
5 Ways You Can Prevent DDoS On Linux AWS (W/O Using 3rd Party Tools)

This article walks you through the checks you should run before confirming a DDoS attack, and then lists the steps to follow to prevent DDoS on a Linux AWS instance without using any third-party tools.

**I’m expecting that the moment I publish this article my website will come under DDoS attacks, just like it happened before when I published an article on how to protect your AWS infrastructure from DDoS attacks.**


Detecting DDoS on a Linux AWS instance

It is important first to confirm that what you are seeing really is a DDoS. While working for a couple of customers I have had cases where they reported a DDoS on their EC2 instance which, after detailed analysis, turned out to be a brute-force attack.

So I suggest a few tasks to perform in order to distinguish a DDoS from other attacks.

Task list:

1. Monitor and log in to the instance: Go through the CloudWatch logs and check whether the instance is at its maximum resource utilization. Sometimes it becomes difficult even to log in, because the instance is at maximum CPU utilization; in that case there is not much you can do other than the following:

Solution: if you are unable to log in

  • Take a snapshot of the instance first, then reboot. The snapshot lets you retrieve information later that might no longer be available after the reboot; remember to select the "No reboot" option when creating the AMI or snapshot.
  • Once the snapshot has been taken, reboot the instance.

This way you will be able to regain access to the instance.

2. Use the netstat utility to monitor connections: This is the first thing to do once you have logged into the instance. netstat is used to fetch network statistics.

Use the following commands:

  • To see which ports are open (here filtering for port 80): netstat -tulpn | grep "80"
  • To list the IPs that have the most connections to your server: netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
  • In some cases attackers use only a few connections per source IP, which makes the attack harder to detect. In that scenario, the important thing to check is the total number of active connections your server currently has. For that, run: netstat -n | grep :80 | wc -l
  • You can also run: netstat -n | grep :80 | grep SYN | wc -l

The number of active connections reported by the first command (netstat -n | grep :80 | wc -l) will vary, but if it shows more than 500 connections you are definitely having a DDoS problem.

If the result of netstat -n | grep :80 | grep SYN | wc -l is 100 or above, you are dealing with a SYN attack.

Once you have completed the tasks above you should be able to identify the IP addresses attacking your instance, and you can then block them.
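As an added example (not part of the original article), the shell script below wraps the netstat checks above into reusable functions: total connections on the port, half-open (SYN_RECV) connections, and the per-source ranking, and then applies the article's 500/100 rules of thumb to produce a verdict. SAMPLE_NETSTAT is constructed to look like `netstat -an` output during a small flood; the function names, PORT and the threshold variables are this script's own, not netstat options.

```shell
#!/bin/sh
# Added example, not from the original article: summarise `netstat -an` output
# to tell a connection flood or SYN flood from a few noisy clients.
# Expected columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State

PORT="${PORT:-80}"                          # service port to examine
CONN_THRESHOLD="${CONN_THRESHOLD:-500}"     # article's rule of thumb: total connections
SYN_THRESHOLD="${SYN_THRESHOLD:-100}"       # article's rule of thumb: half-open connections

# Constructed sample (documentation-range addresses) standing in for a live snapshot.
SAMPLE_NETSTAT='tcp        0      0 10.0.1.5:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.1.5:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.1.5:80           203.0.113.9:40001       SYN_RECV
tcp        0      0 10.0.1.5:80           203.0.113.9:40002       SYN_RECV
tcp        0      0 10.0.1.5:80           203.0.113.9:40003       SYN_RECV
tcp        0      0 10.0.1.5:80           203.0.113.10:40004      SYN_RECV
tcp        0      0 10.0.1.5:22           192.0.2.44:55000        ESTABLISHED
tcp        0      0 0.0.0.0:80            0.0.0.0:*               LISTEN'

# TCP connections on $PORT that have a remote peer (the LISTEN socket itself is excluded).
count_port_conns() {
  awk -v p=":$PORT" '$1 ~ /^tcp/ && $4 ~ (p "$") && $6 != "LISTEN" {n++} END {print n+0}'
}

# Half-open connections on $PORT: this is the number that climbs during a SYN flood.
count_syn_recv() {
  awk -v p=":$PORT" '$1 ~ /^tcp/ && $4 ~ (p "$") && $6 == "SYN_RECV" {n++} END {print n+0}'
}

# Connections per remote IP on $PORT, most active first (the article's sort | uniq -c idea).
top_sources() {
  awk -v p=":$PORT" '$1 ~ /^tcp/ && $4 ~ (p "$") && $6 != "LISTEN" {split($5, a, ":"); print a[1]}' \
    | sort | uniq -c | sort -rn
}

# Read one netstat snapshot from stdin, print a summary, and return
# 0 = within thresholds, 1 = connection flood, 2 = SYN flood pattern.
assess() {
  snapshot=$(cat)
  total=$(printf '%s\n' "$snapshot" | count_port_conns)
  syn=$(printf '%s\n' "$snapshot" | count_syn_recv)
  printf 'port %s: %s connections, %s half-open\n' "$PORT" "$total" "$syn"
  if [ "$syn" -ge "$SYN_THRESHOLD" ]; then
    echo "verdict: SYN flood pattern (check tcp_syncookies, rate-limit NEW connections)"
    return 2
  elif [ "$total" -ge "$CONN_THRESHOLD" ]; then
    echo "verdict: connection flood (review top_sources, block or connlimit the sources)"
    return 1
  fi
  echo "verdict: within thresholds"
  return 0
}

# Stand-alone demo on the constructed sample; on a live instance use:  netstat -an | assess
printf '%s\n' "$SAMPLE_NETSTAT" | top_sources
printf '%s\n' "$SAMPLE_NETSTAT" | assess
```

netstat comes from net-tools; `ss -ant` prints its columns in a different order, so adjust the awk field numbers before feeding it ss output. Treat the thresholds as starting points only: a busy site legitimately exceeds 500 connections, so compare the numbers with the instance's normal baseline in CloudWatch before blocking anything.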

Preventing DDoS on a Linux AWS EC2 instance

Now that you have identified the DDoS attack, we will block traffic from these IPs.

3. Block the IP address: There are two ways to block IPs. The first is via the route command, which shows and manipulates the kernel IP routing table; a reject route stops the kernel from sending any packet to that address, so connections from it can never complete.

  • Run the following to block the attacking IP (or any other specific IP): route add -host IPADDRESS reject
  • Once you have blocked a particular IP on the server, you can cross-check that it is blocked with: route -n | grep IPADDRESS

4. Use sysctl settings to disallow malicious traffic:

You can enable these kernel protections by adding the following to /etc/sysctl.conf:

# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
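A line in /etc/sysctl.conf takes effect only after `sysctl -p` (or `sysctl --system`, which also loads /etc/sysctl.d/*.conf) or a reboot, so it is worth checking the live kernel values rather than the file. The script below is an added example, not from the original article: it reads the two settings straight from /proc/sys and reports any that differ from the recommended value. SYS_ROOT and the function names are this script's own assumptions (SYS_ROOT exists only so the check can run against a constructed /proc tree; leave it unset on a real host).

```shell
#!/bin/sh
# Added example, not from the original article: confirm the recommended sysctl
# hardening values are live on the running kernel. Reading /proc/sys needs no root.
SYS_ROOT="${SYS_ROOT:-}"   # assumption of this script: prefix for a fake /proc tree in tests

# key=value pairs recommended in the article, one per line
DESIRED_SYSCTLS='net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1'

# Map a sysctl key (dotted) to its /proc/sys path (slashes).
sysctl_path() {
  printf '%s/proc/sys/%s\n' "$SYS_ROOT" "$(printf '%s' "$1" | tr '.' '/')"
}

# Print the live value of one key, or "missing" if the kernel does not expose it.
sysctl_live() {
  f=$(sysctl_path "$1")
  if [ -r "$f" ]; then tr -d '\n' < "$f"; else printf 'missing'; fi
}

# Print one DRIFT line per key whose live value differs from the desired one.
sysctl_drift() {
  printf '%s\n' "$DESIRED_SYSCTLS" | while IFS='=' read -r key want; do
    have=$(sysctl_live "$key")
    [ "$have" = "$want" ] || printf 'DRIFT %s: have %s, want %s\n' "$key" "$have" "$want"
  done
}

# Return 0 when every desired value is live, 1 otherwise (usable from cron or a health check).
sysctl_ok() {
  [ -z "$(sysctl_drift)" ]
}

# Stand-alone run: report drift on this host. After editing /etc/sysctl.conf,
# run `sysctl -p` as root and re-run this until it prints nothing.
sysctl_drift
```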

5. Use iptables to block IPs and IP ranges: iptables is a much more advanced option for limiting traffic.

  • Run the following to block an IP or IP range (inserted at position 1 so it is evaluated before any ACCEPT rule; use -j DROP or -j REJECT as the target):
    iptables -I INPUT 1 -s IPADDRESS -j DROP
  • Here are some more iptables rules you can use in order to protect your instance against various types of DDoS attack:

    ### 1: Drop invalid packets ###
    /sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

    ### 2: Drop TCP packets that are new and are not SYN ###
    /sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    ### 3: Drop SYN packets with suspicious MSS value ###
    /sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

    ### 4: Drop ICMP (you usually don't need this protocol; note that this also drops the "fragmentation needed" messages that path MTU discovery relies on) ###
    /sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP

    ### 5: Drop fragments in all chains ###
    /sbin/iptables -t mangle -A PREROUTING -f -j DROP

    ### 6: Limit connections per source IP ###
    /sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

    ### 7: Limit new TCP connections per second (this limit is global, not per source IP; use -m hashlimit --hashlimit-mode srcip for a per-source limit) ###
    /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

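Blocking one address at a time by hand does not scale once the netstat ranking shows dozens of sources, and re-running the same `iptables -I` line duplicates the rule. The script below is an added example, not from the original article: it reads a blocklist (one IP or CIDR per line), validates each entry, refuses entries that would lock you out (0.0.0.0/0, loopback, or your own admin range), and uses `iptables -C` to skip rules that already exist. DRY_RUN, ADMIN_CIDR, SAMPLE_BLOCKLIST and the function names are this script's own assumptions, not iptables options.

```shell
#!/bin/sh
# Added example, not from the original article: apply a blocklist with iptables
# idempotently, with input validation and a dry-run mode for review.
DRY_RUN="${DRY_RUN:-1}"        # assumption of this script: 1 = print commands, 0 = run them (root)
ADMIN_CIDR="${ADMIN_CIDR:-}"   # assumption of this script: your own source range, never blocked

# Constructed sample blocklist: two valid entries, a comment, a blank line, and two bad entries.
SAMPLE_BLOCKLIST='203.0.113.9
# attacking range seen in netstat ranking
203.0.113.0/24

0.0.0.0/0
bogus'

# Accept dotted-quad IPv4 with an optional /0-32 prefix; reject anything else.
valid_ipv4_cidr() {
  ip=${1%%/*}; pfx=${1#*/}
  [ "$pfx" = "$1" ] && pfx=32                      # no slash: treat as a single host
  case "$pfx" in ''|*[!0-9]*) return 1;; esac
  [ "$pfx" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs    # split the address into octets
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Ranges a DROP rule must never cover: everything, loopback, or the admin's own range.
is_protected() {
  case "$1" in 0.0.0.0/0|0.0.0.0|127.*) return 0;; esac
  [ -n "$ADMIN_CIDR" ] && [ "$1" = "$ADMIN_CIDR" ]
}

# Print or execute an iptables command depending on DRY_RUN.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Insert a DROP rule at the top of INPUT for one entry unless it is invalid, protected, or present.
block_entry() {
  entry=$1
  if ! valid_ipv4_cidr "$entry"; then printf 'SKIP %s: not a valid IPv4/CIDR\n' "$entry" >&2; return 1; fi
  if is_protected "$entry"; then printf 'SKIP %s: protected range\n' "$entry" >&2; return 1; fi
  if [ "$DRY_RUN" != 1 ] && iptables -C INPUT -s "$entry" -j DROP 2>/dev/null; then
    printf 'EXISTS %s\n' "$entry"; return 0       # -C succeeds only if the rule already exists
  fi
  ipt -I INPUT 1 -s "$entry" -j DROP
}

# Apply every entry read from stdin; blank lines and anything after # are ignored.
block_from_stdin() {
  n=0
  while read -r line; do
    line=${line%%#*}
    set -- $line
    [ $# -eq 0 ] && continue
    block_entry "$1" && n=$((n+1))
  done
  printf 'applied %s rule(s)\n' "$n"
}

# Stand-alone demo on the constructed sample. For real use, as root:
#   DRY_RUN=0 ADMIN_CIDR=<your range> sh block.sh < /path/to/blocklist.txt
printf '%s\n' "$SAMPLE_BLOCKLIST" | block_from_stdin
```

Run it first with the default DRY_RUN=1 and read the generated commands before setting DRY_RUN=0. Also keep in mind that a DROP rule on the instance only spares the application: the packets have already crossed the network to the host, so the rule reduces CPU and socket pressure but not inbound bandwidth.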
These are a few ways you can efficiently prevent DDoS on Linux AWS EC2 instances.

Comment below with your queries and views on this article.

I hope this helps!  

-Bhargav