1. Find.. to which IP address in the server is targeted by the ddos attack

netstat -plan  | grep  :80 | awk ‘{print $4}’ | cut -d: -f1 |sort |uniq -c

2. Find… from which IPs, the attack is coming

netstat -plan  | grep  :80 | awk ‘{print $5}’ | cut -d: -f1 |sort |uniq -c

3. Then find the TTL values of the attacking IP addresses

tcpdump -nn -vvv host xxxx |grep yyy (xxxx = ip attacking and yyyy = ip being attacked)

usually we need only tcpdump -nn -vvv host xxxx (as attack is coming from numerous ips)

4. Now block all the ips matching the TTL value obtained from the above script

iptables -A INPUT -p tcp -s 0.0.0.0/0 -d yyyy -m ttl –ttl-eq=zzz -j DROP (zzz is the ttl value)

——————————————————————————————————————-

Install mod security and dos evasive

——————————————————————————————————————-

Harden the sysctl parameters (kernel params) to mitigate the current attack.

Increasing the backlog queue size and decreasing the backlog queuing time might help a bit.

——————————————————————————————————————-

Also install an open source script to prevent DDoS attack to certain extend.
http://deflate.medialayer.com/

MediaLayer was in need of a script to automatically mitigate (D)DoS attacks. The necessity started when MediaLayer was the target of a rather large, consistent attack originating from multiple IP addresses. Each IP would have a large amount of connections to the server, as shown as by:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

It became a general practice for us to be blocking IPs with a large amount of connections, but we wanted to get this automated. Zaf created a script mitigate this kind of attack. We kept improving it to meet our own needs and eventually posted it on Defender Hosting’s Forum. (D)DoS-Deflate is now recognized as one of the best ways to block a (D)DoS attack at the software level.

License Agreement

You can view a copy of the license agreement here.

Installation

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

Uninstalling

wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddo

Reference : http://deflate.medialayer.com/