Usually, while an attack is in progress, one can hardly access the server to work on it. In that case, contact your server provider to mitigate the attack. If you can access it, here are some tips on what you can do:

1) Temporarily stop the httpd (web server) and mysqld (database server) services (example: service httpd stop;service mysqld stop) to see if the server load decreases (command: w). Then check the server logs in the /var/log directory (cd /var/log;ls -lht).

Logs can be checked using the "tail" command:

tail logfilename
tail -n30 logfilename (last 30 lines of the file)
tail -f logfilename (shows the live output)

2) Discover which IPs / IP ranges are hitting your server and which port is affected

To find the attacking IPs, this command may help:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
It shows the IPs and the number of connections from each. More than 50 connections from a single IP on a web server is starting to be a lot.

Details of an IP with many connections: whois IPADDRESSHERE

The second command shows the number of connections per Linux port/service:

netstat -tuna | awk -F':+| +' 'NR>2{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
This way one can try stopping the service that listens on the port with the most connections and then study the logs.
Example: port 80 has 12000 connections, so stop the httpd service (service httpd stop or /etc/init.d/httpd stop).
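
The per-IP and per-port counts from step 2 as reusable shell functions (an added example, not part of the original post). Unlike the one-liners above, it skips the netstat header lines and keeps IPv6 addresses intact; the function names and the sample netstat output, which uses documentation address ranges, are constructed for illustration.

```shell
# Live use:  netstat -ntu | conns_per_ip 50     netstat -ntu | conns_per_port

# Print "count ip" for every remote IP with more than $1 connections
# (default 50, the figure mentioned in the text), busiest first.
conns_per_ip() {
    awk -v t="${1:-50}" '
        $1 !~ /^(tcp|udp)/ { next }          # skip the two header lines
        {
            addr = $5                        # Foreign Address column
            sub(/:[0-9*]+$/, "", addr)       # drop only the trailing :port
            sub(/^::ffff:/, "", addr)        # IPv4-mapped IPv6 -> plain IPv4
            count[addr]++
        }
        END { for (ip in count) if (count[ip] > t) print count[ip], ip }
    ' | sort -rn
}

# Print "count port" for every local port, busiest first.
conns_per_port() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }
        { n = split($4, part, ":"); count[part[n]]++ }   # port = last field
        END { for (p in count) print count[p], p }
    ' | sort -rn
}

# Constructed sample of `netstat -ntu` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:51234       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51235       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51236       SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.20:40022     ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.7:51237 ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::1:50100       ESTABLISHED
EOF
}

# Demo with a low threshold so the small sample produces a hit.
sample_netstat | conns_per_ip 2
sample_netstat | conns_per_port
```
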

3) Block bad IPs / IP ranges in firewall:

BAN in iptables
iptables -I INPUT -s 1.2.3.4 -j DROP (-I = insert the rule at the top of the INPUT chain; bans the IP in this case)
UNBAN from iptables
iptables -D INPUT -s 1.2.3.4 -j DROP (-D = delete the matching rule from iptables; allows the IP again in this case)

Another low-importance (time-wasting) step:
You can also add bad IPs to your website's .htaccess file to prevent website-based attacks (but this is usually not very efficient):

.htaccess :
order allow,deny
deny from 1.2.3.3
deny from 8.7.4
allow from all
You may also add file caching rules to .htaccess, like:


#3 Remove ETags
Header unset ETag
FileETag None

# 480 weeks
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$" >
Header set Cache-Control "max-age=290304000, public"
</FilesMatch>

# 2 DAYS
<FilesMatch "\.(xml|txt)$">
Header set Cache-Control "max-age=172800, public, must-revalidate"
</FilesMatch>

# 2 HOURS
<FilesMatch "\.(html|htm)$">
Header set Cache-Control "max-age=7200, must-revalidate"
</FilesMatch>
(but these don't prevent DDoS; rather, they decrease server load slightly in some cases)


4) Install three tools to automate blocking of bad IPs

Small attacks can be denied/IP-blocked automatically by three traffic/log monitoring tools (CSF/LFD, DDoS Deflate and Fail2Ban). I have them all at once on some server:

- Install DDoS Deflate. Here is the install guide for DDoS Deflate: http://internetlifeforum.com/security-protection/1132-how-manage-ddos-deflate-deny-ddos-attack/#post1675

- The next thing to install is Config Server Firewall. Read the Config Server Firewall installation guide here: http://internetlifeforum.com/security-protection/462-tutorial-installing-csf-config-server-firewall-linux/

- The third anti-DDoS mitigation tool for Linux is Fail2Ban. Read the quick installation guide: http://internetlifeforum.com/security-protection/1136-installing-fail2ban-linux-prevent-various-bad-bots-attacks-bruteforce/#post1688

If you have any good ideas to enhance this tutorial, please kindly share. Thanks.