Types of DDoS Attacks
| Type | Layer | Examples |
|---|---|---|
| Volumetric | Network (L3/L4) | UDP flood, ICMP flood, DNS amplification |
| Protocol | Transport (L4) | SYN flood, Ping of Death |
| Application | Application (L7) | HTTP flood, Slowloris, GET/POST flood |
Basic Protection with iptables
```bash
# Limit concurrent connections per source IP (port 80)
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j DROP
# Rate limit new TCP connections (this limit is global, shared by all sources)
iptables -A INPUT -p tcp --syn -m limit --limit 50/s --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
# Drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
```
Nginx Rate Limiting
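```nginx
# In the http {} context: define shared-memory zones keyed by client IP
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
server {
    # Allow bursts of up to 20 requests above the rate, served without delay
    limit_req zone=req_limit burst=20 nodelay;
    # At most 50 concurrent connections per client IP
    limit_conn conn_limit 50;
}
```
Application-Level Protection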
- Implement CAPTCHA on forms and login pages
- Add rate limiting to API endpoints
- Use CDN/proxy services (Cloudflare, AWS Shield)
- Block known bad user agents
Using Cloudflare (Recommended)
Cloudflare's free plan includes basic DDoS protection. The proxy absorbs volumetric attacks before they reach your server. Enable "Under Attack Mode" during active attacks for additional JavaScript challenges.
Monitoring for Attacks
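```bash
# Watch connection count per IP (header suppressed; port stripped so IPv6 peers stay whole)
ss -Htn | awk '{sub(/:[^:]*$/, "", $5); print $5}' | sort | uniq -c | sort -rn | head -20
# Watch request rate in real-time (counts runs of consecutive requests from the same IP)
tail -f /var/log/nginx/access.log | awk '{print $1; fflush()}' | uniq -c
```
Response Plan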
- Identify the attack type and source IPs
- Enable rate limiting and IP blocking
- Enable Cloudflare Under Attack Mode
- Contact your hosting provider if the attack exceeds your server capacity
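
To support the first response-plan step (identifying source IPs), the following added example, which is not part of the original page, buckets an nginx access log by client IP and second and reports clients whose peak exceeds the 10 r/s used in the Nginx configuration above. It assumes the default `combined` log format; the function names and sample log lines are constructed for illustration, and fixed one-second buckets only approximate how nginx itself measures rate.

```shell
#!/bin/sh
# Added example (not from the original page).
# flag_heavy_clients THRESHOLD < access.log
# Prints "PEAK IP" for every client whose busiest single second
# exceeded THRESHOLD requests, highest peak first.
flag_heavy_clients() {
    threshold="${1:-10}"   # default mirrors rate=10r/s from the nginx config
    awk -v limit="$threshold" '
        {
            ip = $1
            ts = substr($4, 2)        # "[10/Oct/2024:13:55:36" -> drop "["
            key = ip SUBSEP ts        # one bucket per client per second
            hits[key]++
            if (hits[key] > peak[ip]) peak[ip] = hits[key]
        }
        END {
            for (ip in peak)
                if (peak[ip] > limit) print peak[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log in nginx "combined" format (documentation IP ranges).
sample_log() {
    # 203.0.113.7: 12 requests inside the same second
    i=0
    while [ "$i" -lt 12 ]; do
        printf '%s - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"\n' 203.0.113.7
        i=$((i + 1))
    done
    # 198.51.100.4: 3 requests spread over 3 seconds
    for s in 36 37 38; do
        printf '198.51.100.4 - - [10/Oct/2024:13:55:%s +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"\n' "$s"
    done
}

# Only the client above 10 requests in one second is reported.
sample_log | flag_heavy_clients 10
```

On a live server, feed it a recent slice of the log, for example `tail -n 50000 /var/log/nginx/access.log | flag_heavy_clients 10`.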