Apache: DoS & DDoS Attack
First, what is a DoS or DDoS attack? A DoS (Denial of Service) attack typically uses a single computer to flood a target system or resource with traffic, overwhelming it so that it can no longer service legitimate requests. A DDoS (Distributed Denial of Service) attack does the same from many systems at once, often a botnet spread around the globe, which makes the sources much harder to identify and block. Both are bad.
Unfortunately, it was our turn to deal with a DoS attack. Yesterday the phone rang with a client saying that their LAMP server was performing terribly. After a quick check, the Apache httpd service was running hundreds of connections that were sucking the life out of the server.
A quick check of the connections yielded an IP address that did not seem to fit with the traffic pattern for the environment.
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
It turned out that an IP address from the Netherlands was hammering the system. So, as a quick fix, the IP address was added to the iptables deny list. The iptables service was restarted, the Apache service was restarted, and the environment returned to normal operation.
Blocking a single address by hand is a stopgap. The offending addresses should be blacklisted in a more systematic way: rules added with iptables take effect immediately, but they must be saved (for example with iptables-save) or they are lost on the next reboot, and a distributed attack will not stop at one source, so the connection counts should be re-checked after each block.
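The one-liner above and the blacklisting step, worked into a small script as an added example (this is not code from the original post). It counts connections per remote address from netstat output, flags any address over a threshold, and prints the iptables rule that would drop it. The function names, the constructed netstat sample and the threshold are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: turn the netstat one-liner into a
# small script that counts connections per remote address, flags any address above a
# threshold, and prints the iptables rule that would drop it. The names
# count_remote_ips, offenders, block_rules and SAMPLE_NETSTAT are this example's own.

# Constructed sample of `netstat -ant` output so the script runs offline.
# In production replace it with the live command (see usage at the bottom).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.7:51234       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51235       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51236       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.4:40001      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:55000      ESTABLISHED'

# count_remote_ips: read netstat output on stdin and print "<count> <ip>" per remote
# IPv4 address, ascending, like the one-liner in the post. Unlike the one-liner it
# skips the header and LISTEN rows and the 0.0.0.0 wildcard. Only dotted-quad peers
# are counted: stripping the port with a colon split would mangle an IPv6 address.
count_remote_ips() {
  awk '$1 ~ /^(tcp|udp)/ && $6 != "LISTEN" {
         split($5, a, ":")
         ip = a[1]
         if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && ip != "0.0.0.0") count[ip]++
       }
       END { for (ip in count) print count[ip], ip }' | sort -n
}

# offenders: print only the addresses with at least $1 connections (default 100).
# Pick the threshold from the normal traffic of the host; the sample uses 3.
offenders() {
  threshold="${1:-100}"
  count_remote_ips | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# block_rules: for each address on stdin print the iptables command that drops it.
# -I puts the rule at the top of INPUT so it wins over an earlier ACCEPT, and the
# rule takes effect immediately with no service restart. Printing rather than
# executing lets an operator review the list before piping it into sh as root.
block_rules() {
  while read -r ip; do
    printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
  done
}

# Demo on the constructed sample: only 203.0.113.7 (3 connections) trips threshold 3.
printf '%s\n' "$SAMPLE_NETSTAT" | offenders 3 | block_rules
```

On a live host run `netstat -ant | offenders 100 | block_rules` to review the proposed rules, then append `| sh` as root to apply them, and save the result with `iptables-save` so it survives a reboot. The `-n` flag matters on a loaded server because it skips the reverse DNS lookup for every connection; `-p` (as in the post's one-liner) needs root to show the owning process and is not required for the count.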