Simulate and Mitigate DDoS Attacks on Linux with Docker and iptables
This tutorial walks through setting up a three‑host Linux environment, using Docker, sar, hping3, tcpdump and iptables to reproduce a SYN‑Flood DDoS attack, analyze its impact, and apply kernel and firewall tweaks to mitigate the attack.
What Is a DDoS?
DDoS (Distributed Denial of Service) expands the classic DoS attack by using many compromised hosts to flood a target, exhausting bandwidth, system resources, or application resources.
Case Preparation
Three Linux machines are required: an application server, an attacker, and a client. Install docker, sar, hping3, tcpdump and curl on each.
Application Server
Start a simple nginx container:
[root@app ~]# docker run -itd --name=nginx --network=host nginx
[container ID] ...
[root@app ~]# docker ps
Client
Verify the service with curl:
[root@client ~]# curl -s -w 'Http code: %{http_code}
Total time:%{time_total}s
' -o /dev/null http://172.31.88.139
Http code: 200
Total time:0.002437s
Attacker
Generate a SYN‑Flood using hping3:
# hping3 -S -p 80 -i u10 --flood 192.168.0.30
Mitigation Attempt
After the flood, the client request times out:
[root@client ~]# curl -s -w 'Http code: %{http_code}
Total time:%{time_total}s
' -o /dev/null http://172.31.88.139
Http code: 000
Total time:10.001s
curl: (28) Connection timed out after 10000 milliseconds
Inspect network stats with sar and capture packets with tcpdump to see thousands of SYN packets (≈54 B each), confirming a SYN‑Flood.
Use netstat to reveal many connections in SYN_RECV state, indicating half‑open connections filling the connection table:
# netstat -n -p | grep SYN_REC
Block the offending source IP with iptables:
# iptables -I INPUT -s 172.31.82.28 -p tcp -j REJECT
For dynamic sources, limit SYN packets instead:
# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
# iptables -I INPUT -p tcp --dport 80 --syn -m recent --name SYN_FLOOD --update --seconds 60 --hitcount 10 -j REJECT
Both rules need companions to take effect: the limit rule only accepts SYNs within the rate, so a following DROP rule (or a DROP default policy on INPUT) must discard the excess, and the recent match's --update only matches addresses already in the SYN_FLOOD list, so a --set rule must add them first.
TCP Optimizations
Increase the half‑open queue and reduce retries:
# sysctl -w net.ipv4.tcp_max_syn_backlog=1024
# sysctl -w net.ipv4.tcp_synack_retries=1
Enable SYN cookies to avoid keeping half‑open state:
# sysctl -w net.ipv4.tcp_syncookies=1
Persist these settings in /etc/sysctl.conf and reload with sysctl -p.
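The netstat check and the synack_retries/backlog tuning above can be explored with the following Python script, added here as an example and not part of the original tutorial. It parses constructed netstat -n output (the addresses follow the lab, server 172.31.88.139 and attacker 172.31.82.28, but every line is made up), counts SYN_RECV entries per remote source, flags sources over the same hitcount of 10 the recent rule uses, and estimates how long each half-open entry lives for a given net.ipv4.tcp_synack_retries, which is why lowering it and raising tcp_max_syn_backlog helps. The lifetime formula assumes Linux's 1 s initial SYN-ACK retransmit timer with doubling backoff; the steady-state estimate is a first-order Little's-law model that ignores SYN cookies and the kernel's queue-pressure heuristics.

```python
"""Count half-open connections per source from netstat output and estimate how the
synack_retries / max_syn_backlog tunables change the pressure on the SYN queue."""
import re
from collections import Counter

# Constructed sample of `netstat -n -p | grep SYN_REC` output. Addresses follow the
# tutorial's lab (server 172.31.88.139, attacker 172.31.82.28); the lines are invented.
FLOOD_SOURCE = "172.31.82.28"
SAMPLE_NETSTAT = "\n".join(
    [f"tcp        0      0 172.31.88.139:80        {FLOOD_SOURCE}:{40000 + i}      SYN_RECV    -"
     for i in range(25)]
    + ["tcp        0      0 172.31.88.139:80        10.0.0.7:51001          SYN_RECV    -",
       "tcp        0      0 172.31.88.139:80        10.0.0.9:52010          ESTABLISHED 1234/nginx"]
)

# proto  recv-q  send-q  local-address  foreign-address  state  [pid/program]
NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)"
)


def half_open_by_source(netstat_text):
    """Count SYN_RECV entries per remote IP: the half-open connections the kernel is holding."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m.group("state") != "SYN_RECV":
            continue
        remote_ip = m.group("remote").rsplit(":", 1)[0]  # strip the port
        counts[remote_ip] += 1
    return counts


def flag_sources(counts, threshold=10):
    """Return sources holding more than `threshold` half-open connections, busiest first.
    The default of 10 mirrors the --hitcount of the tutorial's iptables recent rule."""
    return [ip for ip, n in counts.most_common() if n > threshold]


def half_open_lifetime(synack_retries, initial_rto=1.0):
    """Seconds a half-open entry occupies the SYN queue before the kernel gives up.
    Linux retransmits the SYN-ACK with exponential backoff (1 s, 2 s, 4 s, ...) and waits
    one more doubled interval after the last retry, so the total is initial_rto * (2**(n+1) - 1).
    Default synack_retries=5 gives 63 s; the tutorial's value of 1 gives 3 s."""
    return sum(initial_rto * 2 ** i for i in range(synack_retries + 1))


def expected_half_open(syn_rate_per_s, synack_retries, initial_rto=1.0):
    """First-order estimate (Little's law): steady-state half-open entries = arrival rate x lifetime.
    Ignores SYN cookies and the kernel's queue-pressure heuristics (an assumption of this model)."""
    return syn_rate_per_s * half_open_lifetime(synack_retries, initial_rto)


def backlog_overflows(syn_rate_per_s, synack_retries, max_syn_backlog):
    """True if the estimated half-open population exceeds net.ipv4.tcp_max_syn_backlog."""
    return expected_half_open(syn_rate_per_s, synack_retries) > max_syn_backlog


if __name__ == "__main__":
    counts = half_open_by_source(SAMPLE_NETSTAT)
    print("half-open per source:", dict(counts))
    print("flagged sources:", flag_sources(counts))
    for retries in (5, 1):
        print(f"synack_retries={retries}: lifetime={half_open_lifetime(retries):.0f}s, "
              f"at 100 SYN/s about {expected_half_open(100, retries):.0f} half-open entries, "
              f"overflows backlog 1024: {backlog_overflows(100, retries, 1024)}")
```

Run it on real data with `netstat -n -p | python3 -c 'import sys, syn_check; ...'` or by replacing SAMPLE_NETSTAT with the captured text; the point of the lifetime helper is to show that at a modest 100 SYN/s the default 63 s lifetime alone exceeds a 1024-entry backlog, whereas synack_retries=1 keeps the estimate well under it.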
Conclusion
DDoS attacks overwhelm services with massive bogus traffic, making complete prevention impossible; however, by monitoring traffic, filtering malicious packets, limiting SYN rates, and tuning kernel TCP parameters, their impact can be significantly reduced.
MaGe Linux Operations