A little how-to for stopping the current type of SYN flood attack
We had SYN floods on three of our customers' servers and also read many posts here about SYN flood attacks. After a few experiments I am posting here a simple recipe for stopping the current type of SYN flood attack in a few easy steps. It is a simple but effective method and it does not require any special hardware, software or experience.

1) If your Apache goes down, check what is going on with the command:
netstat -na | grep :80
If you see many connections in the SYN_RECV state, congratulations, you are under a flood attack.
2) In the previous step you can also see which IP address is being targeted. You will need to remove it (see below).
3) Use the command
tcpdump -npi eth0 port domain
(this is the command for a Linux system; on other systems the switches may differ, read the manual)
and check which of the domains on the IP from above is requested most frequently. This may be hard for a novice, but after around 10-15 minutes you will find the targeted domain.
4) Remove this domain from your server; it is best if you also change the nameservers for this domain in the registrar's control panel to something bogus.
5) Remove the targeted IP and assign a new IP to the other domains that were previously hosted on it.
6) The removed IP will continue to be attacked, but because you deleted it from the server and no site is hosted on it any more, you will not have any problem.
If you have several targeted domains, repeat this procedure for each one (it is best to remove all the targeted domains at the same time in step 4).
That's all. You will stop the DDoS within half an hour.
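Steps 1 and 3 above rely on reading the netstat and tcpdump output by eye. As an added example (not part of the original post), the script below counts SYN_RECV sockets per local address and counts which name is queried most often in DNS traffic, so the targeted IP and domain stand out immediately. The sample netstat and tcpdump lines are constructed, and the field positions assume the usual text layout of those two tools.

```shell
#!/bin/sh
# Added example, not from the original post. Automates steps 1 and 3:
# count half-open (SYN_RECV) sockets per local address from `netstat -na`
# output, and count the most-queried name in `tcpdump -n port domain` output.
# Sample lines are constructed; field numbers assume the common netstat and
# tcpdump text layouts (adjust them if your tools print differently).

NETSTAT_SAMPLE='tcp        0      0 192.0.2.10:80      198.51.100.7:41234   SYN_RECV
tcp        0      0 192.0.2.10:80      198.51.100.8:41235   SYN_RECV
tcp        0      0 192.0.2.11:80      203.0.113.5:55000    ESTABLISHED
tcp        0      0 192.0.2.11:80      198.51.100.9:41236   SYN_RECV
tcp        0      0 192.0.2.10:80      198.51.100.9:41237   SYN_RECV'

DNS_SAMPLE='12:00:01.000001 IP 198.51.100.7.41234 > 192.0.2.10.53: 1001+ A? victim.example. (32)
12:00:01.000002 IP 198.51.100.8.41235 > 192.0.2.10.53: 1002+ A? victim.example. (32)
12:00:01.000003 IP 203.0.113.5.55000 > 192.0.2.10.53: 1003+ MX? shop.example. (30)
12:00:01.000004 IP 198.51.100.9.41236 > 192.0.2.10.53: 1004+ A? victim.example. (32)'

# Reads netstat lines on stdin; prints "<count> <local ip:port>" for SYN_RECV
# entries, most loaded local address first (field 4 = local address,
# field 6 = socket state).
syn_recv_by_local() {
    awk '$6 == "SYN_RECV" { n[$4]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Reads tcpdump DNS lines on stdin; the query name is the field right after
# the record type marker ("A?", "MX?", ...). The trailing dot is stripped.
dns_queries_by_name() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[A-Z]+\?$/) {
               sub(/\.$/, "", $(i + 1)); n[$(i + 1)]++; break } }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Step 1 check: the local address with the most half-open connections.
top_syn_target() {
    printf '%s\n' "$NETSTAT_SAMPLE" | syn_recv_by_local | head -n 1
}

# Step 3 check: the name requested most often, i.e. the likely targeted domain.
top_queried_name() {
    printf '%s\n' "$DNS_SAMPLE" | dns_queries_by_name | head -n 1
}

# Live use: netstat -na | syn_recv_by_local
#           tcpdump -npi eth0 port domain | dns_queries_by_name
top_syn_target
top_queried_name
```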