DDoS (distributed denial of service) is an attack in which a very large number of requests is sent to the server from many sources. Processing these requests consumes all available resources, which slows down or even stops the server. What makes it so unpleasant is that even once the attack's entry point (the website being targeted) has been identified, sometimes the only way to keep the server running is to block that website entirely.
A first indication of such an attack is the number of simultaneous connections to the web port. The following command counts the sockets whose local or remote port is 80 (note that the grep also matches other ports that start with 80, such as 8080; on newer distributions netstat may be absent, and the ss utility from iproute2 shows the same information):
netstat -na | grep :80 | wc -l
If the server also answers DNS for its own domains, you can see which domain name is being looked up most often by capturing DNS traffic on the external interface (tcpdump's domain keyword means port 53; -n disables name resolution, -p keeps the interface out of promiscuous mode, -i selects the interface). This shows DNS queries, not HTTP requests; for an HTTP flood the access logs described below are the direct evidence:
tcpdump -npi eth0 port domain
If you host only a few websites and their access logs are in one directory, a convenient way to find the target is to watch the log sizes. The following command re-lists the Apache log directory, sorted by size, every 2 seconds (watch's default interval). If the size of one of the files, usually the one at the top, is increasing rapidly, that website is most likely the one under attack.
watch 'ls -laS /var/www/httpd-logs/'
(the path to the directory with access logs differs between distributions and server control panels)
To see the latest requests in that file, use the command tail file_name (tail -n 100 followed by the path shows the last 100 lines). In the default combined log format, the first field of each line is the IP address of the client that sent the request.
Once the attacked website is identified, you can start blocking the IPs that send these requests. The easiest way is to add rules to the iptables firewall.
To block a specific IP on TCP port 80 only (HTTP), run the command below; if the site also serves HTTPS, add the same rule with --dport 443:
iptables -A INPUT -p tcp --dport 80 -s xxx.xxx.xxx.xxx -j DROP
(xxx.xxx.xxx.xxx is the IP to be blocked)
To block access from a certain IP completely, use the command:
iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
To list the rules you have added, together with their rule numbers, use:
iptables -L -n --line-numbers
To remove an accidentally blocked IP, delete the rule with the same arguments you used to add it (for the port-80 rule above, include -p tcp --dport 80 as well; alternatively use iptables -D INPUT followed by the rule number from the listing). Rules added this way are not saved across a reboot, which is convenient while fighting an attack. For the full block shown above, the command is:
iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP
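The log triage and the rule building described above can be combined into one small script. The following is an added example written for this article, not a command from the original text. It assumes the Apache combined log format (client IP in the first field), uses a constructed sample log with one flooding client, and only prints the iptables rules unless APPLY=1 is set in the environment, so it can be run on a workstation without root. Before applying a rule it uses iptables -C to check that an identical rule is not already present, so re-running it does not duplicate rules.

```shell
#!/bin/sh
# Added example (not from the original article): find the clients that send
# the most requests to an Apache site and emit the iptables rules to drop them.
# Assumptions: combined log format (client IP is the first field); rules are
# printed (dry run) unless APPLY=1; the addresses below are constructed samples.
set -eu

# Constructed sample access log: 203.0.113.5 floods, the other two are normal.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
192.0.2.9 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /style.css HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
EOF

# top_ips LOG [N]: print "count ip" for the N busiest client addresses (default 10).
top_ips() {
    awk '{print $1}' "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# offenders LOG THRESHOLD: client IPs with more than THRESHOLD requests, one per line.
offenders() {
    awk '{c[$1]++} END {for (ip in c) if (c[ip] > t) print ip}' t="$2" "$1" | sort
}

# valid_ipv4 IP: succeed only for a dotted quad whose four octets are 0..255,
# so that a garbled log line can never end up inside an iptables command.
valid_ipv4() {
    echo "$1" | awk -F. 'NF==4 && $1~/^[0-9]+$/ && $2~/^[0-9]+$/ && $3~/^[0-9]+$/ \
        && $4~/^[0-9]+$/ && $1<=255 && $2<=255 && $3<=255 && $4<=255 {ok=1}
        END {exit ok ? 0 : 1}'
}

# block_rule IP: the iptables command that drops this client's HTTP traffic.
block_rule() {
    valid_ipv4 "$1" || { echo "refusing to build a rule for invalid address: $1" >&2; return 1; }
    echo "iptables -A INPUT -p tcp --dport 80 -s $1 -j DROP"
}

# block_offenders LOG THRESHOLD: one rule per offender; executed only when APPLY=1.
block_offenders() {
    offenders "$1" "$2" | while read -r ip; do
        rule=$(block_rule "$ip")
        if [ "${APPLY:-0}" = "1" ]; then
            # -C succeeds if an identical rule already exists, so we add it only once.
            iptables -C INPUT -p tcp --dport 80 -s "$ip" -j DROP 2>/dev/null || $rule
        else
            echo "$rule"
        fi
    done
}

echo "Busiest clients:"
top_ips "$SAMPLE_LOG" 3
echo "Rules for clients with more than 3 requests (dry run; APPLY=1 executes them as root):"
block_offenders "$SAMPLE_LOG" 3
```

On a real server replace SAMPLE_LOG with the access log found in the previous step and choose the threshold from the top_ips output; legitimate clients behind a shared NAT can also produce many requests, so look at the request lines of a candidate before blocking it.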
In some cases the attack comes from many different IPs and subnets, and blocking individual addresses has little effect. To keep the server (and the other websites on it) running, the recommended last resort is to block access to the attacked website completely: put a “deny from all” directive (on Apache 2.4 the equivalent is “Require all denied”) in that website's .htaccess file, and additionally point the domain's A record at 127.0.0.1. Apache then answers every request to that site with a cheap 403 instead of running the application, and clients that resolve the name through DNS send their requests to their own loopback address, i.e. back to themselves. Note that the DNS change only takes effect once the old record's TTL has expired, and it does not help against bots that target the server's IP address directly.
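As an added example, not taken from the original article, this is what the per-site lockdown looks like in the website's .htaccess for both Apache generations, with an exception for a single administrator address so the site owner can still check it. The address 198.51.100.10 is a placeholder, and the example assumes AllowOverride permits these directives (Limit for the 2.2 form, AuthConfig for the 2.4 form).

```apache
# Added example: lock a single attacked site while the rest of the server keeps running.
# 198.51.100.10 is a placeholder for the administrator's own address.

<IfModule mod_authz_core.c>
    # Apache 2.4: only the listed address passes; every other client gets 403.
    # To shut the site for everyone, use "Require all denied" instead.
    Require ip 198.51.100.10
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2 (the same syntax also works on 2.4 when mod_access_compat is loaded).
    Order deny,allow
    Deny from all
    Allow from 198.51.100.10
</IfModule>
```

Remove the file (or the directives) once the attack subsides; the 403 responses are far cheaper than running the application, but Apache still accepts each connection, so the server's overall connection limits remain in play.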