Mitigating a SYN Flood / (D)DoS Attack on Your Linux Dedicated Web Server

Posted on December 29th, 2009



Hello techies!  It’s your favorite SevenL geek again with another blog.

In this brief blog, I explain how to determine whether your dedicated server with SevenL is under a SYN flood/DoS attack and a few ways of stopping it. Of course, this blog post also applies to people who, for whatever reason, aren’t currently using one of our dedicated hosting servers.

Most of our dedicated web hosting and VPS web hosting customers use the Apache web server for serving web pages. Over the years, Apache has consistently proven itself to be the most popular free and open source web server in the world. However, one of its small pitfalls is its ability to respond to SYN flood attacks, or should I say its “inability”. For example, a SYN flood attack of less than 10Mbps can easily take your web server and physical dedicated server down, making it difficult to stop the denial of service attack.

SYN floods can target either an IP address or a domain, so if your dedicated hosting server hosts multiple websites you’ll want to know whether the attack is directed at a particular domain or at a specific IP address.

Domain Under SYN Flood / DoS Attack

To help you do that, there are several open source Linux tools, but for now you can start with Apache’s mod_status module (http://httpd.apache.org/docs/2.0/mod/mod_status.html). If the DoS attack is directed at a particular domain on your web server, this module will help you determine which domain is under attack by showing the requests currently being read for each domain, which you can confirm against that domain’s logs.

IP Address Under SYN Flood / DoS Attack

The vast majority of the time, it will be your server’s IP address that is the recipient of the attack, as opposed to a specific domain name. The attacker may still be targeting one website in particular, but they’ll usually attack its IP address directly instead of its website address.

Determining The Origin of Attack So You Can Block it

Of course, we can’t very well begin filtering unwanted traffic before we know either where it’s coming from or where it’s going to, can we? To help you narrow things down, Linux and Unix systems come with a tool named ‘netstat’. Netstat is one of the most useful tools for Linux networking, in my opinion, as it can be used for so many different things. For now, we’ll stick to how it can help track down where the attack on your dedicated server is coming from.

Log into your server via SSH, either as root or as a user that has enough permissions to run the netstat command. This command will give you some details about the origin of your attacker by listing source IPs, with the ones holding the most connections at the bottom.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

If you find that there is a large number of different IP addresses in the list, it’s possible that you are experiencing a DDoS attack on your dedicated web server. In this case, since the attack is originating from multiple IP addresses, it’s not always easy, or a good idea, to block all of the IP addresses involved. You can identify the target IP address on your dedicated server using the following command.

netstat -ant | grep SYN_RECV | grep ':80 '

This basically just looks at all TCP connections (the -t flag on Linux netstat) in the SYN_RECV state that are going to port 80, which is the web server port. The local address column tells you which of your IPs is being targeted, and the foreign address column tells you where the half-open connections come from.
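To put the two netstat commands above together, here is an added example (not from the original post) that reads a netstat listing and reports, for half-open connections to port 80, the count per source IP and per targeted local IP; the listing embedded in it is constructed sample data, and on a live server you would pipe netstat -ant into the same functions.

```shell
#!/bin/sh
# Added example (not from the original post): summarise half-open SYN_RECV
# connections to port 80 from a "netstat -ant" listing, to show where the
# SYN flood comes from and which of the server's IPs it targets.
# SAMPLE_NETSTAT is constructed sample data, not a real capture.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40003      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       SYN_RECV
tcp        0      0 192.0.2.11:80           203.0.113.9:51001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:51002       SYN_RECV'

# Read netstat output on stdin; print "count source_ip" for SYN_RECV entries
# whose local port is 80, least active source first (like the post's pipeline).
syn_sources() {
    awk '$6 == "SYN_RECV" && $4 ~ /:80$/ { split($5, f, ":"); print f[1] }' |
        sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# Same, keyed on the local address: which of the server's IPs is being hit.
syn_targets() {
    awk '$6 == "SYN_RECV" && $4 ~ /:80$/ { split($4, l, ":"); print l[1] }' |
        sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# Number of distinct sources behind the half-open connections: a handful
# can be blocked individually, a very large number points to a DDoS.
syn_source_count() {
    syn_sources | wc -l | tr -d ' '
}

echo "SYN_RECV sources on :80 (count ip):"
printf '%s\n' "$SAMPLE_NETSTAT" | syn_sources
echo "Targeted local IPs (count ip):"
printf '%s\n' "$SAMPLE_NETSTAT" | syn_targets
echo "Distinct sources: $(printf '%s\n' "$SAMPLE_NETSTAT" | syn_source_count)"
```

The SYN_RECV entry on port 22 in the sample is deliberately left out of the counts, so you can see that the filter is on the web server port only.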

Some Solutions to Resolve the Attack

  • If the attack is not consuming a large amount of bandwidth, you have the option of using DoS-Deflate.

From your command prompt:

wget http://www.inetbase.com/scripts/ddos/install.sh
sh install.sh

  • SevenL offers hardware firewall protection services, which will also help to mitigate future attacks. If you would like more details, please contact your Sales Representative at https://www.7l.com
  • In the event of a DDoS attack, SevenL can block the target IP address, assuming you have multiple IPs on the server. This will allow you to log into your server and review logs etc. If it is a DoS attack, for a small fee SevenL can also block the source IP address on our routers and firewalls.

I hope this blog helps you understand some of the basics of mitigating SYN Flood attacks on your Linux dedicated web server hosts.  Until next time…