How to Protect a Server from DDoS Attacks
A DDoS attack (Distributed Denial of Service) aims to overwhelm a network with excessive traffic, reducing its performance or causing a complete outage. This is reflected in the term "denial-of-service" (refusal of service).
The frequency and intensity of DDoS attacks have been rising rapidly. A report by Cloudflare noted that in 2021, the number of attacks grew by one-third compared to 2020, with a peak in activity observed in December.
The duration of a DDoS attack can vary. According to research by Securelist:
- 94.95% of attacks end within four hours.
- 3.27% last between 5 to 9 hours.
- 1.05% persist for 10 to 19 hours.
- Only 0.73% of all attacks extend beyond 20 hours.
Effective Tools for Protecting a Server from DDoS Attacks Copy link
If you don't want to rely on vendors' solutions, paid services, or proprietary software, you can use the following tools to defend against DDoS attacks:
- IPTables. A powerful firewall tool available in Linux systems that allows precise control over incoming and outgoing traffic.
- CSF (ConfigServer Security and Firewall). A robust security tool that simplifies managing firewall rules and provides additional protection mechanisms.
- Nginx Modules. Modules specifically designed for mitigating DDoS attacks, such as limiting the number of requests per IP or delaying excessive requests.
- Software Filters. Tools or scripts that analyze and filter traffic to block malicious or excessive requests, helping to maintain service availability.
IPTables. Blocking Bots by IP Address Copy link
The IPTables tool helps protect a cloud server from basic DDoS attacks. Its primary function is to filter incoming traffic through special tables. The resource owner can add custom tables.
Each table contains a set of rules that govern the tool's behavior in specific situations. By default, there are only two response options: ACCEPT (allow access) and REJECT (block access).
In IPTables, it is possible to limit the number of connections. If a single IP address exceeds the allowed number of connections, the tool will block access for that IP. You can extend the tool's functionality with additional criteria:
- Limit: Sets a limit on the number of packet connections within a chosen time period.
- Hashlimit: Works similarly to Limit, but applies to groups of hosts, subnets, and ports.
- Mark: Used to mark packets, limit traffic, and filter.
- Connlimit: Limits the number of simultaneous connections for a single IP address or subnet.
- IPRange: Defines a range of IP addresses that are not considered as a subnet by the tool.
Additionally, IPTables can use criteria such as Owner, State, TOS, TTL, and Unclean Match to set personalized configurations, effectively protecting the resource from DDoS attacks.
The ipset kernel module allows you to create a list of addresses that exceed the specified connection limit. The ipset timeout parameter sets a time limit for the created list, which is enough to ride out a DDoS attack.
ConfigServer Security and Firewall Copy link
While IPTables is a convenient and effective tool, it can be quite complex to configure. You’ll need to learn how to manage it and write additional scripts, and if something goes wrong, your resource may end up being a "closed club" for just a few users.
CSF (ConfigServer Security and Firewall) is a "turnkey" configurator, meaning you only need to set the correct parameters and not worry about the server's security.
Installing the Server Firewall Copy link
The preliminary installation steps involve downloading two additional components required to run CSF: the Perl interpreter and the libwww library. The next step is to install ConfigServer Security and Firewall itself. Since the tool is not available in the official repository, you'll need to download it directly from the provided link or by fetching the ready-made archive:
cd /usr/src
wget https://download.configserver.com/csf.tgzAfter downloading, extract the archive and move it to the defender’s files folder. Then, run the installation process. Once installed successfully, you can proceed with configuring CSF.
Configuring the Server Firewall Copy link
By default, the settings in ConfigServer and Firewall are active for 5 minutes, after which any changes are reset. This test format is useful for conducting experiments and understanding errors in the applied configuration. To switch to live mode, change the Testing value to 0.
Proper configuration of CSF ensures reliable protection against DDoS attacks. Here are some essential commands in CSF:
Specify incoming ports:
TCP_IN = "22,23,25,36,75,87"Specify outgoing ports:
TCP_OUT = "22,23,25,36,75,87"Configure email notifications for SSH connections:
LF_SSH_EMAIL_ALERT = "1"Add an IP address to the exception list (useful for server management teams):
csf -a 192.168.0.7Block a specific IP address from connecting to the server:
csf -d 192.168.0.6Nginx Modules Copy link
How can you protect your server from DDoS attacks using simpler methods? Use Nginx modules like limit_conn and limit_req. The limit_conn module limits the maximum number of connections to the server, while the limit_req module limits the number of requests within a specified time frame.
For example, if you want to limit the number of simultaneous connections to 30 and restrict the number of connections within a 3-second window, the configuration will look as follows:
limit_conn_zone $binary_remote_addr zone=perip: 30m;
limit_req_zone $binary_remote_addr zone=dynamic:30m rate=3r/s;This configuration allows only 3 requests per second. Any additional requests are queued. The burst parameter controls the queue size. For example, if the burst value is set to 7, the module will queue up to 7 requests when the request count exceeds 10, while any further requests will be rejected with an error.
Software Filter Copy link
Server protection against DDoS attacks can also be achieved using web applications. A traffic filter uses JavaScript, which is inaccessible to bots, effectively redirecting DDoS attacks to a placeholder page.
The operation of the filter is simple. The configuration defines conditions for blocking bots, and when a visitor meets those conditions, they are redirected to a placeholder page instead of the requested page. The filter can also specify the reason for the redirection.