Advanced DDoS Protection Strategies for Linux Servers
In this guide, we explore both basic and advanced techniques to protect your Linux server from sophisticated DDoS attacks, ranging from small HTTP floods to large-scale volumetric assaults.
1. Web Application Firewall (WAF)
Install a WAF like ModSecurity for Apache/Nginx to filter malicious requests:
sudo apt install libapache2-mod-security2 # Apache
sudo apt install libnginx-mod-http-modsecurity # Nginx
Enable the OWASP Core Rule Set (CRS):
sudo ln -s /usr/share/modsecurity-crs/crs-setup.conf.example /etc/modsecurity/crs-setup.conf
Note that the packaged ModSecurity configuration starts in DetectionOnly mode (it logs but does not block); set SecRuleEngine On in /etc/modsecurity/modsecurity.conf once you have checked the audit log for false positives.
Restart the web server:
sudo systemctl restart apache2 # or nginx
2. Rate Limiting via Nginx or Apache
Nginx example (per-client-IP limit: a steady 5 requests per second, with a burst of 10 served immediately and anything beyond that answered with 503):
http {
    # One 10 MB shared zone keyed by client address; 5 requests/second per address.
    limit_req_zone $binary_remote_addr zone=allips:10m rate=5r/s;
    server {
        location / {
            # Up to 10 requests above the rate are served at once (nodelay); the rest are rejected.
            limit_req zone=allips burst=10 nodelay;
            try_files $uri $uri/ =404;
        }
    }
}
Apache example using mod_ratelimit (this caps response bandwidth per connection in KiB/s rather than the request rate, so it slows a flood's data volume without limiting how many requests a client may send; place the directives inside a Location or Directory block):
SetOutputFilter RATE_LIMIT
SetEnv rate-limit 400
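To make the rate/burst/nodelay parameters of the Nginx block concrete, here is a small Python model of the leaky-bucket accounting behind limit_req. It is an added illustration, not nginx's own code, and it follows the module's accounting as the editor reads it: the first request from a new address starts with zero "excess", each later request adds one unit, the bucket drains at `rate` units per second, and a request is rejected once its excess would exceed `burst`. Without nodelay an accepted excess request is held for excess/rate seconds instead. The traffic below is constructed.

```python
"""Leaky-bucket model of nginx limit_req (added example, not nginx code)."""
from dataclasses import dataclass, field


@dataclass
class LimitReq:
    rate: float            # requests per second, e.g. 5 for rate=5r/s
    burst: int             # extra requests tolerated above the steady rate
    nodelay: bool = True   # serve burst requests at once (nodelay) or pace them
    _state: dict = field(default_factory=dict)   # key -> (excess, last_seen)

    def check(self, key: str, now: float):
        """Return (accepted, delay_seconds) for one request from `key` at `now`."""
        if key not in self._state:
            # A brand-new key is admitted with zero excess (assumption: as nginx does).
            self._state[key] = (0.0, now)
            return True, 0.0
        excess, last = self._state[key]
        # Drain the bucket for the elapsed time, then charge this request one unit.
        excess = max(0.0, excess - self.rate * (now - last)) + 1.0
        if excess > self.burst:
            # Over the burst allowance: rejected (503 in nginx); state is not updated.
            return False, 0.0
        self._state[key] = (excess, now)
        delay = 0.0 if self.nodelay else excess / self.rate
        return True, delay


def simulate(requests, rate=5.0, burst=10, nodelay=True):
    """Run (timestamp, client_ip) pairs through the limiter.

    Returns {client_ip: (accepted_count, rejected_count)}.
    """
    limiter = LimitReq(rate=rate, burst=burst, nodelay=nodelay)
    result = {}
    for ts, ip in sorted(requests):
        accepted, _ = limiter.check(ip, ts)
        a, r = result.get(ip, (0, 0))
        result[ip] = (a + 1, r) if accepted else (a, r + 1)
    return result


# Constructed traffic: one client fires 30 requests in the same instant,
# another sends 20 requests 250 ms apart (4 r/s, under the 5 r/s rate).
BURSTY = [(0.0, "203.0.113.7")] * 30
STEADY = [(i * 0.25, "198.51.100.5") for i in range(20)]

if __name__ == "__main__":
    print(simulate(BURSTY + STEADY))   # bursty client: 11 accepted, 19 rejected
```

With rate=5r/s and burst=10 the instantaneous burst gets 11 requests through (the first plus ten of excess) and the paced client is never throttled, which is the behaviour to expect from the Nginx configuration above.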
3. SYN-Flood Protection with sysctl & iptables
Adjust Linux kernel parameters (sysctl -w applies until the next reboot; put the same keys in a file under /etc/sysctl.d/ to make them persistent):
sudo sysctl -w net.ipv4.tcp_syncookies=1
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sudo sysctl -w net.ipv4.tcp_synack_retries=2
Drop excessive SYN packets (this limit is global rather than per source, so during a sustained flood it also sheds legitimate handshakes; treat it as a last-resort cap):
sudo iptables -A INPUT -p tcp --syn -m limit --limit 10/s --limit-burst 20 -j ACCEPT
sudo iptables -A INPUT -p tcp --syn -j DROP
4. Leveraging TCP Intercept (if supported)
For very high-traffic environments, Linux supports TCP Intercept (it requires a kernel module; on Linux this role is filled by the netfilter SYNPROXY target). It completes the TCP three-way handshake on the server's behalf and only hands over connections that finish it, so half-open SYNs never reach the application's backlog.
5. Integrate Fail2ban for HTTP Floods
Create a jail (in /etc/fail2ban/jail.local) that bans an address after 200 matching requests within 60 seconds:
[http-flood]
enabled = true
port = http,https
filter = http-flood
logpath = /var/log/nginx/access.log
maxretry = 200
findtime = 60
bantime = 1800
action = iptables[name=HTTP-FLOOD, port="http,https", protocol=tcp]
Create the filter in /etc/fail2ban/filter.d/http-flood.conf (the regex matches every GET or POST, so maxretry/findtime above are the real threshold; clients behind a shared NAT can trip it, so size them for your traffic):
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*HTTP/.*"
ignoreregex =
Restart:
sudo systemctl restart fail2ban
6. Use a DDoS-Mitigation Service
Put a reverse proxy/CDN such as Cloudflare, AWS Shield, or Google Cloud Armor in front of the server:
- Configure **"Under Attack"** mode, rate limiting and bot management
- Allow only the provider's published IP ranges to reach your origin server, so that an attacker who discovers the origin address cannot bypass the service
7. Network-Level Protection: ipset & the iptables recent match
Block repeated offenders (keep the DROP rule ahead of any ACCEPT rules for port 80, and the --rcheck rule ahead of the --set rule as shown; note that xt_recent remembers only 20 packets per address by default, so a --hitcount of 100 is refused unless the module is loaded with ip_pkt_list_tot=100, for example via a file in /etc/modprobe.d/):
sudo ipset create ddoslist hash:ip timeout 3600
sudo iptables -A INPUT -m set --match-set ddoslist src -j DROP
sudo iptables -A INPUT -p tcp --dport 80 -m recent --name ddos --rcheck --seconds 60 --hitcount 100 -j SET --add-set ddoslist src
sudo iptables -A INPUT -p tcp --dport 80 -m recent --name ddos --set
8. Monitoring and Alerting
Install packet and connection monitors:
sudo apt install iftop htop vnstat
watch -n1 'netstat -anp | grep :80 | wc -l' # counts sockets on port 80; run as root for the -p process column
Set up alerts via Prometheus + Alertmanager or tools like Uptime Kuma/Netdata.
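A one-line socket count tells you that something is happening but not what: a SYN flood shows up as a pile of half-open (SYN_RECV) sockets, a connection flood as one peer holding most of the sockets. The Python program below, an added example that is not part of the guide, reads the /proc/net/tcp table format directly (hex addresses in host byte order, hex state codes), summarises sockets on a local port by state and by remote address, and raises alerts on both signatures. The thresholds are placeholders to tune for your server and the snapshot is constructed.

```python
"""Per-state and per-peer socket summary from /proc/net/tcp (added example)."""
import socket
from collections import Counter

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}


def decode_addr(field):
    """'0100007F:0050' -> ('127.0.0.1', 80).

    /proc/net/tcp stores IPv4 addresses in host byte order, which is
    little-endian on x86, hence the byte reversal."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per socket row."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        lip, lport = decode_addr(fields[1])
        rip, rport = decode_addr(fields[2])
        yield lip, lport, rip, rport, TCP_STATES.get(fields[3], fields[3])


def port_summary(text, port):
    """Return (state_counts, peer_counts) for non-listening sockets on local `port`."""
    by_state, by_peer = Counter(), Counter()
    for _lip, lport, rip, _rport, state in parse_proc_net_tcp(text):
        if lport != port or state == "LISTEN":
            continue
        by_state[state] += 1
        by_peer[rip] += 1
    return by_state, by_peer


def flood_alerts(text, port, max_syn_recv=4, max_per_peer=3):
    """Return alert strings; both thresholds are placeholders to tune."""
    by_state, by_peer = port_summary(text, port)
    alerts = []
    if by_state["SYN_RECV"] > max_syn_recv:
        alerts.append(f"{by_state['SYN_RECV']} half-open connections on :{port}")
    for peer, n in by_peer.most_common():
        if n > max_per_peer:
            alerts.append(f"{peer} holds {n} sockets on :{port}")
    return alerts


def _row(local, remote, state):
    """Build one /proc/net/tcp-style row with the remaining columns zeroed."""
    return f"   0: {local} {remote} {state} 00000000:00000000 00:00000000 00000000     0        0 0 1"


# Constructed snapshot: a listener on 10.0.0.10:80, two established sessions from
# 198.51.100.5, four half-open connections from 203.0.113.7 and two from 203.0.113.8.
SAMPLE = "\n".join(
    ["  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode"]
    + [_row("00000000:0050", "00000000:0000", "0A")]
    + [_row("0A00000A:0050", "056433C6:C350", "01"), _row("0A00000A:0050", "056433C6:C351", "01")]
    + [_row("0A00000A:0050", "077100CB:" + format(40000 + i, "04X"), "03") for i in range(4)]
    + [_row("0A00000A:0050", "087100CB:" + format(40000 + i, "04X"), "03") for i in range(2)]
)

if __name__ == "__main__":
    for alert in flood_alerts(SAMPLE, 80):
        print(alert)
```

On a live host replace SAMPLE with the contents of /proc/net/tcp (and /proc/net/tcp6, whose addresses are 32 hex digits and need a different decoder) and run it from a timer or your alerting agent; the per-peer breakdown is the list you would feed into the ipset from section 7.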
9. Hardware and Upstream Filtering
- Offload traffic to load balancers or hardware firewalls placed in front of the VPS
- Apply SYN cookie offload or TCP inspection at edge routers
Summary
Effective DDoS protection combines several layers:
- Application-layer filtering (WAF, rate-limit)
- Network-layer defense (iptables, sysctl, ipset)
- Third-party services (CDN, upstream mitigation)
- Constant monitoring and real-time alerting
These strategies help defend against sophisticated attacks and keep your services online.