DDoS Protection Strategies for Linux Servers

Distributed Denial of Service attacks overwhelm servers with traffic from multiple sources, making legitimate traffic unreachable. Linux provides multiple kernel-level and application-level techniques to mitigate DDoS attacks. This guide covers enabling SYN cookies, configuring connection limits, implementing iptables hashlimit rules, using nftables for advanced filtering, kernel tuning for attack resilience, and monitoring techniques for attack detection and mitigation.

Table of Contents

System Requirements

DDoS mitigation requires appropriate kernel features and network bandwidth:

  • Linux kernel 4.4 or newer
  • Root access for firewall rule modification
  • Sufficient network bandwidth to handle attack traffic
  • Fast CPU for packet processing
  • Monitoring tools for detection
  • Optional: Load balancing or CDN for large-scale mitigation

Check kernel capabilities:

uname -r
zgrep CONFIG_SYN_COOKIES /proc/config.gz
zgrep CONFIG_NFQUEUE /proc/config.gz

Understanding DDoS Attacks

Common DDoS attack types and their characteristics:

  1. SYN Flood: Attacker sends many SYN packets without completing handshake
  2. UDP Flood: Massive volume of UDP packets to saturate bandwidth
  3. HTTP Flood: Application-level attacks with legitimate-looking requests
  4. DNS Amplification: Exploits DNS servers to amplify traffic
  5. ICMP Flood: Overwhelming ICMP echo requests (ping)

SYN cookies prevent SYN flood attacks by using clever cryptography to avoid storing half-open connections.

Enable SYN cookies:

sudo sysctl -w net.ipv4.tcp_syncookies=1

Verify it's enabled:

cat /proc/sys/net/ipv4/tcp_syncookies

Make it permanent:

sudo nano /etc/sysctl.conf

Add or uncomment:

net.ipv4.tcp_syncookies = 1

Apply:

sudo sysctl -p

Configure SYN flood protection parameters:

sudo sysctl -w net.ipv4.tcp_syn_retries=2
sudo sysctl -w net.ipv4.tcp_synack_retries=2
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=4096

Persistent settings:

net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096

Monitor SYN attacks:

watch -n 1 'netstat -an | grep SYN_RECV | wc -l'

Check connection states:

ss -s

Shows TCP connection statistics including SYN_RECV count.

Connection Limits

Limit concurrent connections per IP address to mitigate volumetric attacks.

Set maximum connections per IP:

sudo sysctl -w net.ipv4.tcp_max_tw_buckets=2000000
sudo sysctl -w net.core.somaxconn=16384
sudo sysctl -w net.ipv4.tcp_fin_timeout=30
sudo sysctl -w net.ipv4.tcp_tw_reuse=1

Persistent configuration:

net.ipv4.tcp_max_tw_buckets = 2000000
net.core.somaxconn = 16384
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0  # Better than tcp_tw_recycle

Disable IPv6 if not needed (reduces attack surface):

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1

Limit ICMP echo requests to prevent ICMP floods:

sudo sysctl -w net.ipv4.icmp_echo_ignore_all=0  # Enable below settings first
sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sudo sysctl -w net.ipv4.conf.all.rp_filter=1
sudo sysctl -w net.ipv4.conf.default.rp_filter=1

Monitor connection statistics:

watch -n 1 'ss -s'

Check TIME_WAIT connections:

netstat -an | grep TIME_WAIT | wc -l
ss -tan | grep TIME_WAIT | wc -l

iptables Rate Limiting

Use iptables hashlimit module for sophisticated rate limiting.

Install iptables if needed:

sudo apt-get install -y iptables

Create a hashlimit rule to limit connections per IP:

sudo iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit 50/minute --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name http-limit -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j DROP

Limit SSH connections:

sudo iptables -A INPUT -p tcp --dport 22 -m hashlimit --hashlimit 5/minute --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name ssh-limit -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

Create HTTPS rate limit:

sudo iptables -A INPUT -p tcp --dport 443 -m hashlimit --hashlimit 50/minute --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name https-limit -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j DROP

Rate limit DNS queries:

sudo iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit 100/second --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name dns-limit -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j DROP

Block ICMP floods:

sudo iptables -A INPUT -p icmp -m hashlimit --hashlimit 5/second --hashlimit-burst 10 --hashlimit-mode srcip -j ACCEPT
sudo iptables -A INPUT -p icmp -j DROP

Limit new connections globally:

sudo iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
sudo iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 60 -j DROP

View loaded hashlimit rules:

sudo iptables -L -n
sudo iptables -t mangle -L -n

Save rules:

sudo iptables-save > /etc/iptables/rules.v4

nftables Configuration

Use nftables (successor to iptables) for advanced DDoS protection.

Create nftables rules:

sudo nano /etc/nftables.conf

Complete DDoS protection ruleset:

#!/usr/bin/nft -f

flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0;
    
    # Allow established and related
    ct state established,related accept
    
    # Allow loopback
    iifname lo accept
    
    # Drop invalid
    ct state invalid drop
    
    # SYN flood protection
    tcp flags syn / syn,ack counter jump syn-flood
    
    # UDP flood protection
    udp dport { 53, 123 } limit rate 100/second accept
    udp dport { 53, 123 } drop
    
    # ICMP flood protection
    icmp type echo-request limit rate 4/second accept
    icmp type echo-request drop
    
    # SSH rate limit
    tcp dport 22 limit rate 5/minute accept
    tcp dport 22 drop
    
    # HTTP(S) rate limit
    tcp dport { 80, 443 } limit rate 50/minute accept
    tcp dport { 80, 443 } drop
    
    # DNS amplification protection
    ip protocol udp ip daddr 127.0.0.1 reject
  }
  
  chain syn-flood {
    # Allow 5 SYN per second
    limit rate 5/second accept
    drop
  }
  
  chain forward {
    type filter hook forward priority 0;
    accept
  }
  
  chain output {
    type filter hook output priority 0;
    accept
  }
}

Apply nftables:

sudo nft -f /etc/nftables.conf

Enable nftables service:

sudo systemctl enable nftables
sudo systemctl start nftables

View rules:

sudo nft list ruleset

Monitor hits:

sudo nft list ruleset -a

Kernel Tuning

Optimize kernel parameters for DDoS resilience.

Create comprehensive tuning configuration:

sudo nano /etc/sysctl.d/99-ddos-protection.conf

Content:

# SYN Flood Protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096

# Connection handling
net.core.somaxconn = 16384
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1

# IP forwarding security
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0

# ICMP handling
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv6.conf.all.disable_ipv6 = 1

# Reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable source packet routing
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# TCP hardening
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_congestion_control = bbr

# Network buffer tuning
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.udp_mem = 8388608 12582912 16777216

Apply settings:

sudo sysctl -p /etc/sysctl.d/99-ddos-protection.conf

Verify settings:

sudo sysctl -a | grep -E "syn|backlog|somaxconn|fin_timeout|tw_"

Application-Level Protection

Implement web server-level DDoS protection.

Configure Nginx rate limiting:

sudo nano /etc/nginx/nginx.conf

Add rate limiting:

# Define rate limit zones
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=guarded:10m rate=1r/s;
limit_conn_zone $binary_remote_addr zone=connections:10m;

server {
    listen 80;
    server_name example.com;
    
    # Apply rate limiting
    limit_req zone=one burst=20 nodelay;
    limit_conn connections 10;
    
    # Mitigate slow attack
    client_max_body_size 10m;
    client_body_timeout 10s;
    client_header_timeout 10s;
    
    location /api {
        limit_req zone=guarded burst=5;
    }
}

Configure Apache rate limiting:

sudo nano /etc/apache2/mods-enabled/ratelimit.conf

Content:

<IfModule mod_ratelimit.c>
    # Rate limit bandwidth
    <Location /api>
        SetOutputFilter RATE_LIMIT
        ModRateLimit On
        ModRateLimit ratio=1000
    </Location>
</IfModule>

Monitoring and Detection

Monitor for DDoS attacks in real-time.

Monitor network connections:

# Watch connection states
watch -n 1 'netstat -an | grep -E "ESTABLISHED|SYN_RECV|TIME_WAIT" | wc -l'

# Show top sources
netstat -an | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -20

# Monitor bandwidth usage
iftop -n
nethogs

Check attack indicators:

# High SYN_RECV indicates SYN flood
netstat -an | grep SYN_RECV | wc -l

# High connections from single IP
netstat -an | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -10

# Monitor UDP traffic
netstat -an | grep udp

Use tools for monitoring:

# Install monitoring tools
sudo apt-get install -y iftop nethogs vnstat

# Monitor real-time traffic
sudo iftop
sudo nethogs

# View traffic history
vnstat -h

Log suspicious activity:

# Monitor firewall logs
sudo tail -f /var/log/kern.log | grep DROP

# Count dropped packets
grep DROP /var/log/syslog | wc -l

Advanced Mitigation

Implement advanced DDoS mitigation techniques.

Use traffic shaping to prioritize legitimate traffic:

sudo tc qdisc add dev eth0 root tbf rate 1gbit burst 32kbit latency 400ms

Implement CAKE (Common Applications Kept Enhanced) qdisc:

sudo tc qdisc add dev eth0 root cake bandwidth 1gbit diffserv4

Configure fail2ban for attack IPs:

sudo nano /etc/fail2ban/jail.d/ddos-protection.local

Content:

[ddos-filter]
enabled = true
port = http,https
filter = ddos-detection
logpath = /var/log/nginx/access.log
maxretry = 100
findtime = 60
bantime = 3600
action = iptables-multiport[name=DDoS, port="http,https"]

Use WAF (Web Application Firewall) like ModSecurity:

sudo apt-get install -y libapache2-mod-security2
sudo a2enmod security2

Conclusion

DDoS protection requires a multi-layered approach combining kernel tuning, firewall rules, application-level limits, and monitoring. By following this guide, you've implemented SYN cookie protection for SYN floods, configured connection limits, deployed hashlimit rules with iptables, created advanced nftables rulesets, tuned kernel parameters for resilience, implemented application-level rate limiting, and established monitoring for attack detection. Regular updates and parameter tuning ensure effectiveness against evolving attack vectors. Whether protecting small services or large infrastructure, proper DDoS mitigation significantly reduces attack impact and maintains service availability.