What Is a DDOS Attack in Linux and How to Prevent It

Distributed Denial of Service (DDOS) is an attempt to attack a host (victim) from multiple compromised machines on various networks. As a result, the targeted service running on the victim gets flooded with connections from the compromised networks and cannot handle them. This is accomplished by installing a virus or Trojan on vulnerable machines in a network, which are then used to attack the victim system with connection floods.

A DDOS attack involves three parties: attacker, helper and victim. The attacker is the system that owns the DDOS attack but participates silently, making the helpers the active participants. The attacker finds vulnerable machines in a network and installs the virus/Trojan on them. Using these compromised machines/networks, it attacks the victim. Because of this coordinated behavior, a DDOS attack is also known as a coordinated attack.

How to detect a DDOS attack?

In most cases, web servers (Apache) are the ones that undergo a DDOS attack. During a DDOS attack, you may encounter heavy server load, and sites will run very slowly or become unresponsive. You will see a large number of connections from various IP addresses on the same or different networks. You can check the number of connections per remote IP address using the following command:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

If you see a very high number of connections per IP address, you can suspect a DDOS attack. But in most DDOS attacks, attackers use fewer connections from a larger number of attacking IPs. In such cases, checking the total number of active connections will help you detect the attack. Active Apache connections on a Linux machine can be counted with:

netstat -n | grep :80 | wc -l

If the number is much higher than normal (say, more than 500), you can suspect a DDOS attack.
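The two checks above can be combined into one script. This is an added example, not part of the original article: it goes slightly further than the one-liners by skipping netstat's header lines, matching local port 80 exactly, and keeping IPv6 addresses intact. The function names, the per-IP limit of 100 and the sample input are assumptions made for illustration.

```bash
#!/bin/sh
# Added example, not from the original article.
PER_IP_LIMIT=${PER_IP_LIMIT:-100}   # assumed per-IP threshold; tune to your baseline
TOTAL_LIMIT=${TOTAL_LIMIT:-500}     # the "more than 500" figure from the text

# Constructed `netstat -ntu` output (documentation-range addresses only).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51002       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40000      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:40022      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:51003 ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.7:5353       ESTABLISHED
EOF
}

# stdin: netstat -ntu output. stdout: "count ip" per remote address, busiest first.
conn_per_ip() {
    awk '$1 ~ /^tcp/ && $4 ~ /:80$/ {   # TCP only, local port exactly 80 (not 8080)
             ip = $5
             sub(/:[0-9]+$/, "", ip)     # drop the remote port, keep IPv6 colons
             sub(/^::ffff:/, "", ip)     # fold IPv4-mapped IPv6 into plain IPv4
             n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# stdin: netstat -ntu output. stdout: total TCP connections to local port 80.
total_conn() {
    awk '$1 ~ /^tcp/ && $4 ~ /:80$/ { c++ } END { print c + 0 }'
}

# stdin: netstat -ntu output. stdout: remote IPs above PER_IP_LIMIT.
suspects() {
    conn_per_ip | awk -v limit="$PER_IP_LIMIT" '$1 > limit { print $2 }'
}

# stdin: netstat -ntu output. stdout: one-line verdict against TOTAL_LIMIT.
verdict() {
    t=$(total_conn)
    if [ "$t" -gt "$TOTAL_LIMIT" ]; then echo "suspect: $t"; else echo "normal: $t"; fi
}

sample_netstat | conn_per_ip     # on a live host: netstat -ntu | conn_per_ip
```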

Mitigating a DDOS attack

1) Using Firewall

If you find IP addresses with lots of connections, you can block these IP addresses or IP ranges in the firewall. It is recommended to install the APF or CSF firewall on your Linux machine for easy access control. You can block an IP address in APF or CSF as follows:

apf -d ipaddress
csf -d ipaddress

You need to keep monitoring and blocking IP address ranges until the DDOS attack subsides. Please keep in mind that it is not easy to stop a DDOS attack, but you can bring it under control with the help of the firewall and the modules below.

2) Using mod_security Apache Module

ModSecurity is an open-source intrusion detection and prevention engine for web applications. It is also called a web application firewall. It operates embedded in the web server, acting as a powerful umbrella that shields applications from attacks.

You can get the latest stable release of mod_security from http://www.modsecurity.org/download/.

3) Using mod_evasive Apache module

The Apache module mod_evasive mitigates a DDOS attack by blocking an offending IP address once a defined set of thresholds is met. You need to configure Apache with mod_evasive directives so that if a connection requests more than the allowed number of objects within the set time limit, it is automatically blocked for the specified time interval.

Preventing a DDOS attack

A DDOS attack usually takes place with the help of vulnerable systems. So, it is always recommended to keep all server software and applications up to date. Also, make sure that the system is protected with a firewall such as APF or CSF. All systems should be monitored for rootkits with the help of rkhunter, chkrootkit, etc. You can also implement sysctl protection by adding the following to /etc/sysctl.conf.

# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1


In this tutorial, we learned how to detect a DDOS attack and how to prevent it in Linux. I hope you enjoyed reading this, and please leave your suggestions in the comment section below.
