The Cyber-Survival Guide - by yours truly.

PS: the events below are just an example, not something that actually took place, but they are actions you can take in the case of a DoS attack.

  1. Check for a high load.

This can be done by running the 'uptime' command. The three numbers are the 1-, 5- and 15-minute load averages, and what counts as "high" depends on how many CPU cores the server has; on a loaded server the output should look like this:

xxx load average: 15.08, 18.30, 20.63
  2. Check who is connected.

If you are not sure whether it is a DoS attack or just a single IP abusing the connection, issue the following command to list the IP addresses with the most connections to your server:

netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

If you want to check a different port, change the number where it says "grep :80" to the desired port. The output should look like this:

215 122.163.226.243
189 114.198.236.100
156 120.63.179.245
 38 141.0.9.20
 37 49.248.0.2
 37 153.100.131.12
 31 223.62.169.73
 30 65.248.100.253
 29 203.112.82.128
 29 182.19.66.187

Here are the connected IPs. As you can see, the top three, which I have labeled, are taking 150+ connections each, which should not be the case. What are they trying to do? Let's take a look.

  3. Null route.
215 122.163.226.243
189 114.198.236.100
156 120.63.179.245

I believe the above IPs are the cause of the high load, so let's null route them so that all incoming connections from those three IPs are dropped or ignored, and see if the problem is solved.

There are two commands you can use; the second is an alternative to the first.

Null route command:

route add 122.163.226.243 gw 127.0.0.1 lo
route add 114.198.236.100 gw 127.0.0.1 lo
route add 120.63.179.245 gw 127.0.0.1 lo

Alternative command:

route add -host 122.163.226.243 reject
route add -host 114.198.236.100 reject
route add -host 120.63.179.245 reject

Do not use the IPs entered above, as they are just an example; change them to the IP(s) that are causing the high load.

Then use 'netstat -nr' to display all the routes and make sure they were added to the routing table; the output should look like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
114.198.236.100 127.0.0.1       255.255.255.255 UGH       0 0          0 lo
120.63.179.245  127.0.0.1       255.255.255.255 UGH       0 0          0 lo
122.163.226.243 127.0.0.1       255.255.255.255 UGH       0 0          0 lo

Now check the load average again to see if the problem is solved; the output should look roughly like this:

load average: 1.08, 5.30, 30.63

As you can see, the numbers are much lower than before. The 1-minute figure is the one to watch; the 15-minute average still includes the time the attack was running, so it takes a while to come down.

For our final step, check all the connected IPs again to see if the attacker's IPs are gone:

 40 141.0.9.20
 37 49.248.0.2
 36 153.100.131.12
 31 223.62.169.73
 25 65.248.100.253
 29 203.112.82.128
 29 182.19.66.187
 38 142.0.9.20
 28 141.121.9.20
 38 141.0.9.201

As you can see they are gone, which means this was a success. Now, this is not a fix that will always work, as the root of the problem may lie elsewhere; if it is just a DoS attack, though, the chances are it will be fixed and your problem is now solved.
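The three steps above (count connections per remote IP, pick out the heavy hitters, null route them) as a single reviewable script. This is an added example and not part of the original guide: the netstat output it parses is a constructed sample (documentation-range addresses), the function names are mine, and the thresholds are illustrative. It differs from the guide's one-liner in two places a practitioner will care about: it matches the *local* port exactly (the guide's 'grep :80' also matches :8080 and remote ports ending in 80), and it strips only the trailing ':port' from the peer address, so IPv6 peers are kept whole (the guide's 'cut -d: -f1' would reduce 2001:db8:1::9 to "2001"). It prints the null-route commands for review instead of running them, using the 'ip route add blackhole' form, which is the modern equivalent of the 'route add ... reject' shown above.

```shell
#!/bin/sh
# Added example, not code from the original guide.
# SAMPLE_NETSTAT is constructed to look like `netstat -tn` output; in real use
# replace `printf '%s\n' "$SAMPLE_NETSTAT"` with `netstat -tn 2>/dev/null`.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51236      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      ESTABLISHED
tcp        0      0 10.0.0.5:8080           192.0.2.99:40003        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.50:40004        ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:40005     ESTABLISHED'

# count_by_peer PORT
# Reads netstat -tn style lines on stdin and prints "count peer-ip" lines,
# busiest peer first, for connections whose LOCAL port is exactly PORT.
# Only the trailing ":port" is removed from the foreign address, so IPv6
# peers (which contain colons) survive intact.
count_by_peer() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") {
            peer = $5
            sub(/:[0-9]+$/, "", peer)
            count[peer]++
        }
        END { for (p in count) printf "%d %s\n", count[p], p }
    ' | sort -nr
}

# flag_peers THRESHOLD
# Reads "count peer-ip" lines and prints only the peers at or above THRESHOLD.
# Pick the threshold from the normal traffic you see, not from a fixed number.
flag_peers() {
    awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

# null_route_cmds
# Turns flagged peers into blackhole-route commands and prints them for
# review. Nothing is executed: inspect the list, then run it as root.
null_route_cmds() {
    while read -r ip; do
        printf 'ip route add blackhole %s\n' "$ip"
    done
}

# Demonstration on the constructed sample: peers with 3+ connections to :80.
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_peer 80 | flag_peers 3 | null_route_cmds
```

Two caveats before acting on the printed list. A blackhole route stops the server answering a source, but the attacker's packets still arrive on the link, so it helps with application load and not with a saturated uplink. And a single busy IP is sometimes a NAT gateway or proxy with many legitimate users behind it, so check a few of the flagged addresses (and whether the connections are real requests or half-open) before cutting them off. Routes added this way are also not persistent across a reboot, which is usually what you want for an emergency block.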

I hope this proved helpful and if you wish to get in contact or want more info/help you can do so at 'informationdot@protonmail.com'

Thank you for your time.

First and foremost, for those who are interested, I suggest checking out xbdm's blog (https://blog.xbdm.fun), which both influenced me to start a blog and provided me with an invite link, so a big thanks to them. They have lots of interesting and detailed posts regarding securing your data and privacy, among some other topics. I recommend that you look him up if you value your privacy, want to learn something new, or both.

So, first and foremost, who am I? I'm a cyber-security and privacy enthusiast these days, and I also do some programming in my spare time. I'd like to share with you how you can stay anonymous online and prevent others from breaching your privacy for any longer than they already have, as well as other topics. In the meantime, until I decide whether or not I want my blogs to be categorized, my content will be varied.

In further depth, my postings will be centered on privacy, programming, and some cyber-security, as well as potentially some news on these topics. On top of that, I will be sharing other things that I think are interesting enough to put on here. There aren't a lot of ways to contact me right now, but don't worry! I'll either write a quick blog on how to accomplish it or provide instructions in my next blog.

Thank you for your time.