How to block a DoS attack using 'null route'
P.S. The events below are just an example, not something that actually took place, but they are the actions you can take in the case of a DoS attack.
- Check for a high load.
This can be done by running the 'uptime' command; the output should look like this:
xxx load average: 15.08, 18.30, 20.63
- Check who is connected.
If you are not sure whether it is a DoS attack or just a single IP abusing the connection, issue the following command to list all the IP addresses connected to your server:
netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
If you want to check a different port, change the number where it says “grep :80” to the desired port. The output should look like this:
215 122.163.226.243
189 114.198.236.100
156 120.63.179.245
38 141.0.9.20
37 49.248.0.2
37 153.100.131.12
31 223.62.169.73
30 65.248.100.253
29 203.112.82.128
29 182.19.66.187
Here are the connected IPs. As you can see, the top three, which I have listed below, are each taking 150+ connections, which should not be the case. What are they trying to do? Let's take a look.
- Null route
215 122.163.226.243
189 114.198.236.100
156 120.63.179.245
I believe the above IPs are the cause of the high load, so let's null route them so that all incoming connections from those 3 IPs are dropped or ignored, and see if the problem is solved.
There are 2 commands you can use; the second is an alternative to the first.
Null route command:
route add 122.163.226.243 gw 127.0.0.1 lo
route add 114.198.236.100 gw 127.0.0.1 lo
route add 120.63.179.245 gw 127.0.0.1 lo
Alternative command:
route add -host 122.163.226.243 reject
route add -host 114.198.236.100 reject
route add -host 120.63.179.245 reject
Do not use the IPs entered in the first section, as they are just an example; change them to the IP(s) that are causing the high load.
Then use 'netstat -nr' to display all the routes and make sure they have been added to the routing table. The output should look like this:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
114.198.236.100 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
120.63.179.245 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
122.163.226.243 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
Now check the load average to see if the problem has been solved. The output should look something like this (not exactly):
load average: 1.08, 5.30, 30.63
As you can see, the numbers are much lower than before.
For our final step, check all the connected IPs again to see if the attacker’s IPs are gone:
40 141.0.9.20
37 49.248.0.2
36 153.100.131.12
31 223.62.169.73
25 65.248.100.253
29 203.112.82.128
29 182.19.66.187
38 142.0.9.20
28 141.121.9.20
38 141.0.9.201
As you can see, they are gone, which means this was a success. Now, this is not a fix that will always work, as it does not address the root of the problem; but if it is just a 'DoS attack', the chances are it will be fixed and your problem is now solved.
I hope this proved helpful. If you wish to get in contact or want more info/help, you can do so at 'informationdot@protonmail.com'.
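The steps above (list connections per IP, pick out the heavy hitters, null route them) as one reviewable shell script. This is an added example, not the original post's commands: it uses 'ip route add blackhole' (the iproute2 equivalent of the 'route add -host ... reject' used above), reads a constructed 'netstat -tn' sample instead of a live socket table, and only prints the commands, so an overloaded but legitimate address (a NAT gateway or reverse proxy, say) is not cut off by accident.

```shell
#!/bin/sh
# Added example, not from the original post: count connections per remote IP
# in 'netstat -tn' output (IPv4 only, like the page's pipeline) and print the
# null-route command for each public IP above a threshold. Nothing is executed.

# Constructed sample of 'netstat -tn' output, standing in for a live server.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             122.163.226.243:51234   ESTABLISHED
tcp        0      0 10.0.0.5:80             122.163.226.243:51235   ESTABLISHED
tcp        0      0 10.0.0.5:80             122.163.226.243:51236   ESTABLISHED
tcp        0      0 10.0.0.5:80             114.198.236.100:40001   ESTABLISHED
tcp        0      0 10.0.0.5:80             114.198.236.100:40002   ESTABLISHED
tcp        0      0 10.0.0.5:80             141.0.9.20:33333        ESTABLISHED
tcp        0      0 10.0.0.5:22             114.198.236.100:40003   ESTABLISHED
tcp        0      0 10.0.0.5:80             192.168.1.9:5555        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.168.1.9:5556        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.168.1.9:5557        ESTABLISHED'

# count_per_ip PORT : reads netstat -tn output on stdin and prints "COUNT IP",
# highest first, for connections to local port PORT only.
count_per_ip() {
    awk -v port="$1" '$1 == "tcp" && $4 ~ (":" port "$") { split($5, a, ":"); n[a[1]]++ }
        END { for (ip in n) print n[ip], ip }' | sort -nr
}

# is_private IP : true for loopback and RFC 1918 addresses. Never null route
# these blindly; a busy internal address is usually your own proxy or LAN.
is_private() {
    case "$1" in
        127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# null_route_cmds PORT THRESHOLD : prints one 'ip route add blackhole' line per
# public IP with more than THRESHOLD connections to PORT (iproute2 equivalent
# of 'route add -host ... reject'). Pipe the output into 'sh' only after review.
null_route_cmds() {
    count_per_ip "$1" | while read -r count ip; do
        [ "$count" -gt "$2" ] || continue
        is_private "$ip" && continue
        printf 'ip route add blackhole %s/32\n' "$ip"
    done
}

# Live use (as root): netstat -tn 2>/dev/null | null_route_cmds 80 150
printf '%s\n' "$SAMPLE_NETSTAT" | null_route_cmds 80 2
```

With the sample above and a threshold of 2, only 122.163.226.243 is proposed for blocking: 192.168.1.9 also has 3 connections but is skipped as a private address, and 114.198.236.100's third connection is to port 22, not 80.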
Thank you for your time.