August 7


Managing a DDOS Attack with Config Server Firewall

I’m writing this as we get questions from some of our VPS Clients using cPanel and CSF as to how to block or stop a DDOS attack when it occurs.

There are many ways, but we use the steps below, which seem to help a lot.

Do it in the below order 🙂

To show the number of connections per IP address

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
(The above shows you how many connections are currently active. If you see thousands and the number keeps increasing, continue.)
netstat -alpn | grep :80 | awk '{print $4}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -n

To verify an IP is blocked

iptables -L -n | grep 'IP_ADDR_HERE'
Block the IP using the above, or do it via the CSF interface if it can be accessed.


vi /etc/csf/csf.conf

Set CT_LIMIT to 30, then set it back to 100 or 200 after the attack stops.

CT_LIMIT = "30"

Set SYNFLOOD to 1, then set it back to 0 after the DDoS attack stops.
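
Before lowering CT_LIMIT it helps to see which remote addresses would actually exceed the new value. The script below is an added example, not part of the original post or of CSF: it does the same per-IP count as the first netstat command, but strips only the trailing port, so IPv4-mapped IPv6 rows (where `cut -d: -f1` returns an empty field) are still counted. The function names `over_limit`, `emit` and `sample_netstat` and the sample rows are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# over_limit LIMIT: read `netstat -ntu` output on stdin and print "COUNT IP"
# for every remote address holding more than LIMIT connections.
over_limit() {
    awk -v limit="$1" '
        $1 ~ /^(tcp|udp)/ {              # connection rows only, skip headers
            addr = $5                    # Foreign Address column
            sub(/:[0-9*]+$/, "", addr)   # strip the trailing :port only
            sub(/^::ffff:/, "", addr)    # fold IPv4-mapped IPv6 into IPv4
            count[addr]++
        }
        END {
            for (ip in count)
                if (count[ip] > limit) print count[ip], ip
        }' | sort -rn
}

# emit N PROTO LOCAL REMOTE STATE: helper that prints N constructed rows.
emit() {
    i=0
    while [ "$i" -lt "$1" ]; do
        echo "$2 0 0 $3 $4:$((40000 + i)) $5"
        i=$((i + 1))
    done
}

# Constructed sample (documentation address ranges), not captured traffic.
sample_netstat() {
    echo "Active Internet connections (w/o servers)"
    echo "Proto Recv-Q Send-Q Local Address Foreign Address State"
    emit 35 tcp  192.0.2.10:80        203.0.113.7          SYN_RECV
    emit 31 tcp6 ::ffff:192.0.2.10:80 ::ffff:198.51.100.23 ESTABLISHED
    emit 3  tcp  192.0.2.10:80        192.0.2.55           ESTABLISHED
}

# Demo on the sample; on a live server use: netstat -ntu | over_limit 30
sample_netstat | over_limit 30
```

Running it with the limit you plan to set shows whether legitimate clients, such as a proxy or office NAT address, would be caught as well.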


We do hope the above helps.

