How to check and stop if DDoS attack is going on.

Distributed denial-of-service attacks
In a distributed attack, the attacking computers are often personal computers
with broadband connections to the Internet that have been compromised by viruses
or Trojan horse programs. These allow the perpetrator to remotely control machines
to direct the attack, and such an array of computers is called a botnet. With
enough such slave or zombie hosts, the services of even the largest and most well-connected
websites can be disrupted.


Denial-of-service attack

A denial-of-service attack (also, DoS attack) is an attack on a computer system
or network that causes a loss of service to users, typically the loss of network
connectivity and services by consuming the bandwidth of the victim network or
overloading the computational resources of the victim system.
Attacks can be directed at any network device, including routers and Web, electronic
mail, and Domain Name System servers.

A DoS attack can be perpetrated in a number of ways. There are four basic types
of attack:

1) consumption or overload of system or network resources, such as bandwidth,
disk space, or CPU time
2) disruption of configuration information, such as routing information
3) disruption of physical network components
4) disruption of normal operating-system functionality by exploiting a software
vulnerability.

Attempts to “flood” a network with bogus packets, thereby preventing
legitimate network traffic, are the most common form of attack, often conducted
by disrupting network connectivity with the use of multiple hosts in a distributed
denial-of-service attack or DDoS. Such attacks can consume the resources of
intervening systems and networks over which the attack is transmitted. Other
than incorrectly formed packets or random traffic, two specific sophisticated
means of attack include:

1) a smurf attack, in which ICMP requests are sent to the broadcast address
of misconfigured networks, with a faked, or spoofed, source IP Address set to
the one of the target
2) a SYN flood, in which bogus SYN requests to a service (often HTTP) cause
a server to be overloaded by spawning half-open connections
You can check the current http usage by firing the shell command

top -d2

If you are getting lots of httpd processes, then you have to check if it is
a DoS attack and the server is flooded with SYN packets. You can check this
by the following command.

netstat -nap | grep SYN | wc -l

If you are getting abnormal numbers then your server is under attack.
You can check from which IPs the SYN packets are coming. Give the following
command

netstat -nap | less

You will get all the details of kernel routing table also the IPs from where
the packets are coming. If it is coming from any particular IP then you can
simply block that IP on the server. Or if its from one network then you will
have to block the range of IPs.
If there are multiple IPs which are attacking then you will have to find which
site is under attack.
To check this go to /usr/local/apache/domlogs/
Check how stat’s date is defined. Then run the command “date“.
Check the current time of the server. Then you have to check which site was
under attack before few mins ago. Suppose current time is Sep 15 02:03:38 then
run the command

grep “15/Sep/2005:02:01” *

It will show you the list of sites accessed at that time. If you see any particular
site is being accessed multiple times, then the site is under attack. You can
chnage the time to check if different sites are under attack. You can suspend
that site to prevent the server from overloading.

Many times the attack hits a particular IP and all the sites having that IP
get attacked. All you have to do is change the IP of those sites and then null-route
that IP.

These are the simple steps you have to follow when attack is going on. Obviously
you have to use your presence of mind while working on it. You will find many
ways to solve this issue.