I’m writing this as we get questions from some of our VPS clients using cPanel and CSF as to how to block or stop a DDoS attack when it occurs.
There are many ways, but we use the steps below, which seem to help a lot.
Do them in the order below 🙂
To show the number of connections and the IP address they come from:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

(The above shows you how many connections are currently active per IP. If you see thousands and the number keeps increasing, continue.)

netstat -alpn | grep :80 | awk '{print $4}' | awk -F: '{print $(NF-1)}' | sort | uniq -c | sort -n
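The first command above is what you want when the server is under load, but its `cut -d: -f1` step breaks on IPv6 or IPv4-mapped addresses (everything after the first colon is lost, so every IPv6 peer collapses into one bucket). The script below is an added example, not part of the original post or of CSF, that does the same per-IP count on `netstat -ntu` output while keeping the full address, and only prints peers at or above a threshold. The SAMPLE block is constructed for the demonstration and is not captured from any real host; `top_talkers` and `demo_top_talkers` are names chosen here.

```shell
#!/bin/sh
# Added example: count active connections per remote IP from `netstat -ntu`
# output and print the peers with at least THRESHOLD connections, busiest first.
# Live use on the VPS:   netstat -ntu | top_talkers 30
# Offline demonstration: demo_top_talkers 3   (uses the constructed SAMPLE below)

# top_talkers THRESHOLD  (reads netstat -ntu output on stdin)
# The port is stripped after the LAST colon, so "2001:db8::10:55000" becomes
# "2001:db8::10" instead of "2001" as it would with `cut -d: -f1`.
top_talkers() {
    threshold="${1:-30}"
    awk -v thr="$threshold" '
        $1 ~ /^(tcp|udp)/ {            # data rows only; skips both header lines
            ip = $5                    # Foreign Address column
            sub(/:[0-9]+$/, "", ip)    # drop the port, keep the whole address
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= thr) printf "%d %s\n", count[ip], ip
        }' | sort -rn
}

# Constructed sample of `netstat -ntu` output (hypothetical addresses from the
# documentation ranges; not real traffic). 198.51.100.7 has 4 connections,
# 203.0.113.9 has 2, the others have 1 each.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51022      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51023      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51024      SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.7:51025      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::10:55000      ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.1:33333         ESTABLISHED'

# demo_top_talkers THRESHOLD  - runs top_talkers over the constructed sample
demo_top_talkers() {
    printf '%s\n' "$SAMPLE" | top_talkers "$1"
}

demo_top_talkers 3
```

With a threshold of 3 the demo prints only `4 198.51.100.7`; with 2 it also lists `2 203.0.113.9`. A single peer holding dozens of connections is a candidate for a CSF deny, but check it is not a legitimate proxy, CDN or NAT gateway before blocking, since those legitimately front many users behind one address.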
To verify an IP is blocked:

iptables -L -n | grep 'IP_ADDR_HERE'

Block the IP with iptables, or do it via the CSF interface if it can be accessed.
CSF SETTINGS

vi /etc/csf/csf.conf

Set CT_LIMIT to 30; set it back to 100 or 200 after the attack stops.

CT_LIMIT = "30"

Set SYNFLOOD to 1; set it back to 0 after the DDoS attack stops.

SYNFLOOD = "1"

We do hope the above helps.