🛡️ Implementing DDoS Protection in Alpine Linux
Protect your Alpine Linux server from DDoS attacks! This comprehensive guide will help you implement multiple layers of DDoS protection including rate limiting, traffic filtering, and automated response systems. Let’s make your server resilient against attacks! 🚀
📋 Prerequisites
Before we start, make sure you have:
- Alpine Linux system with root access
- Basic networking knowledge
- Firewall configuration experience
- Understanding of iptables
🎯 DDoS Protection Overview
DDoS protection involves multiple defense layers working together to detect and mitigate attacks while maintaining legitimate traffic flow.
📦 Installing Protection Tools
Let’s install essential DDoS protection tools:
# Update package repository
apk update
# Install iptables and extensions
apk add iptables iptables-legacy ip6tables
# Install network monitoring tools
apk add netstat-nat tcpdump nmap
# Install fail2ban for automated blocking
apk add fail2ban
# Install nginx for reverse proxy protection
apk add nginx
# Install system monitoring tools
apk add htop iotop sysstat
# Start required services
rc-service iptables start
rc-update add iptables default🔧 Basic Firewall Configuration
Step 1: Configure iptables Rules
Set up basic protection rules:
# Clear existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH (change port if needed)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Save rules
iptables-save > /etc/iptables/rules-saveStep 2: Rate Limiting Rules
Implement connection rate limiting:
# Limit SSH connections per IP
iptables -A INPUT -p tcp --dport 22 -m recent --name SSH --set
iptables -A INPUT -p tcp --dport 22 -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
# Limit HTTP connections per IP
iptables -A INPUT -p tcp --dport 80 -m recent --name HTTP --set
iptables -A INPUT -p tcp --dport 80 -m recent --name HTTP --update --seconds 1 --hitcount 25 -j DROP
# Limit HTTPS connections per IP
iptables -A INPUT -p tcp --dport 443 -m recent --name HTTPS --set
iptables -A INPUT -p tcp --dport 443 -m recent --name HTTPS --update --seconds 1 --hitcount 25 -j DROP
# Allow legitimate connections
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPTStep 3: SYN Flood Protection
Protect against SYN flood attacks:
# Enable SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Make permanent
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
# Limit SYN rate
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
# Configure SYN backlog
echo "net.ipv4.tcp_max_syn_backlog = 1024" >> /etc/sysctl.conf
echo "net.ipv4.tcp_synack_retries = 2" >> /etc/sysctl.conf
# Apply sysctl changes
sysctl -p🚫 Advanced Traffic Filtering
Step 1: Geographic Blocking
Block traffic from specific countries:
# Install ipset for efficient IP blocking
apk add ipset
# Create ipset for blocked countries
ipset create blocked_countries hash:net
# Download country IP ranges (example for China)
wget -O - https://www.ipdeny.com/ipblocks/data/countries/cn.zone | while read line; do
ipset add blocked_countries $line
done
# Block traffic from blacklisted countries
iptables -A INPUT -m set --match-set blocked_countries src -j DROP
# Save ipset rules
ipset save > /etc/ipset.confStep 2: Protocol-based Filtering
Filter suspicious protocol usage:
# Block ping floods
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# Block UDP floods
iptables -A INPUT -p udp -m limit --limit 5/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p udp -j DROP
# Block fragmented packets
iptables -A INPUT -f -j DROP
# Block invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
# Block NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Block XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROPStep 3: Port Scanning Protection
Detect and block port scans:
# Detect port scanning
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
# Detect SYN scans
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
# Log and drop stealth scans
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP🤖 Fail2ban Configuration
Step 1: Configure Fail2ban
Set up automated IP blocking:
# Create fail2ban configuration
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
backend = auto
usedns = warn
logencoding = auto
enabled = false
mode = normal
filter = %(__name__)s[mode=%(mode)s]
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 3
bantime = 1800
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 3600
[nginx-limit-req]
enabled = true
filter = nginx-limit-req
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 3600
[ddos]
enabled = true
filter = ddos
logpath = /var/log/messages
maxretry = 50
findtime = 60
bantime = 86400
action = iptables[name=ddos, port=http, protocol=tcp]
EOF
# Create DDoS filter
cat > /etc/fail2ban/filter.d/ddos.conf << 'EOF'
[Definition]
failregex = <HOST> -.*"(GET|POST).*HTTP.*" 200
ignoreregex =
EOF
# Start fail2ban
rc-service fail2ban start
rc-update add fail2ban defaultStep 2: Custom Attack Detection
Create custom filters for specific attacks:
# HTTP flood filter
cat > /etc/fail2ban/filter.d/http-flood.conf << 'EOF'
[Definition]
failregex = <HOST> -.*"(GET|POST).*HTTP.*" (200|404|403|503)
ignoreregex =
EOF
# Add HTTP flood jail
cat >> /etc/fail2ban/jail.local << 'EOF'
[http-flood]
enabled = true
filter = http-flood
logpath = /var/log/nginx/access.log
maxretry = 100
findtime = 60
bantime = 3600
action = iptables[name=http-flood, port=http, protocol=tcp]
EOF
# Restart fail2ban
rc-service fail2ban restart🌐 Nginx DDoS Protection
Step 1: Rate Limiting Configuration
Configure Nginx rate limiting:
# Create Nginx DDoS configuration
cat > /etc/nginx/conf.d/ddos-protection.conf << 'EOF'
# Rate limiting zones
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=api:10m rate=5r/s;
# Connection limiting
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
# Request size limiting
client_max_body_size 10M;
# Timeout settings
client_body_timeout 12;
client_header_timeout 12;
keepalive_timeout 15;
send_timeout 10;
# Buffer sizes
client_body_buffer_size 1K;
client_header_buffer_size 1k;
large_client_header_buffers 2 1k;
EOF
# Update main Nginx configuration
cat > /etc/nginx/sites-available/default << 'EOF'
server {
listen 80;
server_name _;
# Apply rate limiting
limit_req zone=general burst=20 nodelay;
limit_conn conn_limit_per_ip 10;
# Block common attack patterns
location ~ \.(asp|aspx|jsp|cgi)$ {
return 444;
}
# Block suspicious requests
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
# Block requests with no user agent
if ($http_user_agent = "") {
return 444;
}
# Log suspicious activities
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location / {
try_files $uri $uri/ =404;
}
# Special rate limiting for login pages
location /login {
limit_req zone=login burst=5 nodelay;
# Your login page configuration
}
# API rate limiting
location /api/ {
limit_req zone=api burst=10 nodelay;
# Your API configuration
}
}
EOF
# Test and reload Nginx
nginx -t && rc-service nginx reloadStep 2: GeoIP Blocking
Implement geographic blocking in Nginx:
# Install GeoIP module
apk add nginx-mod-http-geoip geoip geoip-dev
# Download GeoIP database
wget -O /tmp/GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gunzip /tmp/GeoIP.dat.gz
mv /tmp/GeoIP.dat /usr/share/GeoIP/
# Configure GeoIP blocking
cat > /etc/nginx/conf.d/geoip.conf << 'EOF'
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default yes;
CN no;
RU no;
# Add other countries to block
}
EOF
# Add to server block
sed -i '/server_name _;/a\ if ($allowed_country = no) {\n return 444;\n }' /etc/nginx/sites-available/default
nginx -t && rc-service nginx reload📊 Monitoring and Alerting
Step 1: Real-time Monitoring
Monitor DDoS attacks in real-time:
# Create monitoring script
cat > /usr/local/bin/ddos-monitor.sh << 'EOF'
#!/bin/bash
LOG_FILE="/var/log/ddos-monitor.log"
ALERT_THRESHOLD=100
while true; do
TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')
# Count current connections
CONN_COUNT=$(netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -1 | awk '{print $1}')
# Check for high connection count
if [ "$CONN_COUNT" -gt "$ALERT_THRESHOLD" ]; then
echo "$TIMESTAMP - HIGH CONNECTION COUNT: $CONN_COUNT" >> $LOG_FILE
# Get top IPs
TOP_IPS=$(netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -10)
echo "$TIMESTAMP - Top IPs: $TOP_IPS" >> $LOG_FILE
# Send alert (configure your alerting method)
# mail -s "DDoS Alert" [email protected] < $LOG_FILE
fi
# Log current status
echo "$TIMESTAMP - Connections: $CONN_COUNT" >> $LOG_FILE
sleep 30
done
EOF
chmod +x /usr/local/bin/ddos-monitor.sh
# Create service for monitoring
cat > /etc/init.d/ddos-monitor << 'EOF'
#!/sbin/openrc-run
command="/usr/local/bin/ddos-monitor.sh"
command_background=true
pidfile="/var/run/ddos-monitor.pid"
depend() {
need net
}
EOF
chmod +x /etc/init.d/ddos-monitor
rc-service ddos-monitor start
rc-update add ddos-monitor defaultStep 2: Log Analysis
Set up comprehensive log analysis:
# Create log analysis script
cat > /usr/local/bin/analyze-attacks.sh << 'EOF'
#!/bin/bash
LOG_DIR="/var/log"
REPORT_FILE="/var/log/attack-report.txt"
echo "DDoS Attack Analysis Report - $(date)" > $REPORT_FILE
echo "=============================================" >> $REPORT_FILE
# Analyze Nginx logs
echo -e "\nTop attacking IPs from Nginx logs:" >> $REPORT_FILE
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -20 >> $REPORT_FILE
# Analyze iptables logs
echo -e "\nRecent iptables drops:" >> $REPORT_FILE
grep "DPT=" /var/log/messages | tail -20 >> $REPORT_FILE
# Check fail2ban status
echo -e "\nFail2ban banned IPs:" >> $REPORT_FILE
fail2ban-client status | grep "Jail list:" >> $REPORT_FILE
# System load during attacks
echo -e "\nSystem load:" >> $REPORT_FILE
uptime >> $REPORT_FILE
# Memory usage
echo -e "\nMemory usage:" >> $REPORT_FILE
free -h >> $REPORT_FILE
echo -e "\nReport generated at: $(date)" >> $REPORT_FILE
EOF
chmod +x /usr/local/bin/analyze-attacks.sh
# Schedule regular analysis
echo "*/15 * * * * /usr/local/bin/analyze-attacks.sh" | crontab -Step 3: Performance Monitoring
Monitor system performance during attacks:
# Install additional monitoring tools
apk add vnstat bandwidthd
# Configure network monitoring
vnstat -u -i eth0
rc-service vnstat start
rc-update add vnstat default
# Create performance monitoring script
cat > /usr/local/bin/perf-monitor.sh << 'EOF'
#!/bin/bash
PERF_LOG="/var/log/performance.log"
# Log system metrics
echo "$(date) - Performance Metrics:" >> $PERF_LOG
echo "CPU: $(cat /proc/loadavg)" >> $PERF_LOG
echo "Memory: $(free | grep Mem | awk '{printf "%.2f%%", $3/$2 * 100.0}')" >> $PERF_LOG
echo "Network: $(vnstat -i eth0 | grep today)" >> $PERF_LOG
echo "Active connections: $(netstat -an | grep ESTABLISHED | wc -l)" >> $PERF_LOG
echo "---" >> $PERF_LOG
EOF
chmod +x /usr/local/bin/perf-monitor.sh
# Run every 5 minutes
echo "*/5 * * * * /usr/local/bin/perf-monitor.sh" | crontab -🚨 Emergency Response
Step 1: Automated Mitigation
Set up automated attack response:
# Create emergency response script
cat > /usr/local/bin/emergency-ddos.sh << 'EOF'
#!/bin/bash
THRESHOLD=1000
CURRENT_CONN=$(netstat -ntu | wc -l)
if [ "$CURRENT_CONN" -gt "$THRESHOLD" ]; then
echo "EMERGENCY: DDoS attack detected - $CURRENT_CONN connections"
# Block all new connections temporarily
iptables -I INPUT -m state --state NEW -j DROP
# Clear existing connections
echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow
# Reduce timeout values
echo 30 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 3 > /proc/sys/net/ipv4/tcp_keepalive_probes
echo 5 > /proc/sys/net/ipv4/tcp_keepalive_intvl
# Wait and restore normal rules
sleep 300
iptables -D INPUT -m state --state NEW -j DROP
echo "Emergency measures lifted"
fi
EOF
chmod +x /usr/local/bin/emergency-ddos.shStep 2: Traffic Shaping
Implement traffic shaping during attacks:
# Install traffic control tools
apk add iproute2
# Create traffic shaping script
cat > /usr/local/bin/traffic-shape.sh << 'EOF'
#!/bin/bash
INTERFACE="eth0"
BANDWIDTH="100mbit"
# Clear existing rules
tc qdisc del dev $INTERFACE root 2>/dev/null
# Create root qdisc
tc qdisc add dev $INTERFACE root handle 1: htb default 30
# Create classes
tc class add dev $INTERFACE parent 1: classid 1:1 htb rate $BANDWIDTH
tc class add dev $INTERFACE parent 1:1 classid 1:10 htb rate 80mbit ceil $BANDWIDTH prio 1
tc class add dev $INTERFACE parent 1:1 classid 1:20 htb rate 15mbit ceil 20mbit prio 2
tc class add dev $INTERFACE parent 1:1 classid 1:30 htb rate 5mbit ceil 10mbit prio 3
# Add filters for prioritization
tc filter add dev $INTERFACE protocol ip parent 1:0 prio 1 u32 match ip dport 22 0xffff flowid 1:10
tc filter add dev $INTERFACE protocol ip parent 1:0 prio 2 u32 match ip dport 80 0xffff flowid 1:20
tc filter add dev $INTERFACE protocol ip parent 1:0 prio 3 u32 match ip dport 443 0xffff flowid 1:20
echo "Traffic shaping activated"
EOF
chmod +x /usr/local/bin/traffic-shape.sh📈 Testing Protection
Step 1: Load Testing
Test your DDoS protection:
# Install testing tools
apk add apache2-utils
# Test rate limiting
ab -n 1000 -c 50 http://your-server/
# Test concurrent connections
for i in {1..100}; do
curl -s http://your-server/ &
done
wait
# Monitor protection effectiveness
tail -f /var/log/nginx/error.log
tail -f /var/log/fail2ban.logStep 2: Validation Script
Create protection validation:
cat > /usr/local/bin/validate-protection.sh << 'EOF'
#!/bin/bash
echo "🛡️ DDoS Protection Validation"
echo "============================="
# Check iptables rules
echo "1. Checking iptables rules..."
if iptables -L | grep -q "limit:"; then
echo "✅ Rate limiting rules active"
else
echo "❌ No rate limiting rules found"
fi
# Check fail2ban status
echo "2. Checking fail2ban..."
if rc-service fail2ban status | grep -q "started"; then
echo "✅ Fail2ban is running"
else
echo "❌ Fail2ban not running"
fi
# Check Nginx configuration
echo "3. Checking Nginx protection..."
if nginx -t 2>/dev/null; then
echo "✅ Nginx configuration valid"
else
echo "❌ Nginx configuration error"
fi
# Check monitoring services
echo "4. Checking monitoring..."
if pgrep -f ddos-monitor >/dev/null; then
echo "✅ DDoS monitoring active"
else
echo "❌ DDoS monitoring not running"
fi
echo "============================="
echo "Protection validation complete"
EOF
chmod +x /usr/local/bin/validate-protection.sh🔧 Troubleshooting
Issue 1: False Positives
# Whitelist legitimate IPs
iptables -I INPUT -s TRUSTED_IP -j ACCEPT
# Adjust fail2ban sensitivity
sed -i 's/maxretry = 3/maxretry = 5/' /etc/fail2ban/jail.local
rc-service fail2ban restartIssue 2: High Resource Usage
# Optimize iptables rules
iptables-optimizer
# Reduce logging verbosity
echo "net.netfilter.nf_log_all_netns = 0" >> /etc/sysctl.conf
sysctl -pIssue 3: Legitimate Traffic Blocked
# Check current bans
fail2ban-client status
fail2ban-client status sshd
# Unban IP if needed
fail2ban-client set sshd unbanip IP_ADDRESS
# View detailed logs
tail -f /var/log/fail2ban.log📝 Best Practices Summary
- 🔄 Layer Defense - Use multiple protection layers
- ⚡ Monitor Real-time - Implement continuous monitoring
- 📊 Analyze Logs - Regular log analysis and reporting
- 🎯 Tune Rules - Adjust thresholds based on traffic patterns
- 🚨 Emergency Plan - Have automated emergency responses
- ✅ Test Regularly - Validate protection effectiveness
- 📈 Scale Resources - Ensure adequate server resources
- 🔄 Update Rules - Keep protection rules current
🎉 Conclusion
You’ve successfully implemented comprehensive DDoS protection on your Alpine Linux server! Your system now has multiple layers of defense including rate limiting, traffic filtering, automated blocking, and real-time monitoring.
Remember to regularly monitor your protection systems, analyze attack patterns, and adjust your defenses accordingly. Stay vigilant and keep your protection measures updated! 🚀
For advanced scenarios, consider implementing cloud-based DDoS protection services, BGP-based mitigation, and distributed defense systems. Keep your server safe! 🛡️
