- Limiting the ammount of concurrent connections from the same IP address to your Server.
- Identifying the offending IP.
- And kill the Ongoing TCP Connections with TCPKILL.
- Or use Cutter to kill the connections on any port/Network interface.
- Drop it With Iptables.
- Make the DROP Persistant after a reboot. (iptables save and restore)
- Basic Iptables-save trouble shoot.
- Stop Start Iptables
How to limit the amount of concurrent connections from the same IP address.
This will prevent the simpler DDOS attacks.
$ iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
$ iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
$ iptables-save >/etc/iptables.up.rules
How to identify the IP that is attacking you
Issue the following command
$ netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
It will show a list of the current active connections by IP address and the offending IP is usually the one with a high number of connections:
1 127.0.0.1
1 Address
1 servers)
132 201.119.167.193
In the example above the first number is the number of connections followed by the Originating IP address, the results of the netstat command used are sorted by number of connections so your offender is usually at the end, (note that there maybe several offending IPs most of the times from anonymous proxies)
In this case the offending IP is the one with 132 connections.
How to reset iptables to default settings
Step 1 : Set accept all policy to all connections
Using below set of command you will set accept rule for all type of connections.
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
Step 2 : Delete all existing rules.
Using below set of commands, delete your currently configured rules from iptables.
# iptables -F INPUT
# iptables -F OUTPUT
# iptables -F FORWARD
Or you can do it in single command –
# iptables -F