How to use IPtables to stop common DDOS attacks
DDOS stands for Distributed Denial of Service attack. A distributed attack is an attack from multiple sources. DDOS attacks aim to flood your server and connection with requests which in turn causes a queue of requests whilst the server attempts to service them. This renders your server inaccessible until the server has processed the requests queue. All of our servers, including VPS servers, can handle up to 10 GBPS of traffic requests making it extremely difficult for a DDOS attack targeted at one of our servers to be effective. DDOS mitigation is automatic but some users may want to add some default rules to IPtables to help prevent a DDOS in the first place.
Since CentOS 7, IPtables has been replaced by firewalld, but IPtables is still available to use. This guide assumes you're using IPtables. You can add each rule by pasting it into a command prompt as the root user.
How To Stop Null Packets
Null packets are TCP packets with no flags set. Attackers usually use bots to scan servers for weaknesses in their firewall configuration. These bots produce empty packets, and IPtables can be configured to block them automatically, making it harder for a malicious user to find errors in your firewall configuration.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
The above rule tells IPtables to drop (silently discard) flag-less packets.
How To Stop SYN-Flood Attacks
In a SYN flood, a malicious user opens connections to your server without sending or receiving any information. The main reason a user would do this is to consume the resources on your server. You can use the rule below as part of your protection against SYN floods; it drops any TCP packet that would start a new connection without the SYN flag set:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
How To Stop XMAS Packets
XMAS packets are malformed TCP packets, and as a rule of thumb you should block them. The rule below drops packets that have every TCP flag set:
sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
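The following is an added example, not part of the original guide: a small shell model of how the three rules above match TCP flags, run over constructed packets so you can see which rule drops what. The function names and the is_new argument (standing in for conntrack state NEW) are assumptions made for illustration.

```shell
#!/bin/sh
# TCP flag bits as they appear in the TCP header.
FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32
ALL=63    # iptables "ALL"  = FIN,SYN,RST,PSH,ACK,URG
NONE=0    # iptables "NONE" = no flags

# --tcp-flags MASK COMP matches when, of the flags listed in MASK,
# exactly the ones listed in COMP are set in the packet.
tcp_flags_match() {    # usage: tcp_flags_match MASK COMP FLAGS
    [ $(( $3 & $1 )) -eq "$2" ]
}

# verdict FLAGS IS_NEW
# Walks the guide's three rules in the order they were appended and prints
# the first one that drops the packet, or "pass" if none matches.
# IS_NEW=1 models "-m state --state NEW" (hypothetical stand-in for conntrack).
verdict() {
    flags=$1 is_new=$2
    # Rule 1: --tcp-flags ALL NONE
    if tcp_flags_match "$ALL" "$NONE" "$flags"; then
        echo "drop: null-packet rule"; return
    fi
    # Rule 2: ! --syn -m state --state NEW
    # --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN.
    if [ "$is_new" -eq 1 ] &&
       ! tcp_flags_match $(( $SYN | $RST | $ACK | $FIN )) "$SYN" "$flags"; then
        echo "drop: new-without-SYN rule"; return
    fi
    # Rule 3: --tcp-flags ALL ALL
    if tcp_flags_match "$ALL" "$ALL" "$flags"; then
        echo "drop: XMAS rule"; return
    fi
    echo "pass"
}

# Constructed sample packets (flag combinations only, no real traffic).
demo() {
    echo "no flags, new          -> $(verdict "$NONE" 1)"
    echo "SYN only, new          -> $(verdict "$SYN" 1)"
    echo "ACK only, new          -> $(verdict "$ACK" 1)"
    echo "ACK only, established  -> $(verdict "$ACK" 0)"
    echo "all flags, not new     -> $(verdict "$ALL" 0)"
    echo "FIN+PSH+URG, not new   -> $(verdict $(( $FIN | $PSH | $URG )) 0)"
}
demo
```

A well-formed SYN passes all three rules, so they filter malformed packets rather than limit the rate of connection attempts, and a packet with only some flags set is not matched by the ALL ALL rule.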
Saving your new IPtables Configuration
Debian & Ubuntu
iptables-save > /etc/network/iptables
CentOS & Red Hat Linux
iptables-save > /etc/sysconfig/iptables
To ensure your new IPtables configuration loads on Debian and Ubuntu you should add the following line to the /etc/rc.local file.