Discover LinuxSecurity Features
Preventing Linux DDoS Attacks with Minimal Cybersecurity Knowledge
Since the beginning of the modern internet, distributed Denial of Service (DDoS) attacks have been a scourge. The first known example of a major DDoS attack happened in 1996 when prominent New York commercial internet provider Panix suffered an attack that knocked its servers offline for several days. In the years since then, DDoS attacks have grown in size, scope, and frequency.
At the same time, the percentage of public-facing servers running one of the many versions of Linux has exploded. Today, ZDNet reports that 96.3% of all major web servers now run a Linux variant. Therefore, DDoS attacks are a massive network security threat that all administrators need to be aware of in order to mitigate and prevent any cyber security vulnerabilities that would allow for the attack to take place. However, DDoS tends not to have the easiest solutions, but that does not mean server admins should give up.
To offer Linux admins the knowledge and basic skills they need, here's a comprehensive guide to preventing Linux DDoS attacks with minimal cybersecurity knowledge. We'll discuss exactly what DDoS attacks are, how they work, and why they often happen. Also, we'll brief the OSI layers that attackers might target and some typical defensive and mitigation strategies admins can use with stand-alone and cloud-based Linux servers. Finally, we'll cover common misconceptions about DDoS attacks and offer a quick overview of the top open-source DDoS mitigation network security toolkits available today. By the end, you'll know everything necessary to mount a competent defense against DDoS attacks for your Linux infrastructure. If you're ready, let's get started!
Understanding DDoS Attacks
Before you can learn how to defend your infrastructure from DDoS attacks, it's first necessary to understand what they are and how they work. The simplest way to describe a DDoS attack is that it's a deliberate attempt to overwhelm a server or server by directing a large volume of traffic at it simultaneously. During a DDoS attack, the target is knocked offline because legitimate traffic can't reach it.
According to cybersecurity expert Hari Ravichandran, DDoS attacks have turned into a preferred tool for ransom-seeking hackers, joining purpose-built ransomware as the most prevalent criminal network security threat online today. He also notes that the rise of DDoS attacks is happening because of a simultaneous increase of botnet-for-hire schemes that make launching the attacks in network security both cheap and easy. This environment has enabled DDoS attacks to emerge as one of the most significant recent cyber security trends.
In most instances, DDoS attacks rely on botnets, or masses of compromised devices and computers, to generate the required traffic. Lately, compromised IoT hardware has supercharged the size and ferocity of DDoS attacks. Perpetrators of such attacks may have a variety of motivations, including seeking business leverage, extortion, state-sponsored cyber warfare, ideological motivations, and attention-seeking.
Worse still, there are multiple subtypes of DDoS attacks that Linux admins have to know. Here is a list of such network security threats and which OSI layers they target:
A UDP, or User Datagram Protocol, is a layer-3 attack that involves an attacker flooding random ports on a targeted server with meaningless packets. This forces the server to look for applications listening on those ports, which consumes precious computing resources. Eventually, the target loses the ability to respond to legitimate requests for the duration of the attack and possibly longer if the server can't recover on its own, posing a significant network security threat.
A ping attack is another layer-3 attack that takes advantage of a troubleshooting protocol meant to allow admins to test the accessibility of a server remotely. A ping is a type of Internet Control Messaging Protocol (ICMP) echo request involving data packets up to 64 bytes in size. When you ping a server under ordinary circumstances, it will answer by sending a same-sized packet back to the origin of the ping. Attackers abuse this by sending huge floods of ping requests, which rapidly eat up both incoming and outgoing bandwidth to the server, making it difficult to maintain data and network security for the duration of the attack.
Ping of Death
A ping of death attack is a layer-3 attack that is similar to a ping flood, except that it involves the use of a malformed ping request. By manipulating the size and content of the ping request, the attacker causes a memory buffer overflow on the target server. This eats up resources and prevents the server from responding to legitimate traffic.
A SYN flood attack is a layer-4 attack that takes advantage of the TCP handshake procedure, wherein the machine initiating a connection sends a SYN request to a target. In response, the target sends a SYN-ACK response to the source and then waits for the source to respond with an ACK. In a SYN flood attack, the attacker generates large numbers of SYN requests but never answers the target server's responses, forcing the target server to wait for an endless number of concurrent connections. Eventually, the server will run out of available connections and won't respond to any further incoming requests, legitimate or otherwise.
An HTTP flood attack is a layer-7 attack that involves an attacker directing large volumes of HTTP GET or POST requests toward a targeted web server. The idea is to tie up the web server's resources with these meaningless requests so it cannot answer real users. This is a particularly pernicious form of attack on network security because it requires no particular infrastructure and doesn't rely on massive bandwidth to be executed.
A slowloris attack is a type of webserver-to-webserver layer-7 attack where an attacking server opens and holds open multiple concurrent connections to the target server. It does this by sending endless HTTP headers without completing any requests. The process continues until the target server can no longer respond to other HTTP requests.
An NTP amplification attack is another layer-7 attack that involves an attacker directing traffic from public Network Time Protocol (NTP) servers toward a target server. Since a request to a pool of NTP servers can result in as many as 200 responses, it's possible to generate a huge volume of traffic in this way. In effect, an NTP amplification attack is a UDP flood attack that doesn't require access to a botnet to execute.
Understanding the variety of network security threats posed by DDoS attacks is vital in making sure you stay on top of any and all cyber security vulnerabilities within your Linux system that could be at risk should you not ensure their protection.
Historical Examples of Linux DDoS Attacks
Unfortunately, it's not difficult to cite examples of DDoS attacks aimed at Linux-powered sites, services, or infrastructure. With so much of the internet relying on Linux to function, such incidents of attacks in network security are almost a given. Perhaps the most well-known recent example was a DDoS attack on Amazon's massive AWS infrastructure in February 2020. It was, at the time, the most significant DDoS attack in history, sending a gigantic flood of data at 2.3 Tbps to Amazon's servers. The attacker used a reflection attack, similar to an NTP attack, but targeting the Connectionless Lightweight Directory Access Protocol (CLDAP) instead.
Another example of Linux-targeted DDoS attacks happened in July 2022, leveraging a botnet known as Mantis. It was an HTTP flood attack aimed at over 1,000 customers of Cloudflare, a major internet infrastructure company. The attack was most notable for its ferocity, reaching a rate of an astonishing 26 million requests per second at one point.
In both cases, the attacks did untold financial damage to their targets and prevented legitimate users from accessing hundreds of sites and services for significant periods. For administrators, they also created major headaches. In the aftermath of major DDoS attacks like these, admins have to review servers from top to bottom and often need to conduct cleanups to get everything running again.
How Can I Mitigate Linux DDoS Attacks?
There are a variety of methods you can use to mitigate the effects of DDoS attacks on a Linux server. The simplest way to do this, of course, is to engage network service providers like Cloudflare, Akamai, Imperva, and others to act as a shield for your servers. Those services feature advanced, built-in DDoS attack detection technology that can spot and halt DDoS attacks before connections ever reach your servers.
There are also a few things you can do on your Linux servers themselves that will help blunt the effects of a DDoS attack. First, there are a variety of additions you can make to your server's sysctl.conf file that will help it withstand the most common DDoS attacks. Then, you can also add some simple iptables rules that will drop or reject most kinds of malicious traffic, such as:
- Block Invalid Packets - iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
- Block Non-SYN Packets on New Connections - iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
- Block Unusual Max Segment Sizes - iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
The three entries above are a good start, but there are plenty of other rules that can help too, which you can find here.
The good news is that these settings work well on cloud-based Linux deployments, too. And when you combine them with the aforementioned protection services, you can be reasonably sure that your cloud deployment will weather any DDoS storm. Also, major cloud providers like Amazon and Google have their own built-in DDoS mitigation services you could use as well.
Top Misunderstandings and Misconceptions about DDoS Attacks
Unfortunately, the tech media treats DDoS attacks as a monolithic network security threat and spreads quite a bit of unintentional misinformation about them. That's a big reason why there are so many Linux admins who misunderstand the issues they face and what they mean. The biggest misconception among these is that DDoS attacks only befall large organizations because most articles on the subject only discuss service provider level victims.
For example, in the two attacks detailed earlier in this article, only Cloudflare and AWS were mentioned as direct targets. However, in both cases, it was hundreds or thousands of their customers who were the real targets of the attacks on network security. This means every Linux admin, no matter how small a site or service they're running, needs to remain vigilant.
Another major misconception is that deploying an anti-DDoS product is a viable set-it-and-forget-it solution. In most cases, admins will still need knowledge about dealing with a DDoS attack to effectively use such products. This is because, while many such products do offer some automated mitigation responses, there will always be a need for admins to take direct control and guide the response to an attack.
Open-Source DDoS Mitigation Tools for Defense
Although plenty of commercial DDoS mitigation solutions are available, it's a safe bet that most Linux admins would prefer to keep their stack as open-source as possible. To help with that, here are three excellent open-source DDoS mitigation options:
Formerly known as the OWASP HTTP POST tool, Switchblade is an open-source utility that allows Linux admins to simulate various DDoS attack types on their systems. It's an excellent way to see if your defensive measures work and, if not, gain insight into addressing remaining network security issues.
Although primarily known as a web server and reverse proxy platform, NGINX also works well as an open-source DDoS defensive measure. There's voluminous information on configuring it for the purpose of preventing attacks on network security, too.
DDoS Deflate is a suite of shell script tools aimed at giving Linux admins the ability to halt in-progress DDoS attacks. It has various features, including the ability to whitelist or blacklist IP ranges, rate-limit addresses with too many open connections, and more.
Final Thoughts on Preventing Linux DDoS Attacks
The bottom line is that DDoS attacks are an ever-present threat to Linux servers and other types of connected infrastructure. They're common enough that there's no server—no matter how insignificant—that should go without protection from them. Fortunately, basic anti-DDoS measures aren't tricky to implement, and security pros aren’t the only ones who can safeguard their systems against this threat. However, Linux admins shouldn't simply set them up and walk away; instead, they should try to stay up-to-date on the latest emerging patterns and attack types. This can help admins avoid future network security issues and evade current ones with these basic preventative measures. With care and vigilance, safety for Linux servers from the network security threat of DDoS disruptions is possible.