7.Locks HexConnections

Since the beginning of the modern internet, distributed denial of service (DDoS) attacks have been a scourge. The first known example of a major DDoS attack happened in 1996 when prominent New York commercial internet provider Panix suffered an attack that knocked its servers offline for several days. In the years since then, the size and scope of DDoS attacks have grown, alongside a significant increase in their frequency.

At the same time, the percentage of public-facing servers running one of the many flavors of Linux has exploded. Today, ZDNet reports that 96.3% of all major web servers now run a Linux variant. That makes DDoS attacks a massive threat to Linux servers and one that every administrator must know how to prevent and mitigate. The thing is, the topic of DDoS attacks is a broad one that doesn't necessarily lend itself to simple solutions. That doesn't mean, however, that Linux server admins should abandon all hope.

To offer Linux admins the knowledge and basic skills they need, here's a comprehensive guide to preventing Linux DDoS attacks with minimal cybersecurity knowledge. We'll discuss exactly what DDoS attacks are, how they work, and why they often happen. We'll also discuss the OSI layers that attackers might target and some typical defensive and mitigation strategies admins can use with both stand-alone and cloud-based Linux servers.

Then, to top it off, we'll also cover common misconceptions about DDoS attacks and offer a quick overview of the top open-source DDoS mitigation tools available today. By the end, you'll know everything necessary to mount a competent defense against DDoS attacks for your Linux infrastructure. If you're ready, let's get started!

Understanding DDoS Attacks

CybersecBefore you can learn how to defend your infrastructure from DDoS attacks, it's first necessary to understand what they are and how they work. The simplest way to describe a DDoS attack is that it's a deliberate attempt to overwhelm a server or servers by directing a large volume of traffic at it simultaneously. During a DDoS attack, the target is knocked offline because legitimate traffic can't reach it.

According to cybersecurity expert Hari Ravichandran, DDoS attacks have turned into a preferred tool of ransom-seeking hackers, joining purpose-built ransomware as the most prevalent criminal threat online today. He also notes that the rise of DDoS attacks is happening because of a simultaneous increase of botnet-for-hire schemes that make launching the attacks cheap and easy.

In most instances, DDoS attacks rely on such botnets—masses of compromised devices or computers—to generate the required traffic. Lately, compromised IoT hardware has supercharged the size and ferocity of DDoS attacks. Plus, the perpetrators of such attacks may have a variety of motivations, including:

  • Seeking business leverage
  • Extortion
  • State-sponsored cyberwarfare
  • Ideological motivations
  • Attention-seeking

Worse still, there are multiple subtypes of DDoS attacks that Linux admins have to contend with. Here's what they are, in no particular order, including which OSI layer they target:

UDP Flood

A UDP, or User Datagram Protocol, is a layer-3 attack that involves an attacker flooding random ports on a targeted server with meaningless packets. This forces the server to look for applications listening on those ports, which consumes precious computing resources. Eventually, the target loses the ability to respond to legitimate requests for the duration of the attack—and possibly longer if the server can't recover on its own.

Ping Flood

A ping attack is another layer-3 attack that takes advantage of a troubleshooting protocol meant to allow admins to test the accessibility of a server remotely. A ping is a type of internet control messaging protocol (ICMP) echo request involving data packets up to 64 bytes in size. When you ping a server under ordinary circumstances, it will answer by sending a same-sized packet back to the origin of the ping. Attackers abuse this by sending huge floods of ping requests, which rapidly eat up both incoming and outgoing bandwidth to the server.

Ping of Death

A ping of death attack is a layer-3 attack that is similar to a ping flood, except that it involves the use of a malformed ping request. By manipulating the size and content of the ping request, the attacker causes a memory buffer overflow on the target server. This eats up resources and prevents the server from responding to legitimate traffic.

SYN Flood

A SYN flood attack is a layer-4 attack that takes advantage of the TCP handshake procedure, wherein the machine initiating a connection sends a SYN request to a target. In response, the target sends a SYN-ACK response to the source and then waits for the source to respond with an ACK. In a SYN flood attack, the attacker generates large numbers of SYN requests but never answers the target server's responses. This forces the target server to wait for an endless number of concurrent connections. Eventually, the server will run out of available connections and won't respond to any further incoming requests—legitimate or otherwise.

HTTP Flood

An HTTP flood attack is a layer-7 attack that involves an attacker directing large volumes of HTTP GET or POST requests toward a targeted web server. The idea is to tie up the web server's resources with these meaningless requests so it cannot answer real users. This is a particularly pernicious attack because it requires no particular infrastructure and doesn't rely on massive bandwidth to execute.


A slowloris attack is a type of webserver-to-webserver layer-7 attack where an attacking server opens up—and holds open—multiple concurrent connections to the target server. It does this by sending endless HTTP headers without completing any requests. The process continues until the target server can no longer respond to other HTTP requests.

NTP Amplification

An NTP amplification attack is another layer-7 attack that involves an attacker directing traffic from public network time protocol (NTP) servers toward a target server. Since a request to a pool of NTP servers can result in as many as 200 responses, it's possible to generate a huge volume of traffic in this way. In effect, an NTP amplification attack is a UDP flood attack that doesn't require access to a botnet to execute.

Historical Examples of Linux DDoS Attacks

Cyber 4508911  340Unfortunately, it's not difficult to cite examples of DDoS attacks aimed at Linux-powered sites, services, or infrastructure. With so much of the internet relying on Linux to function, such incidents are almost a given. Perhaps the most well-known recent example was a DDoS attack on Amazon's massive AWS infrastructure in February 2020. It was, at the time, the most significant DDoS attack in history, sending a gigantic flood of data at 2.3 Tbps to Amazon's servers. In that case, the attacker used a reflection attack, similar to an NTP attack, but targeting the Connectionless Lightweight Directory Access Protocol (CLDAP) instead.

Another set of well-known examples of Linux-targeted DDoS attacks happened in July 2022, leveraging a botnet known as Mantis. It was an HTTP flood attack aimed at over 1,000 customers of Cloudflare, a major internet infrastructure company. The attack was most notable for its ferocity, reaching a rate of an astonishing 26 million requests per second at one point.

In both cases, the attacks did untold financial damage to their targets and prevented legitimate users from accessing hundreds of sites and services for significant periods. For administrators, they also created major headaches. In the aftermath of major DDoS attacks like these, admins have to review servers from top to bottom and often need to conduct cleanups to get everything running again.

How Can I Mitigate Linux DDoS Attacks?

There are a variety of methods you can use to mitigate the effects of DDoS attacks on a Linux server. The simplest way to do this, of course, is to engage the services of network service providers like Cloudflare, Akamai, Imperva, and others to act as a shield for your servers. Those services feature advanced, built-in DDoS attack detection technology that can spot and halt DDoS attacks before connections ever reach your servers.

There are also a few things you can do on your Linux servers themselves that will help blunt the effects of a DDoS attack. First, there are a variety of additions you can make to your server's sysctl.conf file that will help it withstand the most common DDoS attacks. Then, you can also add some simple iptables rules that will drop or reject most kinds of malicious traffic, such as:

  • Block Invalid Packets - iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
  • Block Non-SYN Packets on New Connections - iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  • Block Unusual Max Segment Sizes - iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

The three entries above are a good start, but there are plenty of other rules that can help too, which you can find here.

The good news is that these settings work well on cloud-based Linux deployments, too. And when you combine them with the aforementioned protection services, you can be reasonably sure that your cloud deployment will weather any DDoS storm. Also, major cloud providers like Amazon and Google have their own built-in DDoS mitigation services you could use as well.

Top Misunderstandings and Misconceptions about DDoS Attacks

Open Source SecurityUnfortunately, the tech media treats DDoS attacks as a monolithic threat and spreads quite a bit of unintentional misinformation about them. That's a big reason why there are so many Linux admins that misunderstand the threats they face and what they mean. The biggest misconception among these is that DDoS attacks only befall large organizations. This is likely because articles on the subject often only mention DDoS victims at the service provider level.

For example, in the two attacks detailed earlier in this article, only Cloudflare and AWS were mentioned as direct targets. However, in both cases, it was hundreds or thousands of their customers that were the real targets of the attack. This means every Linux admin—no matter how small a site or service they're running—needs to remain vigilant.

Another major misconception is that deploying an anti-DDoS product is a viable set-it-and-forget-it solution. In most cases, admins will still need knowledge about dealing with a DDoS attack to effectively use such products. This is because, while many such products do offer some automated mitigation responses, there will always be a need for admins to take direct control and guide the response to an attack.

Open-Source DDoS Mitigation Tools for Defense

Although plenty of commercial DDoS mitigation solutions are available, it's a safe bet that most Linux admins would prefer to keep their stack as open-source as possible. To help with that, here are three excellent open-source DDoS mitigation options:


Formerly known as the OWASP HTTP POST tool, Switchblade is an open-source utility that allows Linux admins to simulate various DDoS attack types on their systems. It's an excellent way to see if your defensive measures work and if not, gain insight on addressing remaining problems.


Although primarily known as a web server and reverse proxy platform NGINX also works well as an open-source DDoS defensive measure. There's voluminous information on configuring it for that purpose, too.

DDoS Deflate

DDoS Deflate is a suite of shell script tools aimed at giving Linux admins the ability to halt in-progress DDoS attacks. It has various features, including the ability to whitelist or blacklist IP ranges, rate-limit addresses with too many open connections, and more.

Final Thoughts on Preventing Linux DDoS Attacks

The bottom line is that DDoS attacks are an ever-present threat to Linux servers and other types of connected infrastructure. They're common enough that there's no server—no matter how insignificant—that should go without protection from them. Fortunately, basic anti-DDoS measures aren't tricky to implement, as described in this article. However, Linux admins shouldn't simply set them up and walk away. They should try to stay up-to-date on the latest emerging patterns and attack types, as they may eventually begin evading these basic preventative measures. With care and vigilance, though, safety for Linux servers from the threat of DDoS disruptions is possible.