Preventing DDOS
Posted: 22 Oct 2014, 09:05
Hi all,
I searched for some information on the internet about how to prevent DDOS attacks with the CSF firewall and found the CSF settings and "Preventing DDOS amplification open resolver attack":
First, I would like to ask how I can prevent a DDOS amplification open resolver attack? Because I think that my server was used by others to attack. (The hosting company told me and stopped my server for about 2 weeks >.<)
The information is as follows:
source: anandarajpandey. com/2014/02/10/preventing-ddos-aplification-open-resolver-attack/
Can I do anything in WHM to prevent a DDOS amplification open resolver attack? Or any code?
If I disable open recursive requests, will any function become unusable or cause any problem? e.g. Redirects, Subdomains.
Second, if I set the CSF as follows, is the server better or not?
source: anandarajpandey. com/2014/04/21/how-to-prevent-ddos-attack-by-csf-firewall/
Step 1: open and edit the CSF config file.
vi /etc/csf/csf.conf
Settings:
Enable connection tracking
CT_LIMIT = 1
Set the connection tracking interval.
CT_INTERVAL = 30
If you want to get a possible DDOS attack email then enable it.
CT_EMAIL_ALERT = 1
If you want to make IP blocks permanent then set this to 1, otherwise blocks
will be temporary and will be cleared after CT_BLOCK_TIME seconds
CT_PERMANENT = 1
If you opt for temporary IP blocks for CT, then the following is the interval
in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = 1800
If you only want to count specific ports (e.g. 80,443) then add the ports
to the following as a comma separated list. E.g. "80,443"
CT_PORTS = 80,23,443
These settings will be enough for DDOS attacks, but if you are still getting attacks even with the above options configured, then we can set a few more options.
Step 2: Enable distributed attacks
LF_DISTATTACK = 1
Set the following to the minimum number of unique IP addresses that trigger
LF_DISTATTACK
LF_DISTATTACK_UNIQ = 2
Step 3: Enable distributed FTP attacks
LF_DISTFTP = 1
Set the following to the minimum number of unique IP addresses that trigger
LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
LF_DISTFTP_UNIQ = 3
If this option is set to 1 the blocks will be permanent
If this option is > 1, the blocks will be temporary for the specified number
of seconds
LF_DISTFTP_PERM = 1
Step 4: Enable distributed SMTP attacks.
LF_DISTSMTP = 1
Set the following to the minimum number of unique IP addresses that trigger
LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
LF_DISTSMTP_UNIQ = 4
If this option is set to 1 the blocks will be permanent
If this option is > 1, the blocks will be temporary for the specified number
of seconds
LF_DISTSMTP_PERM = 1
This is the interval during which a distributed FTP or SMTP attack is
measured
LF_DIST_INTERVAL = 300
Thanks all!
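Added check, not from the post or from the blog it quotes: the script below parses the settings above (copied inline as a constructed sample) and applies the rule the quoted comments themselves state (LF_DISTFTP_UNIQ must be <= LF_DISTFTP, likewise for SMTP), which the values as posted violate for both FTP and SMTP. It also flags a CT_LIMIT below an assumed sanity floor, because in csf.conf CT_LIMIT is the number of connections from one IP that triggers a block, not an on/off switch.

```python
import re

# Constructed sample: the values from the post above, written as csf.conf lines.
SAMPLE_CONF = """\
CT_LIMIT = 1
CT_PERMANENT = 1
CT_BLOCK_TIME = 1800
CT_PORTS = "80,23,443"
LF_DISTATTACK = 1
LF_DISTFTP = 1
LF_DISTFTP_UNIQ = 3
LF_DISTSMTP = 1
LF_DISTSMTP_UNIQ = 4
"""

# KEY = value, with optional surrounding quotes and an optional trailing # comment.
LINE_RE = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def parse_conf(text):
    """Return {KEY: value} for csf.conf-style text; comment and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def check_settings(settings, ct_limit_floor=20):
    """Return a list of findings (empty = nothing flagged); ct_limit_floor is an assumed value."""
    def num(key):
        try:
            return int(settings.get(key, "0"))
        except ValueError:
            return 0
    findings = []
    # Rule quoted in the post: _UNIQ must be <= the trigger count, or the check never fires.
    for base in ("LF_DISTFTP", "LF_DISTSMTP"):
        trig, uniq = num(base), num(base + "_UNIQ")
        if trig and uniq > trig:
            findings.append(f"{base}_UNIQ={uniq} exceeds {base}={trig}; distributed check will not trigger")
    # CT_LIMIT is the per-IP connection count that triggers a block, not an enable flag.
    ct = num("CT_LIMIT")
    if 0 < ct < ct_limit_floor:
        findings.append(f"CT_LIMIT={ct} is below the assumed sanity floor {ct_limit_floor}; ordinary clients would be blocked")
    return findings
```

Run `check_settings(parse_conf(open("/etc/csf/csf.conf").read()))` against a real file to apply the same checks to a live configuration.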