DDoS Protection Strategies for Linux Servers

Distributed Denial of Servicio attacks overwhelm servers with traffic from multiple sources, making legitimate traffic unreachable. Linux proporciona multiple kernel-level and application-level techniques to mitigate DDoS attacks. Esta guía cubre enabling SYN cookies, configuring connection limits, implementing iptables hashlimit rules, using nftables for advanced filtering, kernel tuning for attack resilience, and monitoring techniques for attack detection and mitigation.

Tabla de Contenidos

System Requirements

DDoS mitigation requires appropriate kernel features and red bandwidth:

  • Linux kernel 4.4 or newer
  • Root access for firewall rule modification
  • Sufficient red bandwidth to handle attack traffic
  • Fast CPU for packet processing
  • Monitoreo tools for detection
  • Optional: Load balancing or CDN for large-scale mitigation

Check kernel capabilities:

uname -r
zgrep CONFIG_SYN_COOKIES /proc/config.gz
zgrep CONFIG_NFQUEUE /proc/config.gz

Comprendiendo DDoS Attacks

Common DDoS attack types and their characteristics:

  1. SYN Flood: Attacker sends many SYN packets without completing handshake
  2. UDP Flood: Massive volumen of UDP packets to saturate bandwidth
  3. HTTP Flood: Application-level attacks with legitimate-looking requests
  4. DNS Amplification: Exploits DNS servers to amplify traffic
  5. ICMP Flood: Overwhelming ICMP echo requests (ping)

SYN cookies prevent SYN flood attacks by using clever cryptography to avoid storing half-open connections.

Habilita SYN cookies:

sudo sysctl -w net.ipv4.tcp_syncookies=1

Verifica it's enabled:

cat /proc/sys/net/ipv4/tcp_syncookies

Make it permanent:

sudo nano /etc/sysctl.conf

Add or uncomment:

net.ipv4.tcp_syncookies = 1

Apply:

sudo sysctl -p

Configura SYN flood protection parameters:

sudo sysctl -w net.ipv4.tcp_syn_retries=2
sudo sysctl -w net.ipv4.tcp_synack_retries=2
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=4096

Persistent settings:

net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096

Monitorea SYN attacks:

watch -n 1 'netstat -an | grep SYN_RECV | wc -l'

Check connection states:

ss -s

Shows TCP connection statistics including SYN_RECV count.

Connection Limits

Limit concurrent connections per IP address to mitigate volumetric attacks.

Set maximum connections per IP:

sudo sysctl -w net.ipv4.tcp_max_tw_buckets=2000000
sudo sysctl -w net.core.somaxconn=16384
sudo sysctl -w net.ipv4.tcp_fin_timeout=30
sudo sysctl -w net.ipv4.tcp_tw_reuse=1

Persistent configuration:

net.ipv4.tcp_max_tw_buckets = 2000000
net.core.somaxconn = 16384
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0  # Better than tcp_tw_recycle

Deshabilita IPv6 if not needed (reduces attack surface):

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1

Limit ICMP echo requests to prevent ICMP floods:

sudo sysctl -w net.ipv4.icmp_echo_ignore_all=0  # Habilita below settings first
sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sudo sysctl -w net.ipv4.conf.all.rp_filter=1
sudo sysctl -w net.ipv4.conf.default.rp_filter=1

Monitorea connection statistics:

watch -n 1 'ss -s'

Check TIME_WAIT connections:

netstat -an | grep TIME_WAIT | wc -l
ss -tan | grep TIME_WAIT | wc -l

iptables Rate Limiting

Use iptables hashlimit module for sophisticated rate limiting.

Instala iptables if needed:

sudo apt-get install -y iptables

Crea a hashlimit rule to limit connections per IP:

sudo iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit 50/minute --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name http-limit -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j DROP

Limit SSH connections:

sudo iptables -A INPUT -p tcp --dport 22 -m hashlimit --hashlimit 5/minute --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name ssh-limit -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

Crea HTTPS rate limit:

sudo iptables -A INPUT -p tcp --dport 443 -m hashlimit --hashlimit 50/minute --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name https-limit -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j DROP

Rate limit DNS queries:

sudo iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit 100/second --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name dns-limit -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j DROP

Bloquea ICMP floods:

sudo iptables -A INPUT -p icmp -m hashlimit --hashlimit 5/second --hashlimit-burst 10 --hashlimit-mode srcip -j ACCEPT
sudo iptables -A INPUT -p icmp -j DROP

Limit new connections globally:

sudo iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
sudo iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 60 -j DROP

View loaded hashlimit rules:

sudo iptables -L -n
sudo iptables -t mangle -L -n

Save rules:

sudo iptables-save > /etc/iptables/rules.v4

nftables Configuración

Use nftables (successor to iptables) for advanced DDoS protection.

Crea nftables rules:

sudo nano /etc/nftables.conf

Complete DDoS protection ruleset:

#!/usr/bin/nft -f

flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0;
    
    # Permite established and related
    ct state established,related accept
    
    # Permite loopback
    iifname lo accept
    
    # Drop invalid
    ct state invalid drop
    
    # SYN flood protection
    tcp flags syn / syn,ack counter jump syn-flood
    
    # UDP flood protection
    udp dport { 53, 123 } limit rate 100/second accept
    udp dport { 53, 123 } drop
    
    # ICMP flood protection
    icmp type echo-request limit rate 4/second accept
    icmp type echo-request drop
    
    # SSH rate limit
    tcp dport 22 limit rate 5/minute accept
    tcp dport 22 drop
    
    # HTTP(S) rate limit
    tcp dport { 80, 443 } limit rate 50/minute accept
    tcp dport { 80, 443 } drop
    
    # DNS amplification protection
    ip protocol udp ip daddr 127.0.0.1 reject
  }
  
  chain syn-flood {
    # Permite 5 SYN per second
    limit rate 5/second accept
    drop
  }
  
  chain forward {
    type filter hook forward priority 0;
    accept
  }
  
  chain output {
    type filter hook output priority 0;
    accept
  }
}

Apply nftables:

sudo nft -f /etc/nftables.conf

Habilita nftables servicio:

sudo systemctl enable nftables
sudo systemctl start nftables

View rules:

sudo nft list ruleset

Monitorea hits:

sudo nft list ruleset -a

Kernel Tuning

Optimiza kernel parameters for DDoS resilience.

Crea comprehensive tuning configuration:

sudo nano /etc/sysctl.d/99-ddos-protection.conf

Content:

# SYN Flood Protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096

# Connection handling
net.core.somaxconn = 16384
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1

# IP forwarding security
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0

# ICMP handling
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv6.conf.all.disable_ipv6 = 1

# Reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Deshabilita source packet routing
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Deshabilita ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# TCP hardening
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_congestion_control = bbr

# Red buffer tuning
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.udp_mem = 8388608 12582912 16777216

Apply settings:

sudo sysctl -p /etc/sysctl.d/99-ddos-protection.conf

Verifica settings:

sudo sysctl -a | grep -E "syn|backlog|somaxconn|fin_timeout|tw_"

Application-Level Protection

Implement web server-level DDoS protection.

Configura Nginx rate limiting:

sudo nano /etc/nginx/nginx.conf

Add rate limiting:

# Define rate limit zones
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=guarded:10m rate=1r/s;
limit_conn_zone $binary_remote_addr zone=connections:10m;

server {
    listen 80;
    server_name example.com;
    
    # Apply rate limiting
    limit_req zone=one burst=20 nodelay;
    limit_conn connections 10;
    
    # Mitigate slow attack
    client_max_body_size 10m;
    client_body_timeout 10s;
    client_header_timeout 10s;
    
    location /api {
        limit_req zone=guarded burst=5;
    }
}

Configura Apache rate limiting:

sudo nano /etc/apache2/mods-enabled/ratelimit.conf

Content:

<IfModule mod_ratelimit.c>
    # Rate limit bandwidth
    <Location /api>
        SetOutputFilter RATE_LIMIT
        ModRateLimit On
        ModRateLimit ratio=1000
    </Location>
</IfModule>

Monitoreo and Detection

Monitorea for DDoS attacks in real-time.

Monitorea red connections:

# Watch connection states
watch -n 1 'netstat -an | grep -E "ESTABLISHED|SYN_RECV|TIME_WAIT" | wc -l'

# Show top sources
netstat -an | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -20

# Monitorea bandwidth usage
iftop -n
nethogs

Check attack indicators:

# High SYN_RECV indicates SYN flood
netstat -an | grep SYN_RECV | wc -l

# High connections from single IP
netstat -an | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -10

# Monitorea UDP traffic
netstat -an | grep udp

Use tools for monitoring:

# Instala monitoring tools
sudo apt-get install -y iftop nethogs vnstat

# Monitorea real-time traffic
sudo iftop
sudo nethogs

# View traffic history
vnstat -h

Log suspicious activity:

# Monitorea firewall logs
sudo tail -f /var/log/kern.log | grep DROP

# Count dropped packets
grep DROP /var/log/syslog | wc -l

Avanzado Mitigation

Implement advanced DDoS mitigation techniques.

Use traffic shaping to prioritize legitimate traffic:

sudo tc qdisc add dev eth0 root tbf rate 1gbit burst 32kbit latency 400ms

Implement CAKE (Common Applications Kept Enhanced) qdisc:

sudo tc qdisc add dev eth0 root cake bandwidth 1gbit diffserv4

Configura fail2ban for attack IPs:

sudo nano /etc/fail2ban/jail.d/ddos-protection.local

Content:

[ddos-filter]
enabled = true
puerto = http,https
filter = ddos-detection
logpath = /var/log/nginx/access.log
maxretry = 100
findtime = 60
bantime = 3600
action = iptables-multiport[name=DDoS, puerto="http,https"]

Use WAF (Web Application Firewall) like ModSecurity:

sudo apt-get install -y libapache2-mod-security2
sudo a2enmod security2

Conclusión

DDoS protection requires a multi-layered approach combining kernel tuning, firewall rules, application-level limits, and monitoring. By following this guide, you've implemented SYN cookie protection for SYN floods, configured connection limits, deployed hashlimit rules with iptables, created advanced nftables rulesets, tuned kernel parameters for resilience, implemented application-level rate limiting, and established monitoring for attack detection. Regular updates and parameter tuning asegúrate de que effectiveness against evolving attack vectors. Whether protecting small servicios or large infrastructure, proper DDoS mitigation significantly reduces attack impact and maintains servicio availability.