Drop DDOS attack

1. Find which IP address on the server is targeted by the DDoS attack

netstat -plan | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c

2. Find which IPs the attack is coming from

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c

3. Then find the TTL values of the attacking IP addresses

tcpdump -nn -vvv host xxxx | grep yyyy (xxxx = attacking IP, yyyy = IP being attacked)

Usually tcpdump -nn -vvv host xxxx alone is enough, as the attack is coming from numerous IPs.

4. Now block all the IPs matching the TTL value obtained from the command above

iptables -A INPUT -p tcp -d yyyy -m ttl --ttl-eq zzz -j DROP (yyyy is the IP being attacked, zzz is the TTL value)
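
As an added example (not part of the original post), steps 3 and 4 can be scripted: the functions below tally the TTLs of packets sent to the attacked IP from verbose tcpdump text and print the matching rule only when one TTL dominates. The function names, the sample capture, the addresses and the 70% threshold are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample in the shape of `tcpdump -nn -v` output (documentation addresses).
sample_capture() {
cat <<'EOF'
12:00:01.000001 IP (tos 0x0, ttl 52, id 101, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.7.40001 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP (tos 0x0, ttl 52, id 102, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.9.40002 > 203.0.113.10.80: Flags [S], seq 2, win 64240, length 0
12:00:01.000003 IP (tos 0x0, ttl 64, id 103, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.10.80 > 198.51.100.7.40001: Flags [S.], seq 3, ack 2, win 65160, length 0
12:00:01.000004 IP (tos 0x0, ttl 117, id 104, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.44.51000 > 203.0.113.10.80: Flags [S], seq 4, win 64240, length 0
12:00:01.000005 IP (tos 0x0, ttl 52, id 105, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.81.40003 > 203.0.113.10.80: Flags [S], seq 5, win 64240, length 0
EOF
}

# ttl_histogram <attacked-ip>: reads tcpdump text on stdin, prints "count ttl", busiest first.
ttl_histogram() {
    awk -v dst="$1" '
        /ttl [0-9]+,/ {              # header line: remember the TTL of this packet
            for (i = 1; i < NF; i++) if ($i == "ttl") { ttl = $(i + 1); sub(/,/, "", ttl) }
            next
        }
        ttl != "" && $2 == ">" {     # address line: "src.port > dst.port:"
            d = $3; sub(/\.[0-9]+:$/, "", d)
            if (d == dst) count[ttl]++   # ignore replies sent by the server itself
            ttl = ""
        }
        END { for (t in count) print count[t], t }
    ' | sort -k1,1nr -k2,2n
}

# suggest_rule <attacked-ip> <min-percent>: print (never run) the step 4 rule,
# but only when the most common TTL reaches the given share of inbound packets.
suggest_rule() {
    ttl_histogram "$1" | awk -v dst="$1" -v min="$2" '
        { total += $1; if (NR == 1) { top = $2; hits = $1 } }
        END {
            if (total == 0) { print "no packets seen for " dst; exit 1 }
            share = int(hits * 100 / total)
            if (share < min) { print "TTL " top " covers only " share "% of packets"; exit 1 }
            print "iptables -A INPUT -p tcp -d " dst " -m ttl --ttl-eq " top " -j DROP"
        }'
}

sample_capture | suggest_rule 203.0.113.10 70
```

A TTL match also drops any legitimate client whose packets arrive with the same TTL, so review the histogram before applying the printed rule.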


Install mod_security and mod_dosevasive.


Harden the sysctl parameters (kernel params) to mitigate the current attack.

Increasing the backlog queue size and decreasing the backlog queuing time might help a bit.


Also install an open source script to prevent DDoS attacks to a certain extent.

MediaLayer was in need of a script to automatically mitigate (D)DoS attacks. The necessity started when MediaLayer was the target of a rather large, consistent attack originating from multiple IP addresses. Each IP would have a large number of connections to the server, as shown by:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

It became a general practice for us to be blocking IPs with a large number of connections, but we wanted to get this automated. Zaf created a script to mitigate this kind of attack. We kept improving it to meet our own needs and eventually posted it on Defender Hosting’s Forum. (D)DoS-Deflate is now recognized as one of the best ways to block a (D)DoS attack at the software level.

License Agreement

You can view a copy of the license agreement here.


wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh


wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos

Reference : http://deflate.medialayer.com/


