How to control DDoS attacks using Config Server Firewall

You are here:
Estimated reading time: 2 min

I would like to share some quick tips to control : One common type of cyber threat, DDos. Which stands for Distributed Denial of Service, It is an attempt to make an online service unavailable by traffic flooding from multiple sources. This makes it impossible to stop the attack by blocking a single IP and also it is difficult to find out the legitimate user from the traffic.
Unlike a Denial of Service (DoS) attack, in which a single Internet-connected device (one network connection) is used to flood targeted resource with packets, a DDoS attack is launched from numerous compromised devices, often distributed globally in what is referred to as a botnet.
Please note : Any measures employed within CSF will be effective only against small attacks, and measures should be implemented in CSF only while the server is under attack.

Controlling DDoS attack using CSF:

Fortunately, CSF can be used to help mitigate small attacks. Most of the cPanel servers will use Config Server Firewall(CSF) settings to prevent their servers. Config Server Firewall is abbreviated as CSF. CSF is the most commonly using firewall application to secure Linux servers. CSF has wide range of options to manage Linux firewall via comman-line and from the control panel.
Here, I am going to provide some steps to manage a DDoS attack by tweaking the features in the CSF settings.

To check server is under DDoS attack:

You can run the below commands to check whether the server is under attack or not.

To show number of connections and IP address

netstat -alpn | grep :80 | awk ‘{print $4}’ |awk -F: ‘{print $(NF-1)}’ |sort | uniq -c | sort -n
If the server has more IP address configured in it, then the above result will help you to find which server IP is under attack.

For example, if the result is huge such as 1000, then you can suppose that the server is under DDoS attack

Assumes you have the ConfigServer Firewall (CSF) installed on your cPanel server.

Tweaking the CSF settings:

  1. SSH to server as root user and open CSF config file.

    vi /etc/csf/csf.conf

  2. Restricting number of simultaneous connections

    from a single IP would be quite effective in managing DDOS attacks. So reduce the value of CT_Limit to a reasonable range . Here I am changing it to 50
    It means that the maximum number of connections from an IP is 50. However the value is not an arbitrary one, you should change the value in accordance with your settings.

  3. Change the connection tracking interval CT_INTERVAL

    Here, the connection tracking value is set to 30 seconds which is recommendable. If you decrease the interval to some lower value, then there will be a chance to generate false positives and will block legit connections.

  4. To enable protection for particular port,

    you can specify them in the configuration variable ‘CT_PORTS’. For eg. In majority of the cases DDOS will be targeted to webserver and DNS server. So the port numbers to be specified during such instances for a default installation are 80 and 53.

    In the below example I am tweaking the protection for webserver both for normal and ssl connections

  5. By default, SYNFLOOD (SYNFLOOD = “0”) is disabled in CSF.

    If the server is under SYNFLOOD attack, you make it enable temporarily as below.
    SYNFLOOD = “1″
    SYNFLOOD_RATE = “30/s”
    If 30 connections are received from an IP/sec for 30 times, then it will block the concern IP. You can adjust the SYNFLOOD_BURST rate depends on your server.

  6. You can set limit for the number of connections

    to particular port by altering the value “CONLIMIT”.
    CONNLIMIT = 80;20,443;15
    The above value will limit only 20 connections to the port 80 and 15 connections to the port 443 from single IP

  7. Now the modifications are complete.

    In order to make them effective, we need to restart the CSF service with the new configuration parameters.
    /etc/init.d/csf restart
    csf -r

That’s it, hope I am able to provide few tips to remember with CSF settings when your server is under DDos attack.

Was this article helpful?
Dislike 0
Views: 5

Sign up for our newsletter

Questions? 08-111-8888-32


Footer Bottom
Footer Bottom



Hosting Indonesia

Berbagai pilihan Hosting Indonesia dengan dukungan infrastruktur Cloud, SSD super cepat, serta teroptimasi dengan tingkat keamanan tinggi. Penyedia web Hosting Indonesia terbaik dengan pengalaman lebih dari 7 tahun membuat kami menjadi salah satu yang terbaik di industri hosting di Indonesia.

Layanan Registrasi Domain Murah

DEOHosting menyediakan layanan registrasi nama domain murah indonesia dan Internasional dengan harga terjangkau dan bersaing. Didukung dengan fitur aktivasi instan kurang dari 5 menit untuk membantu anda mewujudkan website dengan nama domain anda sendiri, kami memberikan fasilitas Managed DNS dan domain forwarding sehingga memungkinkan domain dapat diarahkan ke alamat URL lain.

Hosting Indonesia Terbaik

Berdiri di tahun 2011, DEOHosting merupakan penyedia layanan web Hosting Indonesia Terbaik yang berfokus terhadap kualitas layanan dengan harga terjangkau dan didukung data center terbaik di LONDON. Kami mengimplementasikan Content Delivery Network untuk akses super cepat dan stabil sebagai upaya kami untuk memberikan layanan Cloud Hosting Indonesia Terbaik.

Jual Hosting dan Beli Hosting

Kami menjual Hosting Murah yang dilengkapi dengan fitur Instant Deploy yang menginstall berbagai CMS secara otomatis dan instan saat aktivasi akun hosting. Beli paket DEO Hosting sesuai dengan kebutuhan anda, dan nikmati kemudahan yang diberikan oleh layanan yang akan anda dapatkan. Garansi 40 hari uang kembali apabila anda tidak puas dengan layanan kami.