Ddos migration & conntrack sessions limit

Now a day ddos attack is a big problem for a busy website. Today I am going to share some command about ddos migration and Limit conntrack sessions on cPanel server. 

Login to SSH and execute following commands with root access:

1.To see what IPs are connecting to server and how many connections exist from each IP:

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

2.To see how many connections each IP on the server is receiving:

netstat -plan |grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -n

3.Get total current active connections to Apache:

netstat -apn | grep :80 | wc -l

Get Apache status update from command line to see which domain is receiving maximum hits (cPanel/WHM server):

lynx http://localhost/whm-server-status

 

Once you get IPs having most connection from 1st command, now you need to add these IP to deny list. In this post i will not talk about configServer Firewall or any other firewall. As according to my experience if you have high packets DDOS attacks firewall does not help any more. So we will go with .htaccess solution.

Just add following below code in your .htaccess placed under main directory of web site, for cPanel account it is public_html/.htaccess if it does not exist just create it.

deny from (IP that is having too many connections)<pre>

e.g: In below example 127.0.0.1 is assumed as IP having many connections, please replace it accordingly.
<pre>deny from 127.0.0.1

Add same above code for each IP per line.

 

How to limit conntrack sessions

Are you aware that Conntrack session exhaustion is usually due to a DDoS? Unless you normally have 58,662 active sessions (TCP Connections, UDP dstip,dstport,srcip,scrport turples)

to limit sessions

/sbin/sysctl -w net.netfilter.nf_conntrack_max=xxxx

xxxx = number

/sbin/sysctl -w net.netfilter.nf_conntrack_count

to check how many sessions

Use this command to see all of the sessions: cat /proc/net/nf_conntrack