DDoS ICMP and HTTP Flood Attack Mitigation on Debian-Based Servers
Hello Cyber Defenders!
This article provides step-by-step instructions on how to mitigate ICMP and HTTP flood attacks using iptables, sysctl, Fail2Ban, and other security measures on a Debian-based system. These steps help protect against ping and HTTP flood attacks with spoofed IP addresses.
1. Configuring iptables to Mitigate ICMP Flood Attacks
Rate Limiting ICMP Requests
The limit match counts all incoming echo requests together rather than per source, so once the bucket is exhausted (a burst of 5, then 1 per second) legitimate pings are dropped along with the flood. The rules must be added in this order, because iptables stops at the first matching rule.
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
Dropping Invalid Packets
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
Allowing Necessary ICMP Types and Dropping the Rest
This block is a complete ICMP policy that already contains the echo-request rate limit, so apply it instead of, not in addition to, the two rules above.
sudo iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
sudo iptables -A INPUT -p icmp -j DROP
2. Enabling Reverse Path Filtering
Set sysctl Parameters (1 enables strict mode: a packet is dropped if its source address would not be routed back out through the interface it arrived on, which discards most spoofed traffic)
sudo sysctl -w net.ipv4.conf.all.rp_filter=1
sudo sysctl -w net.ipv4.conf.default.rp_filter=1
Make Parameters Permanent
Edit /etc/sysctl.conf:
sudo nano /etc/sysctl.conf
Add the following lines:
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
Apply the changes:
sudo sysctl -p
3. Saving iptables Rules Across Reboots
Using iptables-persistent
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
Manually Saving Rules (these are the files that iptables-persistent restores at boot)
sudo iptables-save > /etc/iptables/rules.v4
sudo ip6tables-save > /etc/iptables/rules.v6
4. Verify Configuration
Verify iptables Rules
sudo iptables -L -v -n
Verify sysctl Settings
sysctl net.ipv4.conf.all.rp_filter
sysctl net.ipv4.conf.default.rp_filter
Reboot and Verify
sudo reboot
After reboot, verify the settings again:
sudo iptables -L -v -n
sysctl net.ipv4.conf.all.rp_filter
sysctl net.ipv4.conf.default.rp_filter
5. Monitoring and Logging
Monitor System Logs
tail -f /var/log/syslog
Monitor iptables Logs
The rules above contain no LOG target, so nothing is written unless you add one. iptables LOG entries go to the kernel log (/var/log/kern.log on Debian, also copied into syslog), which is the file the Fail2Ban icmp-flood jail below reads.
Monitor ModSecurity Logs (if applicable)
tail -f /var/log/apache2/modsec_audit.log
Additional Security Measures
Install and Configure Fail2Ban
sudo apt-get install fail2ban
Create /etc/fail2ban/filter.d/icmp-flood.conf:
[Definition]
failregex = kernel: .*IN=.*OUT=.*MAC=.*SRC=<HOST> DST=.* LEN=.* TOS=.* PREC=.* TTL=.* ID=.* PROTO=ICMP
ignoreregex =
Configure Fail2Ban Jail:
Add the following to /etc/fail2ban/jail.local:
[icmp-flood]
enabled = true
filter = icmp-flood
# iptables-allports hooks the jail chain without --dport, which ICMP needs; the plain iptables action requires a port and fails with port=any
action = iptables-allports[name=ICMP, protocol=icmp]
logpath = /var/log/kern.log
maxretry = 5
bantime = 3600
Create /etc/fail2ban/filter.d/http-flood.conf:
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =
Configure Fail2Ban Jail:
Add the following to /etc/fail2ban/jail.local:
[http-flood]
enabled = true
port = http,https
filter = http-flood
logpath = /var/log/apache2/access.log
maxretry = 100
findtime = 60
bantime = 600
Restart Fail2Ban:
sudo systemctl restart fail2ban
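As an added check (example code written for this article, not Fail2Ban's own code and not from the original post): the script below expands the two failregex patterns above the way Fail2Ban does, runs them against constructed sample log lines, and replays the maxretry/findtime counting rule of the jails. It assumes a simplified <HOST> expansion, constructed sample lines, and that the kernel line comes from an iptables LOG rule, which the rules earlier in this article do not include.

```python
import re
from collections import defaultdict, deque

# Fail2Ban expands the <HOST> tag into a group that captures the offending address.
# This is a simplified form of that expansion (assumption of this example, not Fail2Ban's code).
HOST = r"(?P<host>(?:::f{4,6}:)?[\w\-.]*\w)"

# The two failregex lines from the filters above, verbatim.
ICMP_FAILREGEX = (r"kernel: .*IN=.*OUT=.*MAC=.*SRC=<HOST> DST=.* LEN=.* TOS=.* PREC=.* "
                  r"TTL=.* ID=.* PROTO=ICMP")
HTTP_FAILREGEX = r'^<HOST> -.*"(GET|POST).*'

# Constructed sample lines (not real traffic). The kernel line is the shape an iptables
# LOG rule writes; the access line is Apache's default combined format.
KERNEL_LINE = ("Jun  1 12:00:00 web1 kernel: [ 1234.567890] IN=eth0 OUT= "
               "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 "
               "LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=4242 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1")
ACCESS_LINE = ('198.51.100.7 - - [01/Jun/2024:12:00:00 +0000] "GET /index.html HTTP/1.1" '
               '200 1234 "-" "Mozilla/5.0"')


def extract_host(failregex, line):
    """Apply a failregex the way Fail2Ban does; return the captured host or None if no match."""
    m = re.compile(failregex.replace("<HOST>", HOST)).search(line)
    return m.group("host") if m else None


def hosts_to_ban(failregex, events, maxretry, findtime):
    """Replay (timestamp, line) events through a jail's counting rule: a host is banned
    once at least `maxretry` matching lines fall inside a sliding `findtime` window."""
    window, banned = defaultdict(deque), set()
    for ts, line in events:
        host = extract_host(failregex, line)
        if host is None or host in banned:
            continue
        q = window[host]
        q.append(ts)
        while q and ts - q[0] > findtime:  # forget matches older than findtime seconds
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned


def simulate_http_flood(n_requests, attacker="198.51.100.7", legit="192.0.2.5"):
    """n_requests from the attacker within one second, plus 5 slow legitimate hits,
    evaluated with the http-flood jail's maxretry=100 / findtime=60."""
    events = [(0.01 * i, ACCESS_LINE.replace("198.51.100.7", attacker)) for i in range(n_requests)]
    events += [(10 + i, ACCESS_LINE.replace("198.51.100.7", legit)) for i in range(5)]
    return hosts_to_ban(HTTP_FAILREGEX, events, maxretry=100, findtime=60)
```

On the live host, `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/http-flood.conf` performs the same pattern check against real log lines.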
Regularly Update and Patch Your System
Ensure all software, including the operating system and applications, is up to date to protect against known vulnerabilities.
By following these steps and continually monitoring your system, you can effectively mitigate ICMP and HTTP flood attacks and improve the overall security of your Debian server.