Sunday, January 29, 2012

DDOS

DOS Attack

1. DoS (Denial of Service)
* Mostly a SYN flood: the attacker sends SYN packets and never completes the handshake (one-way handshake), leaving half-open connections on the server.
* The attack comes from a single IP, so it can easily be blocked in the software firewall.

2. DDoS (Distributed Denial of Service)

* Attack traffic comes from many hosts in different geographic locations, so there is no single IP to block.
* Can be a full-handshake attack: the TCP handshake (SYN, SYN-ACK, ACK) completes and full requests are sent, so each connection looks like a legitimate client.
* Can also be a half-open TCP connection (SYN) flood, as above, but from many sources at once.
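The difference between the two attack shapes shows up directly in the connection table: a SYN flood leaves many SYN_RECV entries per source, a full-handshake flood leaves many ESTABLISHED ones. The script below is an added example (not from the original post) that counts connections per remote address by state from netstat-style output; it assumes the Linux "netstat -nt" column layout and IPv4 addresses, and the sample output it runs on is constructed for the example with documentation addresses.

```sh
#!/bin/sh
# Added example, not from the original post: count TCP connections per
# remote address from netstat-style output, separating half-open
# connections (SYN_RECV, what a SYN flood leaves behind) from fully
# established ones (what a full-handshake request flood looks like).
# Assumes the Linux "netstat -nt" column layout and IPv4 addresses.

# Constructed sample in the layout of `netstat -nt` (addresses made up).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.0.5:80          203.0.113.10:40001      SYN_RECV
tcp        0      0 192.168.0.5:80          203.0.113.10:40002      SYN_RECV
tcp        0      0 192.168.0.5:80          203.0.113.10:40003      SYN_RECV
tcp        0      0 192.168.0.5:80          198.51.100.7:51000      ESTABLISHED
tcp        0      0 192.168.0.5:80          198.51.100.7:51001      ESTABLISHED
tcp        0      0 192.168.0.5:80          198.51.100.7:51002      ESTABLISHED
tcp        0      0 192.168.0.5:80          198.51.100.7:51003      ESTABLISHED
tcp        0      0 192.168.0.5:22          192.0.2.44:33000        ESTABLISHED
tcp        0      0 192.168.0.5:80          192.0.2.44:33001        TIME_WAIT'

# conn_by_state PORT STATE  -- reads netstat output on stdin and prints
# "<count> <remote-ip>" for connections to local PORT in STATE, busiest first.
conn_by_state() {
    awk -v port="$1" -v state="$2" '
        $1 ~ /^tcp/ && $6 == state {
            split($4, local, ":"); split($5, remote, ":")
            if (local[2] == port) print remote[1]
        }' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# flood_sources PORT STATE THRESHOLD  -- remote IPs holding at least
# THRESHOLD connections to PORT in STATE; these are the blocking candidates.
flood_sources() {
    conn_by_state "$1" "$2" | awk -v t="$3" '$1 + 0 >= t + 0 {print $2}'
}

# Demo on the sample: half-open vs. established connections to port 80.
printf '%s\n' "$SAMPLE_NETSTAT" | conn_by_state 80 SYN_RECV
printf '%s\n' "$SAMPLE_NETSTAT" | conn_by_state 80 ESTABLISHED
```

On a live box the same functions read the real table, e.g. `netstat -nt | conn_by_state 80 SYN_RECV` or `netstat -nt | flood_sources 80 ESTABLISHED 50`; a single source with dozens of SYN_RECV entries is a SYN flood, while many sources each holding a handful of ESTABLISHED connections is the distributed full-handshake case that needs per-source thresholds rather than a single block.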

A. Detect whether there is a DDoS.
B. Measure how strong it is.
C. Precautions
i. Application level (i.e. in the web server configuration): block the attacking IPs or geo-locations, for example with a script that generates deny rules for them, and return an error page (e.g. 404) instead of serving the request.
ii. System level (kernel firewall, e.g. iptables/CSF).
iii. Network level (null routing).
Useful commands for DDoS detection:
1. uptime (load average)
2. free -m (memory usage)
3. ps, for example ps aux | wc -l to count all processes, or ps aux | grep -c '[h]ttpd' to count a particular daemon (the [h] trick keeps grep from counting itself)

If the attack is from a particular country you can deny all connections from that country in your CSF firewall (the CC_DENY setting in csf.conf; CSF needs the GeoIP country database installed for this).

Useful commands:
1. tcpdump -i igb1 -nnn -c 10 dst port 80
This is for FreeBSD, where "igb1" is the network interface name; add "and host <IP>" to restrict the capture to one host.
2. time tcpdump -i igb1 -nnn -c 1000 dst port 80 and host 192.168.0.5 | tail
The time it takes to see 1000 packets for port 80 on that host gives an idea of the packet rate.
3. tail -1000 /var/log/nginx_access.log | awk '{print $1}' | sort | uniq -c | sort -n | tail
Top client IPs in the last 1000 access log lines.
4. netstat -nt | awk '{print $5}' | cut -d ":" -f 1 | grep "[1-9]" | sort | uniq -c | sort -n
Connections per remote IP.
5. awk '{print $5}' /proc/net/ip_conntrack | sort | uniq -c | sort -rn | head -25 | column -t
Tracked connections per source address. On newer kernels the file is /proc/net/nf_conntrack, which has two extra leading columns, so the src= field is $7 there.
6. netstat -nt | grep :80 | wc -l
Number of TCP connections involving port 80.
7. tcpdump -A -s 500 dst 192.168.1.14 | grep -i refer
Prints the Referer headers of requests to that host (tcpdump options must come before the filter expression).
8. tcpdump -i eth0 -nn -s 1700 -w ddos
tcpdump -nn -r ddos | awk '{print $3}' | awk -F. '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -rn | head -25
Capture to a file, then count packets per source IP. Without -v the source address is field 3 of every line, so the field number does not depend on the verbose layout.
9. /usr/local/apache/bin/apachectl fullstatus
Apache server-status page (needs mod_status enabled and lynx installed).
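Commands 3 and 4 above find the noisiest clients; the next step in the precautions list is turning that list into block rules at the application, kernel or network level. The script below is an added example (not from the original post) that does both on constructed combined-format access log lines using documentation addresses. It prints the rules rather than running them, assumes IPv4 clients, and assumes the first log field is the real client address (not a proxy's); the nginx "deny" directive, iptables and the Linux "ip route add blackhole" command are standard tools, not anything from the post.

```sh
#!/bin/sh
# Added example, not from the original post: find the busiest clients in a
# combined-format (nginx/apache) access log and print block rules for them
# at the three levels the post lists. Nothing is executed; the rules are
# printed so they can be reviewed first. Assumes IPv4 clients and that
# field 1 of the log is the real client address (not a proxy's).

# Constructed sample log lines (documentation IPs, made up for the example).
SAMPLE_LOG='203.0.113.10 - - [29/Jan/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.19"
203.0.113.10 - - [29/Jan/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.19"
203.0.113.10 - - [29/Jan/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.19"
203.0.113.10 - - [29/Jan/2012:10:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.19"
198.51.100.7 - - [29/Jan/2012:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
198.51.100.7 - - [29/Jan/2012:10:00:03 +0000] "GET /style.css HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/5.0"
192.0.2.44 - - [29/Jan/2012:10:00:03 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"'

# count_clients  -- requests per client IP from an access log on stdin,
# busiest first, one "<count> <ip>" per line (same pipeline as command 3).
count_clients() {
    awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# abusive_clients THRESHOLD  -- only the IPs with more than THRESHOLD requests.
abusive_clients() {
    count_clients | awk -v t="$1" '$1 + 0 > t + 0 {print $2}'
}

# block_rules LEVEL  -- reads one IP per line on stdin and prints the rule
# for it. Entries that are not a plain IPv4 address are skipped so that a
# garbled log line can never end up inside a command.
#   app    : nginx "deny" line for the server block (nginx answers 403)
#   kernel : iptables DROP rule
#   route  : Linux blackhole route (FreeBSD: route add -host IP 127.0.0.1 -blackhole)
block_rules() {
    level=$1
    while read -r ip; do
        case $ip in
            ''|*[!0-9.]*) printf 'skipping non-IPv4 entry: %s\n' "$ip" >&2; continue ;;
        esac
        case $level in
            app)    printf 'deny %s;\n' "$ip" ;;
            kernel) printf 'iptables -I INPUT -s %s -j DROP\n' "$ip" ;;
            route)  printf 'ip route add blackhole %s\n' "$ip" ;;
            *)      printf 'unknown level: %s\n' "$level" >&2; return 1 ;;
        esac
    done
}

# Demo on the constructed sample: clients with more than 3 requests,
# emitted as nginx deny lines.
printf '%s\n' "$SAMPLE_LOG" | abusive_clients 3 | block_rules app
```

In practice the input is the live log, e.g. `tail -1000 /var/log/nginx/access.log | abusive_clients 200 | block_rules kernel`; review the printed rules, then pipe them to sh. Pick the threshold from the normal per-client rate of the site, and prefer the kernel or route level once the list is long, since a deny list the web server has to evaluate still costs a completed handshake per request.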


