Today one of our client servers was hit by its worst DDoS attack so far, aimed at the server's main IP. While analysing the traffic I found it was coming from Amazon EC2 instances that had apparently been compromised. Amazon offers EC2 instances free for a year, so some people sign up, never use the instance and forget about it. Such unattended servers are easy to compromise and are then used to attack other servers.
Here is a quick way to deal with these attacks on a CentOS 7 server:
1. Log in to your server over SSH (PuTTY works fine from Windows).
2. Once you are logged in as root, install a network monitoring tool. I found Trafshow very helpful for seeing which IPs are attacking.
3. Install it with:
yum install trafshow -y
If yum reports that no package is available, install the EPEL repository first and then repeat the command above:
yum install epel-release -y
4. Once Trafshow is installed you are ready to check the incoming connections per IP. Run the following command:
trafshow -i eth0 tcp
where eth0 is the network interface; change it to match your server. If you are not sure of the interface name, run:
ifconfig
It lists all interfaces. Note that on a minimal CentOS 7 install ifconfig is not present unless the net-tools package is installed; ip addr (or ip link) does the same job and is always available.
5. Once you run trafshow -i eth0 tcp it displays all the connections with their source IPs. You can block them in various ways; one is to add the IPs to ConfigServer Firewall (CSF). Bear in mind that source addresses in a flood can be spoofed, so look for addresses that actually complete TCP connections before blocking, and that blocking on the host only helps if the attack does not already saturate your uplink; if it does, you need your hosting provider or an upstream mitigation service to filter the traffic before it reaches you.
6. Amazon publishes the list of its IP ranges as JSON (each entry carries the prefix plus the service and region it belongs to):
https://ip-ranges.amazonaws.com/ip-ranges.json
7. You can extract all the IPv4 prefixes with a short script in any language. Below is the PHP version (the IPv6 ranges live in a separate ipv6_prefixes array with an ipv6_prefix key, so they are not included here):
<?php
// Fetch the published AWS IP ranges and print every IPv4 prefix, one per line.
$json = file_get_contents("https://ip-ranges.amazonaws.com/ip-ranges.json");
if ($json === false) {
    fwrite(STDERR, "download failed\n");
    exit(1);
}
$data = json_decode($json, true);
if (!isset($data['prefixes'])) {
    fwrite(STDERR, "unexpected JSON layout\n");
    exit(1);
}
foreach ($data['prefixes'] as $entry) {
    echo $entry['ip_prefix'], "\n";
}
8. Or use these shell commands to extract the prefixes and append them to the csf.deny file (back it up first; -O keeps wget from leaving ip-ranges.json.1 behind on a second run):
cp -p /etc/csf/csf.deny /etc/csf/csf.deny.backup
wget -O ip-ranges.json https://ip-ranges.amazonaws.com/ip-ranges.json
grep '"ip_prefix"' ip-ranges.json | awk '{print $2}' | sed 's/[",]//g' >> /etc/csf/csf.deny
Then run csf -r so the firewall reloads the file. Two caveats before you do this: the list contains thousands of prefixes, and CSF only loads as many csf.deny entries as DENY_IP_LIMIT in csf.conf allows (200 by default), so most of them would silently be ignored; large lists belong in csf.blocklists or in an ipset (CSF can use ipset via LF_IPSET in csf.conf). Also, the file covers every AWS service, not just EC2, so this blocks CloudFront, S3, Route 53 health checks and any customer or monitoring service that happens to run on AWS. Filter on the "service" field (EC2) if you only want to block instances.
9. If you do not run CSF, load the prefixes into iptables (ideally through an ipset, since one rule per prefix makes the chain slow) rather than into .htaccess: an .htaccess rule is only evaluated after the TCP connection has been accepted and the HTTP request parsed, so it does nothing against a flood.
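The following script ties steps 6 to 9 together and is an added example, not code from the original post. It parses ip-ranges.json with plain awk (no jq or PHP needed), filters on the "service" field so only EC2 prefixes are selected, deduplicates them (the same prefix appears under both AMAZON and EC2), and prints ipset/iptables commands instead of appending thousands of lines to csf.deny. It assumes the one-key-per-line layout AWS publishes; the JSON below is a constructed sample in that layout, and the set name aws_ec2 is an arbitrary choice. ipset is a separate package on CentOS 7 (yum install ipset).

```shell
#!/bin/sh
# Added example: extract AWS prefixes from ip-ranges.json and emit ipset/iptables
# block rules. Assumes the one-key-per-line JSON layout AWS publishes.

# Constructed sample in the same layout as https://ip-ranges.amazonaws.com/ip-ranges.json
SAMPLE_JSON=$(cat <<'EOF'
{
  "syncToken": "0000000000",
  "createDate": "2000-01-01-00-00-00",
  "prefixes": [
    {
      "ip_prefix": "3.5.140.0/22",
      "region": "ap-northeast-2",
      "service": "AMAZON",
      "network_border_group": "ap-northeast-2"
    },
    {
      "ip_prefix": "3.5.140.0/22",
      "region": "ap-northeast-2",
      "service": "EC2",
      "network_border_group": "ap-northeast-2"
    },
    {
      "ip_prefix": "13.32.0.0/15",
      "region": "GLOBAL",
      "service": "CLOUDFRONT",
      "network_border_group": "GLOBAL"
    },
    {
      "ip_prefix": "18.130.0.0/16",
      "region": "eu-west-2",
      "service": "EC2",
      "network_border_group": "eu-west-2"
    }
  ],
  "ipv6_prefixes": [
    {
      "ipv6_prefix": "2600:1f18::/33",
      "region": "us-east-1",
      "service": "EC2",
      "network_border_group": "us-east-1"
    }
  ]
}
EOF
)

# extract_prefixes FILE [SERVICE]
# Prints unique IPv4 prefixes. With SERVICE given (e.g. EC2) only objects whose
# "service" equals it are printed, so CloudFront/S3/Route 53 ranges stay reachable.
# IPv6 objects use the key "ipv6_prefix" and are therefore skipped.
extract_prefixes() {
    awk -v want="${2:-}" '
        /"ip_prefix"/ { gsub(/[",]/, "", $2); prefix = $2 }
        /"service"/   { gsub(/[",]/, "", $2); service = $2 }
        /^[[:space:]]*}/ {
            if (prefix != "" && (want == "" || service == want)) print prefix
            prefix = ""; service = ""
        }
    ' "$1" | sort -u
}

# block_rules SETNAME  (prefixes on stdin)
# Prints the commands to load the prefixes into a hash:net ipset and drop
# matching sources with a single iptables rule; -exist makes a re-run idempotent.
block_rules() {
    set_name="$1"
    echo "ipset create $set_name hash:net -exist"
    while read -r cidr; do
        echo "ipset add $set_name $cidr -exist"
    done
    echo "iptables -I INPUT -m set --match-set $set_name src -j DROP"
}

# Stand-alone demo on the constructed sample. For real use, replace SAMPLE_FILE
# with the downloaded ip-ranges.json and pipe the output into sh once reviewed.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_JSON" > "$SAMPLE_FILE"
echo "# EC2 prefixes only:"
extract_prefixes "$SAMPLE_FILE" EC2
echo "# rules:"
extract_prefixes "$SAMPLE_FILE" EC2 | block_rules aws_ec2
```

Review the generated commands before running them, and remember to re-run the extraction periodically since AWS updates the file frequently; the ipset approach lets you flush and reload the set without touching the iptables rule.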