wget the file and untar it

2. cd mod_dosevasive

3. Run ./configure --add-module=src/modules/dosevasive/mod_dosevasive.c

4. make

5. make install


With DSO Support, Ensim, or CPanel:

1. $APACHE_ROOT/bin/apxs -iac mod_dosevasive.c

2. Restart Apache

APACHE v2.0
-----------

1. Extract this archive

2. Run $APACHE_ROOT/bin/apxs -i -a -c mod_dosevasive20.c

3. The module will be built and installed into $APACHE_ROOT/modules, and loaded into your httpd.conf

4. Restart Apache


If you need to have a look at some more details and configs please have a look at the link http://www.yourwebsupport.com/sforum...php?topic=48.0

Please comment.