
Mitigating DoS attacks

Denial of service (DoS) is a very common type of attack that can render a server inaccessible or severely limit its connectivity until the issue is mitigated. A typical DoS attack is performed by flooding the target server with traffic from a single IP address. Though it rarely results in theft or data loss, this attack can leave mobile clients and dispatchers unable to communicate with each other.

This topic describes a basic DoS attack detection and mitigation scenario. The commands below must be run on the server where T.Lion and related services are deployed.

Important:

You will need root privileges on the server.

What you will need

To find out which IP addresses are currently connected to your T.Lion server, use the netstat tool, which is part of the net-tools package. To install netstat on Debian 9, issue the following command:

sudo apt install net-tools

To check the network traffic and bandwidth usage, use the nload utility. To install nload on Debian 9, issue the following command:

sudo apt install nload

Checking the network load

Simply run the nload command. You should see details on incoming and outgoing network load. If you see an unexpectedly high incoming load, you might be under attack.

Finding out IP addresses connected to your server

Use the netstat tool:

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s|sort|uniq -c|sort -nk1 -r

The output of this command lists each IP address connected to the server together with the number of connections from that address. If you see an IP address with an extremely large number of connections, the chances are high that this address is your culprit.

Blocking the attacker address

If you suspect that the IP address found in the previous step belongs to an attacker, ban it with the following command:

sudo route add <IP address> reject

Then re-check the network load and the connected IP addresses. If the attack is mitigated, it is recommended to permanently block this IP address on the firewall.
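The following POSIX shell script is an added example, not part of the TASSTA documentation. It performs the connection count from the previous steps on constructed sample netstat -ntu output, strips the port after the last colon so that IPv6 remote addresses (which themselves contain colons) are counted whole, and lists the addresses at or above a connection threshold for manual review before any blocking. The sample addresses and the threshold are assumptions.

```shell
#!/bin/sh
# Constructed netstat -ntu style output (two header lines plus data rows),
# used as sample input so the example runs offline. 203.0.113.7 plays the
# flood source; 2001:db8::10 shows that IPv6 remotes are counted correctly.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.5:8443       203.0.113.7:50001       SYN_RECV
tcp        0      0 198.51.100.5:8443       203.0.113.7:50002       SYN_RECV
tcp        0      0 198.51.100.5:8443       203.0.113.7:50003       SYN_RECV
tcp        0      0 198.51.100.5:8443       203.0.113.7:50004       SYN_RECV
tcp        0      0 198.51.100.5:8443       192.0.2.44:39200        ESTABLISHED
udp        0      0 198.51.100.5:5060       192.0.2.44:5060         ESTABLISHED
tcp6       0      0 2001:db8::5:8443        2001:db8::10:41000      ESTABLISHED
tcp6       0      0 2001:db8::5:8443        2001:db8::10:41001      ESTABLISHED'

# Count connections per remote address from netstat -ntu output on stdin.
# The port is removed as the text after the LAST colon, so IPv6 addresses
# stay intact (cut -d: -f1 would truncate them). Output: "<count> <addr>",
# highest count first.
count_remote_addrs() {
    awk 'NR > 2 { print $5 }' \
        | sed 's/:[0-9]*$//' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Print only the addresses whose connection count is at or above $1.
# These are candidates to verify by hand, not automatic bans.
flag_suspects() {
    threshold="$1"
    count_remote_addrs | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run against the constructed sample. On a live server feed the
# real output instead, e.g.:  netstat -ntu | flag_suspects 100
printf '%s\n' "$SAMPLE_NETSTAT" | count_remote_addrs
echo "--- suspects (>= 4 connections) ---"
printf '%s\n' "$SAMPLE_NETSTAT" | flag_suspects 4
```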