How to block Denial of Service (DoS) with null route


This article describes how I found the IPs behind a Denial of Service (DoS) and null routed them to solve the high load issue on my server.

1. High Load

Recently, the server hit an abnormally high load, with CPU usage averaging 15-20%.


# top

load average: 15.08, 18.30, 20.63

2. Who is Connected?

I was not sure whether this was a DoS attack or just a single IP abusing connections, so I issued the following command to list all the IP addresses connected to my server, with the number of connections from each.


# netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

     215 122.163.226.243
     189 114.198.236.100
     156 120.63.179.245
     38 141.0.9.20
     37 49.248.0.2
     37 153.100.131.12
     31 223.62.169.73
     30 65.248.100.253
     29 203.112.82.128
     29 182.19.66.187

The 3 IPs below are taking 150+ connections each, which is really abnormal. What are they trying to do?


 215 122.163.226.243
 189 114.198.236.100
 156 120.63.179.245

P.S. I Googled the above IPs: 2 are from India, 1 is from Pakistan.

3. Null route

I believe the above 3 IPs are the root cause of the high load issue, so let's null route them, so that all incoming connections from those 3 IPs will be dropped or ignored.

Null route command


route add 122.163.226.243 gw 127.0.0.1 lo
route add 114.198.236.100 gw 127.0.0.1 lo
route add 120.63.179.245 gw 127.0.0.1 lo

Alternative Command

You can also use the following commands to null route the IPs; both do the same thing.


route add -host 122.163.226.243 reject
route add -host 114.198.236.100 reject
route add -host 120.63.179.245 reject

Use netstat -nr to display all the routes and make sure the entries were added to the routing table.


# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
114.198.236.100 127.0.0.1       255.255.255.255 UGH       0 0          0 lo
120.63.179.245  127.0.0.1       255.255.255.255 UGH       0 0          0 lo
122.163.226.243 127.0.0.1       255.255.255.255 UGH       0 0          0 lo

Done. Wait a few seconds and check the server load again; it is back to normal now.


# top

load average: 1.08, 5.30, 30.63

Check the connected IPs again; the attackers' IPs are gone:


# netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

     40 141.0.9.20
     37 49.248.0.2
     36 153.100.131.12
     31 223.62.169.73
     25 65.248.100.253
     29 203.112.82.128
     29 182.19.66.187
     38 142.0.9.20
     28 141.121.9.20
     38 141.0.9.201

Done.
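
Steps 2 and 3 combined into a dry-run helper, as an added example that is not part of the original article: it counts connections per remote IPv4 address for an exact local port, applies a threshold and an allowlist, and prints the route add -host ... reject commands for review instead of running them. The function names, the threshold of 4, the allowlist and the sample addresses (documentation ranges) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the article: dry-run null-route helper.

# Constructed sample of `netstat -tn` lines (documentation address ranges).
# On a live server, pipe `netstat -tn 2>/dev/null` in instead.
sample_netstat() {
    echo "Proto Recv-Q Send-Q Local Address Foreign Address State"
    for p in 1 2 3 4 5; do   # 5 connections from one client to local :80
        echo "tcp 0 0 192.0.2.10:80 198.51.100.7:5100$p ESTABLISHED"
    done
    for p in 1 2 3 4; do     # 4 connections from a known load balancer
        echo "tcp 0 0 192.0.2.10:80 203.0.113.9:5200$p ESTABLISHED"
    done
    echo "tcp 0 0 192.0.2.10:80 198.51.100.20:53001 TIME_WAIT"
    echo "tcp 0 0 192.0.2.10:8080 198.51.100.30:54001 ESTABLISHED"  # other service
    echo "tcp 0 0 192.0.2.10:40000 203.0.113.50:80 ESTABLISHED"     # outbound
}

# Print "count ip" per remote IPv4 peer of local port $1, busiest first.
count_by_ip() {
    awk -v port="$1" '
        $1 ~ /^tcp/ {
            n = split($4, l, ":")
            if (l[n] != port) next           # exact local port only
            if (split($5, r, ":") != 2) next # skip IPv6-style peers
            if (r[1] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            c[r[1]]++
        }
        END { for (ip in c) print c[ip], ip }' | sort -k1,1nr -k2,2
}

# Print (do not run) a reject route for each peer with >= $2 connections
# on port $1, skipping the space-separated allowlist in $3.
null_route_candidates() {
    count_by_ip "$1" | while read -r n ip; do
        [ "$n" -ge "$2" ] || continue
        case " $3 " in *" $ip "*) continue ;; esac
        echo "route add -host $ip reject"
    done
}

sample_netstat | null_route_candidates 80 4 "203.0.113.9"
```

Unlike a plain grep :80, the port match here ignores the :8080 service and the outbound connection to a remote port 80, so neither inflates the per-IP counts.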

4. Delete null route

To delete the existing null routes, use route delete.


route delete 122.163.226.243
route delete 114.198.236.100
route delete 120.63.179.245

CSF Firewall

To prevent Denial of Service (DoS), try setting up CSF and configuring CT_LIMIT to limit the number of connections each IP can open to the server.


About the Author

mkyong
Founder of Mkyong.com, love Java and open source stuff.

Comments

amit bhatt

What if I would like to add them permanently in my route file... what would be the syntax then?

Teeriq

I really like this, it is very clear and has concise execution. Do you know of any way to possibly do this from within the Spring platform itself?

Ferdian

Thank you for this wonderful and clear instruction how to null ddos attackers. Good job!

Moshe

absolutely brilliant! I’ll have to remember how to get to this page when I’ll need it…

Juan Carlos

This is a wonderful idea. Very simple to implement in a script. In my case, my HTTP servers are behind an F5 load balancer. Thus, connections are established, at operating system level, from the load balancer and not from the real client. Is there any way to get the real client IP with the netstat command?

BR
