1. Find.. to which IP address in the server is targeted by the ddos attack

netstat -plan  | grep  :80 | awk ‘{print $4}’ | cut -d: -f1 |sort |uniq -c

2. Find… from which IPs, the attack is coming

netstat -plan  | grep  :80 | awk ‘{print $5}’ | cut -d: -f1 |sort |uniq -c

3. Then find the TTL values of the attacking IP addresses

tcpdump -nn -vvv host xxxx |grep yyy (xxxx = ip attacking and yyyy = ip being attacked)

usually we need only tcpdump -nn -vvv host xxxx (as attack is coming from numerous ips)

4. Now block all the ips matching the TTL value obtained from the above script

iptables -A INPUT -p tcp -s -d yyyy -m ttl –ttl-eq=zzz -j DROP (zzz is the ttl value)


Install mod security and dos evasive


Harden the sysctl parameters (kernel params) to mitigate the current attack.

Increasing the backlog queue size and decreasing the backlog queuing time might help a bit.


Also install an open source script to prevent DDoS attack to certain extend.

MediaLayer was in need of a script to automatically mitigate (D)DoS attacks. The necessity started when MediaLayer was the target of a rather large, consistent attack originating from multiple IP addresses. Each IP would have a large amount of connections to the server, as shown as by:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

It became a general practice for us to be blocking IPs with a large amount of connections, but we wanted to get this automated. Zaf created a script mitigate this kind of attack. We kept improving it to meet our own needs and eventually posted it on Defender Hosting’s Forum. (D)DoS-Deflate is now recognized as one of the best ways to block a (D)DoS attack at the software level.

License Agreement

You can view a copy of the license agreement here.


wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh


wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos

Reference : http://deflate.medialayer.com/