Thursday, June 19, 2025

Blocking DDoS Attacks on Linux Servers


Introduction

Linux servers are a popular choice for hosting websites and applications due to their flexibility, speed, and reliability. But they are also frequent targets for DDoS (Distributed Denial-of-Service) attacks. If left unprotected, a Linux server can become slow, crash completely, or even be hijacked.

Blocking DDoS attacks on Linux is not about a single solution. It’s about combining multiple layers of protection. With the right tools and steps, you can reduce the risk and keep your server online.

What Happens During a DDoS Attack?

During a DDoS attack, a server is flooded with fake traffic from multiple sources. This overloads the system’s bandwidth, memory, and processing power. Legitimate users are pushed out, and services crash or become unreachable.

Linux servers, especially those exposed to the internet, need to be able to detect and block this kind of traffic quickly.

Key Techniques to Block DDoS Attacks

1. Use Firewall Rules (iptables or nftables)

The built-in firewall in Linux can filter traffic at the network level. iptables and nftables allow you to drop or limit connections from specific IPs.

Example (iptables):

iptables -A INPUT -p tcp --syn -m limit --limit 10/s --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

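These two rules accept new TCP connections (SYN packets) at up to 10 per second, with an initial burst of 20, and drop the excess, which can help during a SYN flood. Note that the limit match is shared by all clients rather than counted per source IP, so during a flood legitimate connection attempts compete for the same 10 per second. For a per-source limit, iptables provides the hashlimit match.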

2. Block IPs with High Request Rates

You can use fail2ban or custom scripts to block IPs that send too many requests in a short time.

Fail2ban monitors logs and automatically bans IPs showing suspicious behavior. It’s lightweight and easy to configure for web servers like Apache or Nginx.
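
As an added example (not from the original post), here is one shape such a custom script can take: it counts requests per source IP per minute in a combined-format access log and prints the addresses over a threshold, skipping an allowlist. The log lines, the threshold of 10, and the allowlisted address are constructed for illustration.

```shell
#!/bin/sh
# emit_hits IP HH:MM COUNT -> COUNT constructed access-log lines (test data only)
emit_hits() {
    n=0
    while [ "$n" -lt "$3" ]; do
        printf '%s - - [19/Jun/2025:%s:%02d +0000] "GET / HTTP/1.1" 200 512\n' "$1" "$2" "$n"
        n=$((n + 1))
    done
}

# Constructed sample log using documentation-range addresses.
sample_log() {
    emit_hits 203.0.113.7   10:00 12   # noisy client
    emit_hits 198.51.100.20 10:00 3    # ordinary visitor
    emit_hits 192.0.2.10    10:01 15   # hypothetical reverse proxy or monitor
}

# flag_noisy_ips THRESHOLD "ALLOWLIST" < access.log
# Prints "ip peak-count minute" for every source whose busiest one-minute
# bucket exceeds THRESHOLD. Buckets are fixed clock minutes, so a burst that
# straddles a minute boundary is split across two buckets.
flag_noisy_ips() {
    awk -v limit="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        {
            ip = $1
            # Ignore anything that is not shaped like an IPv4/IPv6 address,
            # so malformed lines can never end up in a firewall command.
            if (ip !~ /^[0-9A-Fa-f:.]+$/ || (ip in skip)) next
            minute = substr($4, 2, 17)          # "[19/Jun/2025:10:00:01" -> "19/Jun/2025:10:00"
            c = ++hits[ip, minute]
            if (c > peak[ip]) { peak[ip] = c; when[ip] = minute }
        }
        END {
            for (ip in peak)
                if (peak[ip] > limit) print ip, peak[ip], when[ip]
        }
    ' | sort
}

# Demo run on the constructed sample, with the proxy address allowlisted.
sample_log | flag_noisy_ips 10 "192.0.2.10"
```

Review the output before feeding it to a firewall: behind a CDN or reverse proxy the first log field is the proxy's address, so that address belongs on the allowlist.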

3. Enable SYN Cookies

SYN flood attacks exploit the TCP handshake by sending many half-open connections. Enabling SYN cookies helps defend against this.

To enable:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

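This helps your Linux server handle connection floods more gracefully. The command must be run as root and takes effect immediately, but the setting is lost on reboot; the /etc/sysctl.conf entry in step 8 makes it permanent.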

4. Install and Configure ModSecurity

ModSecurity is a Web Application Firewall (WAF) for Apache, Nginx, and other servers. It filters out malicious traffic before it reaches your application.

With ModSecurity, you can block requests based on behavior patterns, known attack strings, and IP reputations.

5. Use Rate Limiting on the Web Server

Limit how many requests a single IP can make within a certain time. Nginx and Apache support rate limiting modules.

Example (Nginx):

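# http context: a shared 10 MB zone keyed by client address
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
# server or location context: apply the zone
limit_req zone=one burst=5;

This restricts each client IP to 1 request per second. Up to 5 requests beyond that rate are queued and delayed, and anything past the burst is rejected (with a 503 response by default), slowing down any attempt to flood your site.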

6. Monitor Network Traffic in Real Time

Use tools like iftop, netstat, or nload to see incoming traffic and detect anomalies.

For more advanced monitoring, consider setting up Netdata, Zabbix, or Nagios to get alerts when traffic patterns change unexpectedly.

7. Install DDoS Protection Tools

There are tools built specifically to prevent or reduce DDoS attacks on Linux:

  • DDoS Deflate: A shell script that monitors connections and bans IPs with excessive requests.

  • CSF (ConfigServer Security & Firewall): Offers advanced IP blocking with DDoS protection and connection tracking.

  • CrowdSec: An open-source behavior-based security engine that blocks bots and malicious traffic based on community-shared threat intelligence.

8. Configure TCP Stack for Better Resilience

Tweak kernel parameters to improve how your server handles traffic.

Add these to /etc/sysctl.conf:

net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_fin_timeout = 15

Then apply:

sysctl -p

These tweaks improve the server's ability to handle floods and filter out spoofed packets.
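
To confirm that the running kernel actually matches the file after sysctl -p, the following added example (not from the original post) compares each key = value line in a sysctl file with the live value under /proc/sys. The function names and the optional second argument, a directory to read from instead of /proc/sys, are assumptions made for illustration.

```shell
#!/bin/sh
# Collapse runs of spaces/tabs and trim both ends.
norm() { tr -s ' \t' ' ' | sed 's/^ //; s/ $//'; }

# audit_sysctl CONF [PROC_ROOT]
# Prints one line per setting in CONF that is missing or differs from the live
# value under PROC_ROOT (default /proc/sys). Returns 0 only if nothing drifted.
# Key names are mapped to paths by turning dots into slashes.
audit_sysctl() {
    conf=$1
    root=${2:-/proc/sys}
    drift=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | norm)
        case $line in
            ''|'#'*|';'*) continue ;;   # blank line or comment
            *=*) ;;                     # a setting, handled below
            *) continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | norm)
        key=${key#-}                    # a leading "-" means "ignore errors"
        want=$(printf '%s' "${line#*=}" | norm)
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            echo "MISSING $key (wanted $want)"
            drift=$((drift + 1))
            continue
        fi
        have=$(norm < "$path")
        if [ "$have" != "$want" ]; then
            echo "DRIFT $key: running=$have configured=$want"
            drift=$((drift + 1))
        fi
    done < "$conf"
    [ "$drift" -eq 0 ]
}

# Typical use on a real host:
#   audit_sysctl /etc/sysctl.conf || echo "kernel settings differ from the file"
```

A DRIFT line usually means sysctl -p was not run or another file under /etc/sysctl.d sets the same key to a different value.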

9. Use a CDN or Reverse Proxy

Services like Cloudflare, Fastly, or Imperva can be used as reverse proxies to absorb and filter traffic before it reaches your Linux server.

They offer DDoS protection as part of their services, hiding your actual server IP and dropping suspicious traffic at the edge.

10. Block Unwanted Ports and Services

Disable any services or ports not needed by your application. Use a strict firewall policy that only allows necessary traffic.

Example:

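iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -P INPUT DROP

This ensures that only web traffic is allowed in, reducing potential attack vectors. The loopback and established-connection rules keep local services and replies to the server's own outbound connections (DNS lookups, package updates) working, and the DROP policy is set last so the ACCEPT rules are already in place when it takes effect. If you administer the server over SSH, add an ACCEPT rule for that port before changing the policy, or you will lock yourself out.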

Prevention Is Better Than Recovery

Once a DDoS attack is underway, recovery becomes difficult. The best way to stay ahead is through:

  • Regular system updates

  • Frequent log reviews

  • Using minimal services and secure configurations

  • Setting up alerts for unusual activity

  • Testing your defense setup

Conclusion

Linux gives you the control and tools to build strong defenses against DDoS attacks. From tuning the kernel to applying firewall rules and using WAFs, it’s all about layering your protection.

While no system is completely immune, preparing your Linux server with the right strategy will reduce downtime and keep your services running when it matters most.






