How to detect a DOS / DDOS Attack on your Linux Server?

[dfads params=’groups=-1′]

While researching through website traffic problems, the first thing that came in my mind is DoS / DDoS attacks. So, I started to study about it.

What is DoS / DDoS attack? 

(Wiki Answer) : In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

How to check if your Linux server is under DDOS Attack?

Login to your Linux Server and type the following command:

netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort –n

This command will show you the list of IP’s which have logged in is maximum number of connections to your server. It becomes more complex if the attacker use fewer connections with more number of attacking IP’s.

[dfads params=’groups=-1′]

We can check active connections to the server using the following command:

netstat -n | grep :80 |wc –l

The above command will show the active connections that are open to your server. The result may vary but if it shows connections more than 500, then you will be definitely having problems.

netstat -n | grep :80 | grep SYN |wc –l

If the result of the above command is 100 or above then you are having problems with sync attack.

Once you get an idea of the ip attacking your server, you can easily block it. Fire the following command to block specific IP:

route add ipaddress reject

Fire the following command to check whether that IP is blocked or not:

route -n |grep IPaddress

You can also block a IP with iptables on the server by using the following command.


service iptables restart

service iptables save

After firing the above command, KILL all httpd connection and than restart httpd service by using  following command:

killall -KILL httpd/apache2

[dfads params=’groups=-1′]

[Updated 12-12-2013]

In order to delete the route entry, fire the following command.

ip route delete ipaddress

[Source :]

How to format pen drive in ubuntu

[dfads params=’groups=-1′]

Many times it happens that your pen drive or memory cards does not formatted from file manager so you have to format it from terminal. In this tutorial, it is shown that how to format pen drive
or any other hard-disk or memory card from terminal using commands in Ubuntu.
This video gives you a complete idea of how to format pen drive from terminal and which commands you have to type.
I also attached the screenshots of this commands from terminal window step by step.
[1]  First of all type the below command for know the name of your pen
       drive or memory card. [here | (pipe) operator is used which is given
       above your enter key in most of keyboards.]
       dmesg | tail


[2]  Then unmount your pen drive using the following command.
       sudo umount /dev/sdb1
And enter your password.
[3]  Then enter the following command to format your pen drive with
        FAT32 partition.
       sudo mkfs.vfat -n ‘Ubuntu’ -I /dev/sdb1
Your pen drive is now formatted and ready to use.

[dfads params=’groups=-1′]

Source []

How Telecom Operators cheat their customers?

[dfads params=’groups=-1′]

This is really worth reading. Please, Please, Please Follow & share this Information.

I am an Airtel User. I was charged 2Paise/Sec for no any Tarrif enabled. i.e. 1.2 Rupees for 60 Secs. This amount was quite expensive compared to charges of other Operators. So, one of my friend suggested me to do the following:

1. First, generate a UPC (Unique Porting Code). This can be done by sending an SMS to 1900.
The SMS should be in this format: PORT

This should be sent to 1900
Operator SMS charge will be applicable.

2. In reply, you will receive a UPC (Unique Porting Code) as SMS from 1901. The UPC will be an 8 digit alpha- numeric code. You will also receive the date till when the UPC will remain valid in the MM/DD/YYYY format.

3. Wait for the call back from the Customer Care.

Well, the process is changing the Number Portability from one Operator to another. Great, I thought of changing to MTNL.

[dfads params=’groups=-1′]

BUT Guess What Happens when the Customer Care Called…

She asks: What is the reason for changing the Operator?
I reply: Well, it is too expensive for me to use this Operator. Please shift me to MTNL

She explains: Sir, We have these plans (30Paise/Min for this tarrif, 40Paise/Min for another Tarrif) for you & are cheaper than ur current Call Rate.
I replied: Mam, Isn’t there any scheme that charge me on the basis of Per Second not Per minute.

She Explains: Well sir, there is a plan where you will be charged 1.2 Paise/2Secs. Can I activate this Plan?
I replied: Mam, the Line is getting disturbed, Can you repeat the plan once again? (Had to confirm the plan, LOL, and to think for a while for calculation.. heheheh, yeah.. means 36Paise/Minute, ummm gr8)

She Repeats: Sir, there is a plan where you will be charged 1.2 Paise/2Secs. Can I activate this Plan?
I reply: (Already had made my mind ). Definitely Mam, Thank You Very Much.

She says: Sir, your plan will be activated in 2.5Hrs. Thank You.
Guys this is how works happening in India. “Saala, Sidhi ungli se to Ghee nikalti hi nahi”. I was damn unaware about this. I’d have saved thousands of bugs if I’d ‘ve known this earlier. Friends, If you are an Airtel user & still a victim please Follow this post and let others also know about this information.

I wonder how people are cheated by all these bureaucrats.

Thanx for Reading

Via #MuzikalIndia

[dfads params=’groups=-1’]

The rise of bots, spammers, crack attacks and libwww-perl

[dfads params=’groups=-1′]

libwww-perl (LWP) is fine WWW client/server library for Perl. Unfortunately this library used by many script kiddy, crackers, and spam bots.

Verify bots…

Following is a typical example, you will find in your apache or lighttpd access.log log file:

$ grep ‘libwww-perl’ access.log


$ grep ‘libwww-perl’ /var/log/lighttpd/access.log

Output: - [23/Oct/2006:22:24:37 +0000] "GET /wamp_dir/setup/yesno.phtml?no_url= HTTP/1.1" 200 72672 "-" "libwww-perl/5.76"

So someone is trying to attack your host and exploit security by installing a backdoor. yesno.phtml is poorly written application and it can run or include php code (list.txt) from remote server. This code install perl based backdoor in /tmp or /dev/shm and send notification to IRC server or bot master i.e. server is ready for attack against other computer. This back door can flood or DDoS other victims server (it will also cost you tons of bandwidth). Usually attacker will hide himself behind zombie machines. Blocking by user agent can help and in some cases problem can be dropped all together.

You will also notice that libwww-perl/5.76 as browser name (read as useragent). To avoid such attack:
=> Block all libwww-perl useragent
=> Run web server in chrooted jail

How to block libwww-perl under Lighttpd web server?

Open lighttpd.conf file:
# vi /etc/lighttpd/lighttpd.conf
Append following line to main server or virtual hosting section:
$HTTP["useragent"] =~ "libwww-perl" {
url.access-deny = ( "" )

Save and close the file. Restart the lighttpd:
# /etc/init.d/lighttpd restart

How to block libwww-perl under Apache web server?

Use mod_rewrite and .htaccess file to block user agent libwww-perl. Open your .htaccess file and add rule as follows:
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

How do I verify that User-Agent libwww-perl is blocked?

Download this perl script on your own workstation. Replace with your site name:
$req = HTTP::Request->new(GET => '');
Save and execute perl script:
$ chmod +x
$ ./


Error: 403 Forbidden

You should see 403 Forbidden error as your user-agent is blocked by server configuration.

Please note that blocking by user agent can help, but spammers spoof user agents. My personal experience shows that blocking libwww-perl saves bandwidth and drops potential threats by 50-80%.

Another highly recommended solution is to run web server in chrooted jail. In chrooted jail attacker cannot install backdoor as shell and utilities such as wget not available to download the perl code. I also recommend blocking all outgoing http/ftp request from your webserver using iptables or use hardware based firewall such as Cisco ASA Firewalls.

Final extreme solution is to put entire root file system on read only media such as CDROM (or use live CD). No attacker can bring down your web server if it is serving pages from read only media (except DoS/DDoS attack).

What do you think? How do you block such attacks? Please share your nifty technique with us.


[source 1=”” language=”:”][/source]
[dfads params=’groups=-1′]