Jul 23 2008

[Linux] Using netstat and iptables to manually detect and blacklist DOSers

Category: Articles, Linux administration | FractalizeR @ 8:35 pm

If you suspect that your server is being flooded, the first thing you need to do is issue the following command:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

This will show you the IP addresses (second column) and the total number of connections from each (first column). If you see that you have too many connections from some IP address, you can block it by issuing the following command:

iptables -I INPUT -s <IP> -j DROP

where <IP> is the IP address you want to block. If you need to block a whole subnet, you can use the following:

  • 45.165.30.0/24 will block the whole 45.165.30.x subnet
  • 45.165.0.0/16 will block the whole 45.165.x.x subnet
  • 45.0.0.0/8 will block the whole 45.x.x.x subnet

So the command will look like

iptables -I INPUT -s <subnet> -j DROP

You can remove an address from the blacklist with

iptables -D INPUT -s <IP> -j DROP

You must also make sure that iptables is up and running, using

service iptables status

If you see that iptables is stopped, you can start it with

service iptables start

You may look at your current iptables entries using

iptables -L -n

You can also clear all iptables rules by issuing this series of commands:

iptables -P INPUT ACCEPT
iptables -F
iptables -X

After you have added all the entries you want to blacklist, you need to save the iptables rules so that they are loaded at the next server startup. This can be done using the following command:

service iptables save

You may also want iptables to start automatically whenever your system boots, with the following command:

chkconfig iptables on
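
The netstat pipeline at the top of this post also counts netstat's two header lines (they show up as "servers)" and "Address") and cuts IPv6 and IPv4-mapped addresses at their first colon. The following is an added example, not part of the original post, that counts connections per remote address while handling both cases and lists only addresses at or above a threshold; the function names and the sample data are made up for illustration.

```shell
#!/bin/sh
# Added example. top_talkers THRESHOLD reads `netstat -ntu` output on stdin
# and prints "count address" for every remote address that has at least
# THRESHOLD connections, busiest first. The function name is hypothetical.
top_talkers() {
    awk -v min="${1:-1}" '
        # Keep only socket rows; this skips the header lines netstat prints.
        $1 !~ /^(tcp|udp)/ { next }
        {
            addr = $5
            sub(/:[0-9*]+$/, "", addr)   # strip the trailing :port only
            sub(/^::ffff:/, "", addr)    # IPv4-mapped IPv6 becomes plain IPv4
            count[addr]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }' | sort -k1,1nr -k2,2
}

# Constructed sample of `netstat -ntu` output (documentation address ranges).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40000       TIME_WAIT
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51236 ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8::5:50100       ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8::5:50101       ESTABLISHED
EOF
}

# On a live server: netstat -ntu | top_talkers 50
sample_netstat | top_talkers 2
```

Review the listed addresses before blocking any of them: a single address may be a NAT gateway or proxy carrying many legitimate users.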
