What is a DDoS attack?
DDoS, short for Distributed Denial of Service, is a type of DoS attack in which multiple compromised systems, usually infected with a Trojan (70% of the time), are used to target a single system, causing a Denial of Service (DoS). Victims of a DDoS attack include both the targeted system and all systems maliciously used and controlled by the attacker in the distributed attack.
In a DDoS attack, the incoming traffic flooding the victim originates from many different sources, potentially hundreds of thousands or more. This makes it impossible to stop the attack simply by blocking a single IP address.
Fully protecting against a DDoS attack is very difficult, but the following steps make a server more resilient to one.
=====================================
CSF (the WHM default firewall) can be fine-tuned as follows:
ConfigServer Security & Firewall from WHM >> Firewall Configuration
Connection Tracking: This option enables tracking of all connections from IP addresses to the server. If the total number of connections from an address is greater than this value, the offending IP address is blocked. This can be used to help prevent some types of DoS attack.
Care should be taken with this option. It is entirely possible that you will see false positives. Some protocols can be connection hungry, e.g. FTP, IMAPD and HTTP, so it could be quite easy to trigger, especially with a lot of closed connections in TIME_WAIT. However, for a server that is prone to DoS attacks this may be very useful. A reasonable setting for this option might be around 300.
=====================================
If your server seems a bit on the slow side, check the number of connections per remote IP with the following command.
# netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
As a preliminary step, block the IPs that don't look valid and are clearly offending, using the csf commands.
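An added example (not code from the original post) that automates the check above: it reads netstat -anp output, counts connections per remote address, lists the addresses over a limit, and prints the matching csf -d deny commands rather than running them, so the list can be reviewed first. The netstat lines embedded in it are constructed sample data; the limit and the "skip TIME_WAIT" option are this example's own parameters, chosen to mirror the CT_LIMIT and CT_SKIP_TIME_WAIT settings in csf.conf.

```shell
#!/bin/sh
# Added example (not the original post's code): count connections per remote IP
# from netstat output and list the ones over a limit, the same idea as CSF's
# connection tracking. SAMPLE_NETSTAT is constructed data for offline use;
# on a live server feed the function from: netstat -anp | count_per_ip

SAMPLE_NETSTAT='tcp        0      0 203.0.113.10:80   198.51.100.7:51234   ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:80   198.51.100.7:51235   TIME_WAIT   -
tcp        0      0 203.0.113.10:80   198.51.100.7:51236   ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:80   192.0.2.55:40001     ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:443  192.0.2.55:40002     ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:443  192.0.2.55:40003     ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:443  192.0.2.55:40004     ESTABLISHED 1234/httpd
tcp        0      0 0.0.0.0:22        0.0.0.0:*            LISTEN      900/sshd
udp        0      0 0.0.0.0:53        0.0.0.0:*                        800/named
tcp        0      0 203.0.113.10:80   198.51.100.9:2000    ESTABLISHED 1234/httpd'

# count_per_ip [SKIP_TIME_WAIT]: reads netstat -anp lines on stdin and prints
# "count ip" in ascending order. Listening sockets (peer 0.0.0.0:* or :::*) are
# ignored; pass 1 to also ignore TIME_WAIT sockets, which are already-closed
# connections that would otherwise inflate the count (cf. CT_SKIP_TIME_WAIT).
# Note: cut -d: -f1 only isolates the address correctly for IPv4 peers.
count_per_ip() {
    grep -E '^(tcp|udp)' \
    | awk -v skip="${1:-0}" \
        '$5 != "0.0.0.0:*" && $5 != ":::*" && !(skip && $6 == "TIME_WAIT") {print $5}' \
    | cut -d: -f1 | sort | uniq -c | sort -n \
    | awk '{print $1, $2}'
}

# over_threshold LIMIT [SKIP_TIME_WAIT]: IPs with more than LIMIT connections
# (CSF blocks when the count is greater than CT_LIMIT, not equal to it).
over_threshold() {
    count_per_ip "${2:-0}" | awk -v lim="$1" '$1 > lim {print $2}'
}

# block_commands LIMIT [SKIP_TIME_WAIT]: print, rather than execute, the CSF
# deny command for each offender so the list can be sanity-checked first
# (csf -d IP [comment] adds the address to csf.deny).
block_commands() {
    over_threshold "$1" "${2:-0}" | while read -r ip; do
        printf 'csf -d %s "connection flood"\n' "$ip"
    done
}

# Demo on the constructed sample with a limit of 2, skipping TIME_WAIT sockets:
printf '%s\n' "$SAMPLE_NETSTAT" | block_commands 2 1
```

With the TIME_WAIT sockets counted, both 198.51.100.7 (3 sockets) and 192.0.2.55 (4) exceed a limit of 2; with them skipped only 192.0.2.55 does, which is exactly the false-positive effect the connection tracking note above warns about. A real limit should be far higher than 2; the post's suggestion of around 300 is the starting point.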
Another option is the mod_evasive module in the httpd configuration.
mod_evasive is an evasive maneuvers module for Apache that takes evasive action in the event of an HTTP DoS or DDoS attack or a brute-force attack. It is also designed to be a detection tool and can easily be configured to talk to ipchains and firewalls.
mod_evasive has many options for controlling how the IPs connecting to our server are handled.
The steps to install mod_evasive are given below:
# cd /usr/local/src/
# wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
# tar -xvzf mod_evasive_1.10.1.tar.gz
# cd mod_evasive/
# /usr/local/apache/bin/apxs -cia mod_evasive20.c
Now create a file named /usr/local/apache/conf/mod_evasive.conf and add your custom settings, for example:
# cat /usr/local/apache/conf/mod_evasive.conf
LoadModule evasive20_module modules/mod_evasive20.so
<IfModule mod_evasive20.c>
# DOSHashTableSize: the number of top-level nodes for each child's hash table.
# Increasing it gives faster lookups (fewer iterations to reach a record) but
# consumes more memory for table space; increase it on a busy web server. The
# value you specify is automatically tiered up to the next prime number in the
# module's primes list.
DOSHashTableSize 3097
# DOSPageCount: the threshold for the number of requests for the same page (or
# URI) per page interval. Once the threshold for that interval has been
# exceeded, the client's IP address is added to the blocking list.
DOSPageCount 2
# DOSSiteCount: the threshold for the total number of requests for any object
# by the same client on the same listener per site interval. Once exceeded,
# the client's IP address is added to the blocking list.
DOSSiteCount 50
# DOSPageInterval: the interval for the page count threshold; defaults to 1 second.
DOSPageInterval 1
# DOSSiteInterval: the interval for the site count threshold; defaults to 1 second.
DOSSiteInterval 1
# DOSBlockingPeriod: the time (in seconds) a client is blocked for once it is
# added to the blocking list. During this time every further request from the
# client gets a 403 (Forbidden) and the timer is reset (e.g. another 10
# seconds). Because the timer is reset on every request, a long blocking
# period is unnecessary: during a DoS attack it keeps getting reset anyway.
DOSBlockingPeriod 10
</IfModule>
Now include the above file inside /usr/local/apache/conf/includes/pre_main_global.conf
Include "/usr/local/apache/conf/mod_evasive.conf"
Now rebuild httpd.conf
# /scripts/rebuildhttpdconf
Now restart Apache
# /scripts/restartsrv httpd
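An added example, not code from the post or from mod_evasive itself: a simplified model of how the directives in the mod_evasive.conf above interact, written as a shell/awk script and run over constructed request records ("epoch_seconds ip uri", one per line, in time order). It implements the documented semantics (a per-page count per DOSPageInterval, a per-client count per DOSSiteInterval, and a DOSBlockingPeriod whose timer restarts on every further request from a blocked client), not the module's actual data structures, and uses the same values as the config above so the effect of DOSPageCount 2 and DOSSiteCount 50 can be seen on sample traffic.

```shell
#!/bin/sh
# Added example: simplified model of the mod_evasive thresholds configured
# above, run over constructed request records. Not the module's own code.

PAGE_COUNT=2      # DOSPageCount
SITE_COUNT=50     # DOSSiteCount
PAGE_INTERVAL=1   # DOSPageInterval (seconds)
SITE_INTERVAL=1   # DOSSiteInterval (seconds)
BLOCK_PERIOD=10   # DOSBlockingPeriod (seconds)

# Constructed traffic: one client requests the same page three times within a
# second, then keeps poking the server while blocked; a second client behaves
# normally; a third fetches 51 distinct objects in one second (site flood).
sample_requests() {
    cat <<'EOF'
100 192.0.2.55 /index.php
100 192.0.2.55 /index.php
100 192.0.2.55 /index.php
105 192.0.2.55 /about.html
114 192.0.2.55 /about.html
130 192.0.2.55 /about.html
100 198.51.100.7 /index.php
100 198.51.100.7 /style.css
101 198.51.100.7 /index.php
EOF
    awk 'BEGIN { for (i = 1; i <= 51; i++) printf "200 203.0.113.9 /img/%d.png\n", i }'
}

# simulate: reads request records on stdin, prints "t ip uri ALLOW|BLOCK".
simulate() {
    awk -v pc="$PAGE_COUNT" -v sc="$SITE_COUNT" \
        -v pi="$PAGE_INTERVAL" -v si="$SITE_INTERVAL" -v bp="$BLOCK_PERIOD" '
    {
        t = $1; ip = $2; uri = $3; verdict = "ALLOW"
        if (ip in hold && t - hold[ip] < bp) {
            # Still inside the blocking period: 403 and restart the timer.
            hold[ip] = t; verdict = "BLOCK"
        } else {
            key = ip "_" uri
            if (t - ptime[key] >= pi) pcount[key] = 0   # page interval expired
            pcount[key]++; ptime[key] = t
            if (t - stime[ip] >= si) scount[ip] = 0     # site interval expired
            scount[ip]++; stime[ip] = t
            if (pcount[key] > pc || scount[ip] > sc) {
                hold[ip] = t; verdict = "BLOCK"          # added to blocking list
            }
        }
        print t, ip, uri, verdict
    }'
}

# blocked_total: number of sample requests the model would answer with 403.
blocked_total() {
    sample_requests | simulate | grep -c BLOCK
}

sample_requests | simulate
```

The output shows the third hit on /index.php within one second being blocked, the two follow-up requests at t=105 and t=114 blocked as well because each one restarts the 10-second timer, the request at t=130 allowed again once the period has lapsed, and the 51st object fetched by the third client in one second tripping DOSSiteCount. With DOSPageCount set as low as 2, legitimate pages that load several resources or users who double-click a link can be caught; tune the counts against real access logs before relying on them.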