LinuxQuestions.org - Linux - Newbie forum
As you may know, DoS stands for "Denial of Service": using up a machine's resources in a way that it can no longer fulfill its purpose. Depending on how a machine is DoSsed you have a range of direct and indirect measures to try to cope with increased or malicious traffic, ranging from the SYN cookies sysctl (make the kernel deal with SYN flooding differently), rate limiting, tar-pitting and other packet filtering (let the firewall function as a revolving door of sorts), application-level firewalls (let mod_security determine if a request is valid), IDS (let an intrusion detection system like Snort or Prelude determine if traffic has a malicious payload) and (reverse) proxying (buffer traffic to filter and lighten load) to load balancing and multi-colocation (depending on the size of one's wallet). If none of the methods deployed can filter or slow down traffic in a way that the machine can deal with it, then you can only route traffic away and sit it out. For a SOHO server that would mean firewalling it or shutting it down; in other situations it might require the ISP to temporarily route traffic to the bit bucket.
In DDoS the first D stands for "distributed", meaning the adversary has access to a structure, a "network inside a network" comprising thousands to tens of thousands of machines (zombies), to perform the actual attack. In such situations the pressure will be on the ISP to work with routing peers to temporarily route traffic to the bit bucket, because at that volume the traffic threatens their infrastructure.
As such, DDoS attacks can't really be "prevented"; it comes down more to a form of "trying to cope with". What is often forgotten is that prevention may well start by not publishing content that works like a red rag on a bull for certain groups (I'm thinking certain pr0n, 88, belief-related content or revisionism, not the average petty "I hate you" site), and not bragging about or deliberately taunting people...
Hmm, isn't there, like, some software that disables these constant "attacks"?
If it were that simple, we'd probably never have heard of DDoS. As mentioned, DDoS attacks are generally best managed somewhere upstream (i.e. by working with your ISP).
How can I check for logs of constant bombardments of DDoS Attackers?
Let's try countering this with some questions: what would a "regular" request look like? In what ways would a DDoS request be different from a regular request?
Quote:
Originally Posted by prudens
I can just find their IP and ban it, right?
OK, so you desperately try to telnet (uh) into your server, switch from your unprivileged account to root, try to bring up 'netstat' to get a display of all the excessive traffic, and all the while more and more requests come in. When you finally remember how to code a one-liner to grep for and drop IP addresses, your server gives in and drops your connection... Now, what do you do?
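The per-IP counting one-liner this post alludes to, together with the packet-filtering step from the first post, written out as an added example that is not from the thread. It reads `ss -Hnt` (or `netstat -nt`) style output, counts open connections per peer address and prints an iptables/ip6tables DROP rule for every peer at or above a threshold. The sample connection table, the addresses and the threshold are constructed; the rules are printed for review rather than applied. As the post says, this only helps against a handful of abusive hosts on a link that is still reachable; against a real distributed attack the counts and the rules are moot.

```shell
#!/bin/sh
# Added example, not code from the thread. Counts connections per remote
# peer from ss/netstat output and emits DROP rules for the top talkers.

# Constructed sample of `ss -Hnt` output: State Recv-Q Send-Q Local Peer.
# 198.51.100.7 holds four connections (one still in SYN-RECV), the other
# two peers hold two each. All addresses are documentation ranges.
SAMPLE='ESTAB 0 0 203.0.113.10:80 198.51.100.7:51234
ESTAB 0 0 203.0.113.10:80 198.51.100.7:51235
SYN-RECV 0 0 203.0.113.10:80 198.51.100.7:51236
ESTAB 0 0 203.0.113.10:80 192.0.2.44:40001
ESTAB 0 0 203.0.113.10:80 198.51.100.7:51237
ESTAB 0 0 203.0.113.10:443 [2001:db8::1]:6000
ESTAB 0 0 203.0.113.10:443 [2001:db8::1]:6001
ESTAB 0 0 203.0.113.10:80 192.0.2.44:40002'

# peer_ips: read ss/netstat lines on stdin and print the peer address with
# the port stripped. Column 5 is the foreign/peer address in both tools;
# header lines are skipped because their column 5 does not end in ":port".
# Handles "a.b.c.d:port" and ss's bracketed "[v6addr]:port" form.
peer_ips() {
  awk '$5 ~ /:[0-9]+$/ {
         p = $5
         if (p ~ /^\[/) { sub(/^\[/, "", p); sub(/\]:[0-9]+$/, "", p) }
         else           { sub(/:[0-9]+$/, "", p) }
         print p
       }'
}

# top_talkers THRESHOLD: print "count ip" for every peer with at least
# THRESHOLD connections, busiest first.
top_talkers() {
  peer_ips | sort | uniq -c | awk -v t="$1" '$1 >= t { print $1, $2 }' | sort -rn
}

# blocklist THRESHOLD: one DROP rule per offender, IPv6 via ip6tables.
# Printed, not executed: review the list first and make sure your own
# management address is not on it before you pipe this into sh.
blocklist() {
  top_talkers "$1" | while read -r n ip; do
    case "$ip" in
      *:*) printf 'ip6tables -I INPUT -s %s -j DROP  # %s connections\n' "$ip" "$n" ;;
      *)   printf 'iptables -I INPUT -s %s -j DROP  # %s connections\n' "$ip" "$n" ;;
    esac
  done
}

# Live use would be:  ss -Hnt | top_talkers 50   or   ss -Hnt | blocklist 50
# Here the constructed sample is fed in with a threshold of 2.
printf '%s\n' "$SAMPLE" | blocklist 2
```

The threshold is the whole trick: pick it from what a legitimate client of your service normally opens (a browser can hold several connections), otherwise you block the users you are trying to serve. Note that `netstat` prints IPv6 peers without brackets, so for IPv6 the bracketed `ss` form is assumed.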
You can use fail2ban, but for a serious attack (as opposed to a few automated script-kiddie break-in attempts), contact your ISP.
It can't be dealt with at the endpoint.
Once DDoS attacks start you really have to wait it out. I help a message board that is on an offshore account... It gets DDoS attacks a lot because of that; there is nothing we can do but wait... Think of a person getting screamed at by 100 people. Now, if you were one of those people and you were trying to tell them to ignore everyone else, how well do you think that would work? You might get their attention for a second and then it's lost, just like your connection to your server during a DDoS attack. Think of running a GeF 3 for today's video games; what happens? It locks up...
If a person can acquire more physical resources than your server can handle, they can shut it down based on the principle that your server overloads. There are many ways to do DDoS attacks, and there are many ways to cause "less" damage. The reality is nothing can be done; even major websites today get shut down by DDoS attacks: