LinuxQuestions.org, "Linux - Newbie" forum
As you may know, DoS stands for "Denial of Service": using up a machine's resources in a way that it can no longer fulfill its purpose. Depending on how a machine is DoSsed you have a range of direct and indirect measures to try to cope with increased or malicious traffic, ranging from the SYN cookies sysctl (make the kernel deal with SYN flooding differently), rate limiting, tar-pitting and other packet filtering (let the firewall function as a revolving door of sorts), application level firewall (let mod_security determine if a request is valid), IDS (let an intrusion detection system like Snort or Prelude determine if traffic has a malicious payload) and (reverse) proxying (buffer traffic to filter and lighten load) to load balancing and multi-colocation (depending on the size of one's wallet). If none of the methods deployed can filter or slow down traffic in a way that the machine can deal with it, then you can only route traffic away and sit it out. For a SOHO server that would mean firewalling it or shutting it down; in other situations it might require the ISP to temporarily route traffic to the bit bucket.
In DDoS the first D stands for "distributed", meaning the adversary has access to a structure, a "network inside a network" comprising thousands to tens of thousands of machines (zombies), to perform the actual attack. In such situations the pressure will be on the ISP to work with routing peers to temporarily route traffic to the bit bucket, because at that volume traffic threatens their infrastructure.
As such, DDoS attacks can't really be "prevented"; it comes down more to a form of "trying to cope with". What is often forgotten to mention is that prevention may well start by not publishing content that works like a red rag to a bull for certain groups (I'm thinking certain pr0n, 88, belief-related content or revisionism, not the average petty "I hate you" site), not bragging about or deliberately taunting people...
How can I check the logs for constant bombardment by DDoS attackers?
Let's try countering this with some questions: what would a "regular" request look like? In what ways would a DDoS request be different from a regular request?
Originally Posted by prudens
I can just find their IP and ban right?
OK, so you desperately try to telnet (uh) into your server, switch from your unprivileged account to root, try to bring up 'netstat' to get a display of all excessive traffic, and all the while more and more requests come in. When you finally remember how to code a one-liner to grep for and drop IP addresses, your server gives in and drops your connection... Now. What do you do?..
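The per-IP counting and banning that the reply above imagines, together with the SYN-cookie and rate-limiting measures listed in the first reply, as an added shell example; this is not code from the thread or from any poster. The access-log lines are constructed for the demo, the threshold argument and the APPLY variable are assumed names, and the iptables/sysctl commands are only printed unless APPLY=1 is set (they need root and a kernel with conntrack and hashlimit support). As both posters note, per-address banning only helps while the flood comes from a handful of sources; against a genuinely distributed attack the list is too long and the box may already be unreachable.

```shell
#!/bin/sh
# Added example, not code from the thread. Counts requests per client IP in
# web server access logs (common/combined format, the client IP is field 1),
# prints the offenders above a threshold, and turns them into firewall rules.
# The log lines, the threshold value and the APPLY variable are constructed
# for this demo. Commands are printed, not executed, unless APPLY=1.

# Constructed sample log: 203.0.113.7 hammers one URL, the others are normal.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "-"
198.51.100.20 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 4810 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "-"
192.0.2.44 - - [10/Oct/2023:13:55:38 +0000] "GET /style.css HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 612 "-" "-"
198.51.100.20 - - [10/Oct/2023:13:55:39 +0000] "GET /logo.png HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 200 612 "-" "-"'

# Execute a command when APPLY=1 (assumed variable), otherwise print it for review.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Read access-log lines on stdin; print "count ip" for every client that
# made more than $1 requests, busiest first.
top_offenders() {
    awk -v t="$1" '{ hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > t) print hits[ip], ip }' \
        | sort -rn
}

# Read "count ip" lines on stdin (the output of top_offenders) and emit one
# DROP rule per address. Inserting at the top of INPUT discards the packets
# before they ever reach the web server.
emit_ban_rules() {
    while read -r _count ip; do
        run iptables -I INPUT -s "$ip" -j DROP
    done
}

# Kernel and firewall measures from the first reply: SYN cookies so a SYN
# flood does not exhaust the listen backlog, and a per-source rate limit on
# new connections to port 80 (the numbers are illustrative, tune per site).
harden_baseline() {
    run sysctl -w net.ipv4.tcp_syncookies=1
    run iptables -I INPUT -p tcp --dport 80 -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name web --hashlimit-mode srcip \
        --hashlimit-above 20/minute --hashlimit-burst 40 -j DROP
}

# Demo on the constructed log: anything over 3 requests gets a rule.
# On a real box, something like:
#   tail -n 10000 /var/log/apache2/access.log | top_offenders 200 | emit_ban_rules
printf '%s\n' "$SAMPLE_LOG" | top_offenders 3 | emit_ban_rules
harden_baseline
```

Two caveats before running this with APPLY=1: if the server sits behind a reverse proxy or load balancer, field 1 of the log is the proxy's address, so the rule would cut off all traffic rather than the attacker; and a DROP rule inserted from an SSH session over the same interface can lock you out if the threshold is low enough to catch your own address, so review the printed list first.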
Once DDoS attacks start you really have to wait it out. I help a message board that is on an offshore account... It gets DDoS attacks a lot because of that; there is nothing we can do but wait... Think of a person getting screamed at by 100 people. Now if you were one of those people and you were trying to tell them to ignore everyone else, how well do you think that would work? You might get their attention for a second and then it's lost, just like your connection to your server during a DDoS attack. Think of running a GeF 3 for today's video games; what happens? It locks up...
If a person can acquire more physical resources than your server can handle, they can shut it down, based on the principle that your server overloads. There are many ways to do DDoS attacks, and there are many ways to cause "less" damage. The reality is nothing can be done; even major websites today get shut down by DDoS attacks: