Given the astoundingly large number of connections, it's possible that the host 75.67.41.234 and maybe 71.232.145.129 may be DoSing you with a SYN flood (or they may just be scraping your website with an extremely ineffective bot or something). A sample of the traffic could confirm this.
To protect against this type of DDoS (and not against a flood, which you cannot protect against with local rules and need your ISP's help to deal with), you can set up firewall rules with iptables to limit the number of connections a single host can open to you at once. This is an example of such a rule:
iptables -t filter -A INPUT -i $WAN_IF -p tcp --syn -m connlimit --connlimit-above 10 -j DROP
You can use a different target (-j REJECT for instance) to perform different actions, and you can set a different connection limit than 10.
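An added example, not part of the original answer: a shell function that counts connections per remote host from `netstat -tn` output, to see which hosts a limit of 10 would affect before the rule goes in. It assumes the usual `netstat -tn` column layout; the names `count_per_host` and `sample_netstat` and all addresses in the sample are constructed.

```shell
#!/bin/sh
# count_per_host LIMIT [STATE]
# Reads `netstat -tn` lines on stdin and prints "count host" for every remote
# host holding more than LIMIT connections, highest count first.
# If STATE is given (e.g. SYN_RECV), only connections in that state are counted.
count_per_host() {
    limit=$1
    state=${2:-}
    awk -v limit="$limit" -v state="$state" '
        # Data lines start with tcp/tcp6; header lines are skipped.
        $1 ~ /^tcp/ && (state == "" || $6 == state) {
            host = $5
            sub(/:[0-9]+$/, "", host)    # strip the remote port
            n[host]++
        }
        END {
            for (h in n)
                if (n[h] > limit) print n[h], h
        }' | sort -rn
}

# Constructed sample in `netstat -tn` format (documentation address ranges):
# one host with 12 half-open connections, two ordinary clients.
sample_netstat() {
    echo "Proto Recv-Q Send-Q Local Address Foreign Address State"
    i=0
    while [ "$i" -lt 12 ]; do
        echo "tcp 0 0 203.0.113.10:80 192.0.2.55:$((40000 + i)) SYN_RECV"
        i=$((i + 1))
    done
    echo "tcp 0 0 203.0.113.10:80 198.51.100.7:51514 ESTABLISHED"
    echo "tcp 0 0 203.0.113.10:80 198.51.100.7:51515 ESTABLISHED"
    echo "tcp 0 0 203.0.113.10:22 198.51.100.9:60022 ESTABLISHED"
}

# Hosts above the limit used in the rule (10), half-open connections only.
sample_netstat | count_per_host 10 SYN_RECV

# On a live system: netstat -tn | count_per_host 10 SYN_RECV
```

Running it without a state argument shows whether legitimate clients (proxies, NAT gateways) already sit near the chosen limit.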