How to set up defense against DDoS attacks on Linux

How to set up defense against DDoS attacks on Linux

With the rapid development of the Internet, network security threats are also increasing. One of the common attack methods is a distributed denial of service (DDoS) attack. DDoS attacks are designed to overload a target network or server so that it cannot function properly. On Linux, there are some measures we can take to defend against this attack. This article will introduce some common defense strategies and provide corresponding code examples.

1. Limit connection speed
   DDoS attacks usually tend to exhaust system resources through a large number of connection requests. We can use the iptables tool to limit the connection speed of a single IP address. The code example below will allow up to 10 new connections per second, connections above this speed will be dropped.

iptables -A INPUT -p tcp --syn -m limit --limit 10/s --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

2. Using SYN cookies
   SYN flooding attacks in DDoS attacks are a common way to consume system resources by exploiting vulnerabilities in the TCP three-way handshake protocol. The Linux kernel provides a SYN cookies mechanism to defend against this attack. With SYN cookies enabled, the server will not consume too many resources when processing connection requests. The following code example demonstrates how to enable SYN cookies.

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

3. Reinforce the operating system
   In order to defend against DDoS attacks, we need to ensure the security of the operating system. This includes updating the operating system and installing the latest security patches, disabling unnecessary services and ports, configuring file system protection, and more. The following code example shows how to disable unnecessary services.

# 停止服务
service <service_name> stop
# 禁止服务开机自启
chkconfig <service_name> off

4. Using a firewall
   The firewall is the first line of defense for our system, which can limit external access and filter malicious traffic. On Linux, iptables is a powerful firewall tool. The following code example shows how to configure iptables to block access from specific IP addresses.

iptables -A INPUT -s <IP_address> -j DROP

5. Using a reverse proxy
   A reverse proxy server can help us spread the traffic and direct the traffic to multiple servers, thereby reducing the load on a single server. Common reverse proxy servers include Nginx and HAProxy. The code example below shows how to use Nginx for reverse proxy configuration.

http {
  ...
  upstream backend {
    server backend1.example.com;
    server backend2.example.com;
    server backend3.example.com;
  }

  server {
    listen 80;
    location / {
      proxy_pass http://backend;
    }
  }
}

Summary
We can effectively defend against DDoS attacks on Linux systems by limiting connection speeds, using SYN cookies, hardening the operating system, using firewalls, and using reverse proxies. However, a single defense measure cannot completely solve such attacks, so it is recommended to adopt a combination of multiple strategies to improve system security.

The above is the detailed content of How to set up defense against DDoS attacks on Linux. For more information, please follow other related articles on the PHP Chinese website!