{"id":8723,"date":"2020-06-01T19:06:58","date_gmt":"2020-06-01T16:06:58","guid":{"rendered":"https:\/\/unihost.com\/help\/?p=8723"},"modified":"2023-10-09T16:40:18","modified_gmt":"2023-10-09T13:40:18","slug":"web-server-protection-against-ddos-attacks","status":"publish","type":"post","link":"https:\/\/unihost.com\/help\/web-server-protection-against-ddos-attacks\/","title":{"rendered":"Web server protection against DDoS attacks"},"content":{"rendered":"

DDoS attack<\/a> on your web server can have the most unpleasant consequences for your infrastructure. Each attack should be considered as a separate case, and in the case of DDoS on your server, we recommend involving a qualified system administrator to solve this problem. In this article we will try to consider the most basic methods of preventing common attacks on web servers Apache\/Nginx.<\/span><\/p>\n

Apache<\/span><\/strong><\/h2>\n

For this web server, the Ddos attack begins with the revelation of a large number of apache processes, your server may become unavailable due to exceeding the maximum number of processes, or due to shortage of RAM.<\/span><\/p>\n

Let’s look at the sequence of actions and recommendations in case you encounter an attack.<\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a01.Diagnostics<\/span><\/p>\n

If possible, you need to connect to the server via <\/span>ssh<\/b>. Using the <\/span>ps<\/b> and <\/span>top<\/b> commands, you can detect an increase in the number of httpd processes. In this case, you can stop apache or kill all httpd processes.<\/span><\/span><\/p>\n

These commands will help determine the direction and status of all connections that are established on port 80 or on all ports:<\/span><\/p>\n

netstat -na | grep ':80 '<\/span><\/i><\/span>\n\nnetstat -na<\/span><\/i><\/span><\/pre>\n
Using the following commands, you can view the number of httpd processes and the number of connections on port 80. If a connection is detected that exceeds the average, you can\u00a0 review that it is a DoS \/ DDoS attack.<\/span><\/p>\n
ps aux | grep -\u0441 httpd<\/span><\/i><\/span>\n\nnetstat -na | grep -\u0441 \":80 \"<\/span><\/i><\/span><\/pre>\n
The Centos 7 operating system does not have the netstat command in the\u00a0 image, but you can install netstat with the command:<\/span><\/p>\n
yum instal net-tools<\/span><\/i><\/span><\/pre>\n
You can also use an alternative method, the <\/span>ss<\/b> command, which during output displays all connections to the web server:<\/span><\/span><\/p>\n
ss -o '( dport = :http or sport = :http )'<\/span><\/i><\/span><\/pre>\n
With the following command, you can display the number of connections from one IP address to the web server and sort the list in ascending order:<\/span><\/p>\n
ss -o '( dport = :http or sport = :http )' | awk '{print $6}' | cut -d : -f 1 | grep -v 'Address' | sort | uniq -c | sort -n\u00a0<\/span><\/i><\/span><\/pre>\n
With a high probability, http flood can be determined by side signs. With the following command, you can cause every 2 seconds to display a list of apache logs, and if there is a big increase with the size of the access file, you can determine that the attack goes to a particular site:<\/span><\/p>\n
watch 'ls -laS \/var\/www\/httpd-logs\/'<\/span><\/i><\/span><\/pre>\n
The following commands can help detect DoS \/ DDoS using <\/span>tcpdump<\/b>.<\/span><\/span><\/p>\n
tcpdump<\/b> will write the first 200 packets that are waiting for connections on port 80 to the check.log file:<\/span><\/span><\/p>\n
tcpdump -n port 80 -c 200 -w check.log<\/span><\/i><\/span><\/pre>\n
With this command you can parse the log file and sort it by ip and number of connections:<\/span><\/p>\n
tcpdump -nr check.log | awk '{print $3}' |grep -oE '[0-9]{1,}\\.[0-9]{1,}\\.[0-9]{1,}\\.[0-9]{1,}' |sort |uniq -c |sort -rn<\/span><\/i><\/span><\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a02.Actions to stop the attack<\/span><\/p>\n
First of all, you need to determine which site the attack is on.<\/span><\/p>\n
Apache has a mod_status module, mod_status allows real-time monitoring of server load.<\/span><\/p>\n