Mastering DDoS Attack Mitigation: 50 Essential Commands for Prevention and Defense (Part 3)

These commands, combined with the previously mentioned ones, offer a comprehensive toolkit for preventing and stopping DDoS attacks at the application layer. Implementing these commands and adopting a proactive defense approach will enhance your network security and resilience against DDoS threats. Remember to regularly monitor logs, analyze traffic patterns, and adjust your defense mechanisms as needed to stay one step ahead of potential attacks.

1. iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above <num> -j DROP: Limits the number of simultaneous connections to port 80, preventing connection exhaustion attacks.
2. fail2ban-client set <jail> addignoreip <IP>: Adds an IP address to the ignore list of Fail2Ban, preventing it from blocking legitimate traffic from that IP.
3. ufw limit <port>/tcp: Configures rate limiting using UFW on a specific port to protect against SYN flood attacks.
4. nginx -t: Verifies the syntax of Nginx configuration files to ensure correct configuration before applying changes.
5. apache2ctl configtest: Checks the syntax of Apache configuration files for errors before reloading the web server.
6. tail -f /var/log/httpd/access_log: Displays real-time updates of the Apache access log, allowing immediate monitoring of incoming HTTP requests.
7. tcpdump -i eth0 -n 'tcp[13] & 2 != 0': Captures only SYN packets to identify potential SYN flood attacks on the network interface eth0.
8. curl -I <URL>: Retrieves HTTP response headers for a specific URL, helping diagnose potential server misconfigurations or unusual responses.
9. iftop -i eth0: Monitors network traffic on the interface eth0 in real-time, providing insights into bandwidth usage and identifying abnormal traffic patterns.
10. netstat -an | grep :443 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr: Shows the number of active connections to port 443 and lists the IP addresses with the highest connection count, allowing identification of potential DDoS sources.
11. mod_evasive: Apache module that provides basic protection against DDoS attacks by detecting and blocking suspicious requests from specific IP addresses.
12. iptables -A INPUT -p tcp --dport <port> -m recent --set: Sets up iptables to track packets from a specific port and mark them as recent.
13. fail2ban-client status: Displays the status of Fail2Ban, showing banned IPs and the jails in effect.
14. ufw deny from <IP>: Blocks incoming traffic from a specific IP address using UFW.
15. nginx -s reload: Reloads the Nginx configuration to apply changes without interrupting active connections.
16. apache2ctl graceful: Gracefully restarts the Apache web server, allowing active connections to complete before the restart.
17. tail -f /var/log/nginx/access.log: Monitors the Nginx access log in real-time to observe incoming requests and identify suspicious activity.
18. tcpdump -i eth0 -n 'udp': Captures UDP packets on the eth0 interface, useful for monitoring UDP-based attacks.
19. curl -L <URL>: Follows redirects and retrieves the final destination URL, helping analyze potential URL-based attacks.
20. iftop -F <filter>: Monitors network traffic on the specified interface, filtered by the provided criteria, allowing focused analysis.
21. netstat -s | grep "failed connection attempts": Checks the number of failed connection attempts, which may indicate attempted DDoS attacks.
22. iptables -A INPUT -p tcp --dport <port> -m state --state NEW -m recent --update --seconds <seconds> --hitcount <count> -j DROP: Drops packets if
23. iptables -A INPUT -p tcp --dport <port> -m state --state NEW -m recent --update --seconds <seconds> --hitcount <count> -j DROP: Drops packets if the number of new TCP connections to a specific port exceeds a certain threshold within a specified time frame, protecting against connection-based DDoS attacks.
24. grep "POST" /var/log/httpd/access_log | awk '{print $1}' | sort | uniq -c | sort -nr: Analyzes the Apache access log to count the number of POST requests from unique IP addresses, helping identify potential HTTP-based attacks.
25. ss -antp: Displays all established TCP connections along with the associated processes, allowing you to identify suspicious connections and their associated services.
26. netstat -s | grep "segments dropped": Checks for dropped network segments, which could indicate network saturation or congestion caused by a DDoS attack.
27. tail -f /var/log/nginx/error.log: Monitors the Nginx error log in real-time to identify any abnormal errors or warnings that may result from a DDoS attack.
28. ipset create blacklist hash:ip hashsize 4096: Creates an IPset blacklist to store IP addresses to be blocked, providing a scalable solution for blocking malicious IPs.
29. iptables -A INPUT -m set --match-set blacklist src -j DROP: Drops traffic from IP addresses present in the IPset blacklist, effectively blocking known malicious IPs.
30. sysctl -w net.ipv4.tcp_max_syn_backlog=<value>: Adjusts the maximum number of pending TCP SYN requests to mitigate SYN flood attacks by limiting the backlog size.
31. curl -X GET --header "X-Forwarded-For: <IP>" <URL>: Sends an HTTP GET request to a URL with a specified client IP address in the X-Forwarded-For header, useful for testing DDoS protection measures.
32. iftop -B: Enables the display of traffic bandwidth rates in bytes rather than bits in the iftop command output, providing a more intuitive representation of network traffic.
33. iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit <rate> -j ACCEPT: Sets a rate limit for incoming ICMP echo requests (ping) to prevent ICMP flood attacks.
34. tcpdump -i eth0 -n 'icmp': Captures ICMP packets on the eth0 interface, allowing analysis of ICMP-based attacks.
35. mod_evasive: Apache module that provides protection against DDoS attacks by detecting and blocking suspicious requests from specific IP addresses.
36. iptables -A INPUT -p tcp --dport <port> -m recent --set: Sets up iptables to track packets from a specific port and mark them as recent.
37. fail2ban-client status: Displays the status of Fail2Ban, showing banned IPs and the jails in effect.
38. ufw deny from <IP>: Blocks incoming traffic from a specific IP address using UFW.
39. nginx -s reload: Reloads the Nginx configuration to apply changes without interrupting active connections.
40. apache2ctl graceful: Gracefully restarts the Apache web server, allowing active connections to complete before the restart.
41. tail -f /var/log/nginx/access.log: Monitors the Nginx access log in real-time to observe incoming requests and identify suspicious activity.
42. tcpdump -i eth0 -n 'udp': Captures UDP packets on the eth0 interface, useful for monitoring UDP-based attacks.
43. curl -L <URL>: Follows redirects and
44. curl -L <URL>: Follows redirects and retrieves the final destination URL, helping analyze potential URL-based attacks.
45. iftop -F <filter>: Monitors network traffic on the specified interface, filtered by the provided criteria, allowing focused analysis.
46. netstat -s | grep "failed connection attempts": Checks the number of failed connection attempts, which may indicate attempted DDoS attacks.
47. iptables -A INPUT -p tcp --dport <port> -m state --state NEW -m recent --update --seconds <seconds> --hitcount <count> -j DROP: Drops packets if the number of new TCP connections to a specific port exceeds a certain threshold within a specified time frame, protecting against connection-based DDoS attacks.
48. grep "POST" /var/log/httpd/access_log | awk '{print $1}' | sort | uniq -c | sort -nr: Analyzes the Apache access log to count the number of POST requests from unique IP addresses, helping identify potential HTTP-based attacks.
49. ss -antp: Displays all established TCP connections along with the associated processes, allowing you to identify suspicious connections and their associated services.
50. netstat -s | grep "segments dropped": Checks for dropped network segments, which could indicate network saturation or congestion caused by a DDoS attack.
51. tail -f /var/log/nginx/error.log: Monitors the Nginx error log in real-time to identify any abnormal errors or warnings that may result from a DDoS attack.
52. ipset create blacklist hash:ip hashsize 4096: Creates an IPset blacklist to store IP addresses to be blocked, providing a scalable solution for blocking malicious IPs.

Please Read (Part 1) & (Part 2) if you missed it.

So, if you find our content valuable, insightful, or enjoyable, please take a moment to give us (10) Ten Claps. Your contribution means a lot to us and will go a long way in encouraging and motivating our team to continue delivering high-quality content that benefits our community.