In the tech world, few things are scarier than seeing your website, API, or entire server go down while you can do nothing. Suddenly, traffic spikes, CPU hits 100%, and 'Error 503' becomes king. This is the cruelest face of a DDoS attack.
Understanding this deeply is not just a technical skill, it's an art. In this guide, we'll tear apart every aspect of these attacks: from attack tools like hping3 to the deepest defenses using iptables, cloud providers, and configurations to protect even your Docker containers.
1. The Inverted Funnel: What Exactly is a DDoS Attack?
Imagine a trendy restaurant. You only have 50 tables. One day, 10,000 people arrive at once, not to eat, but just to stand in the doorway and stop anyone else from entering. That is a Distributed Denial of Service (DDoS) attack.
- Denial of Service (DoS): It's a single person (or computer) blocking the door. It is easier to stop.
- Distributed Denial of Service (DDoS): Thousands of people (a botnet or 'zombie' computer army) blocking the door. It is a war.
The goal is simple: saturate your server's resources (bandwidth, RAM, CPU) so legitimate users cannot access it.
2. The Heart of Deception: Spoofing and Amplification
Here is a key concept few explain well: spoofing. It is the art of digital deception. Basically, the attacker fakes their identity so they aren't caught or to make the attack more destructive.
- IP Spoofing: The attacker sends a data packet but puts a fake source address. It's like sending a letter with your worst enemy's name and address as the sender. When the server replies, it replies to them, not you.
- Amplification: This is the attackers' favorite dirty trick. They use spoofing to ask a legitimate server (like a DNS server) for a ton of information, claiming you requested it. The obedient server dumps all that data onto your IP. Small request, huge disaster.
3. The ABCs of Attacks: Types You Must Know
DDoS attacks are classified by the OSI model layer they target. Simply put, imagine your service is a building: Layer 3 and 4 (Network and Transport) attack the foundation. Layer 7 (Application) attacks the penthouse with an endless party.
3.1. Volumetric Attacks (Clogging the pipe)
- DNS Amplification: The attacker lies (spoofing) and asks hundreds of DNS servers for heavy data using your IP. Boom, data rains down on you.
- Smurf Attack: Uses ICMP (ping). The attacker pings the broadcast address of a large network pretending to be you. Every device replies to you at once.
- UDP Flood: They send an avalanche of UDP packets to random ports. Your machine goes crazy checking if anyone is waiting for those packets and collapses.
3.2. Protocol Attacks (Hanging the line)
SYN Flood: TCP connections require a three-way handshake (SYN, SYN-ACK, ACK). The attacker sends thousands of initial greetings (SYN) with fake source addresses. The server replies and waits for the final ACK, which never comes, leaving each connection 'half-open'. Its connection table fills with these unanswered greetings until it can no longer serve anyone.
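The half-open state a SYN flood leaves behind is visible from user space: ss -tan (mentioned under monitoring later in this guide) lists every connection with its TCP state, and a flood shows up as a pile of SYN-RECV entries. The following Python script is an added example written for this guide, not code from the original article. It parses a constructed ss -tan snapshot (the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 stand in for real peers), counts half-open connections per local port and per peer IP, and separates a flood coming from a few repeat offenders from one spread across many addresses. The second case is the spoofed flood, where per-IP rules cannot help and SYN cookies (net.ipv4.tcp_syncookies = 1) are the right mitigation. The thresholds are assumptions sized for the sample; derive real ones from your server's normal baseline.

```python
"""Spot SYN-flood signatures in `ss -tan` output.

Added example for this guide (not code from the article). Run as
    ss -tan | python3 syn_recv_check.py -
or without arguments to analyse the constructed sample below.
"""
import json
import sys
from collections import Counter

# Constructed `ss -tan` snapshot (not captured from a real host); peer addresses
# come from the RFC 5737 documentation ranges.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
LISTEN    0      511    0.0.0.0:80           0.0.0.0:*
LISTEN    0      128    0.0.0.0:22           0.0.0.0:*
ESTAB     0      0      10.0.0.5:22          198.51.100.2:40000
ESTAB     0      0      10.0.0.5:80          198.51.100.9:40122
TIME-WAIT 0      0      10.0.0.5:80          198.51.100.9:40121
SYN-RECV  0      0      10.0.0.5:80          203.0.113.7:51234
SYN-RECV  0      0      10.0.0.5:80          203.0.113.18:51235
SYN-RECV  0      0      10.0.0.5:80          203.0.113.29:51236
SYN-RECV  0      0      10.0.0.5:80          203.0.113.40:51237
SYN-RECV  0      0      10.0.0.5:80          203.0.113.51:51238
SYN-RECV  0      0      10.0.0.5:80          203.0.113.62:51239
SYN-RECV  0      0      10.0.0.5:80          203.0.113.73:51240
SYN-RECV  0      0      10.0.0.5:80          203.0.113.84:51241
SYN-RECV  0      0      10.0.0.5:80          203.0.113.95:51242
SYN-RECV  0      0      10.0.0.5:443         192.0.2.11:60001
"""


def parse_ss(text):
    """Return (state, local_port, peer_ip) for each connection line of `ss -tan`."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # blank line or column header
        state, local, peer = fields[0], fields[3], fields[4]
        # rsplit on the last ':' keeps bracketed IPv6 addresses intact.
        rows.append((state, local.rsplit(":", 1)[1], peer.rsplit(":", 1)[0]))
    return rows


def half_open_report(text, total_threshold=8, per_ip_threshold=3):
    """Summarise SYN-RECV (half-open) connections and judge whether it looks like a flood.

    Thresholds are assumptions sized for the sample; derive real ones from your baseline.
    """
    half_open = [(port, ip) for state, port, ip in parse_ss(text) if state == "SYN-RECV"]
    by_port = Counter(port for port, _ in half_open)
    by_ip = Counter(ip for _, ip in half_open)
    noisy_ips = sorted(ip for ip, n in by_ip.items() if n >= per_ip_threshold)
    flood = len(half_open) >= total_threshold
    return {
        "half_open": len(half_open),
        "by_port": dict(by_port),
        "distinct_sources": len(by_ip),
        "noisy_ips": noisy_ips,  # candidates for per-IP rules (connlimit/hashlimit)
        "flood_suspected": flood,
        # Many half-open connections with no repeat offender is the fingerprint of
        # spoofed sources: block lists will not help, SYN cookies will.
        "likely_spoofed": flood and not noisy_ips,
    }


if __name__ == "__main__":
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_SS_OUTPUT
    print(json.dumps(half_open_report(text), indent=2))
```

On the sample the report finds ten half-open connections from ten distinct sources and no address above the per-IP threshold, so it flags a suspected, likely spoofed flood; that is the situation where the kernel-side mitigation in the checklist at the end of this guide matters more than any iptables block list.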
3.3. Layer 7 Attacks (The most cunning)
- HTTP Flood: Like 10,000 people pressing 'F5' on your website simultaneously. Mass requests. To an untrained eye, it looks like 'normal' traffic.
- Slowloris: The attacker opens connections and sends data very, very slowly. The server keeps the connection open waiting for the rest, eventually maxing out open connections.
- API Attacks: Targeting specific endpoints that require heavy processing (like a heavy database query). A few well-crafted requests can take down the back-end.
4. The Hacker's Arsenal: Tools like hping3
hping3 is a Swiss army knife for packet crafting. There are also frameworks like LOIC or HOIC that are easier to use, and a 10,000-PC botnet running LOIC can be devastating.
# SYN Flood Attack (The classic)
hping3 -S --flood -p 80 <YOUR_SERVER_IP>
# UDP Flood Attack
hping3 -2 --flood -p 53 <YOUR_SERVER_IP>
# ICMP Flood Attack (a flood of ordinary pings, not the oversized-packet 'Ping of Death')
hping3 -1 --flood <YOUR_SERVER_IP>
# Spoofed Attack (Forging the source)
hping3 -S -a <IP_TO_SPOOF> --flood -p 80 <YOUR_SERVER_IP>
5. The Fortress: How to Protect Yourself
Defense isn't one thing, it's layered. Best practices include increasing bandwidth (a buffer, not a solution), load balancers to distribute traffic, and redundancy across data centers.
5.2. Linux's King of Defense: IPTables in Depth
iptables is the Linux kernel firewall. It isn't 'a firewall', it is THE firewall. Tables are where rules live (filter, nat, mangle) and chains (INPUT, OUTPUT, FORWARD) are the checkpoints.
# These are independent snippets. iptables evaluates rules top to bottom and the
# first terminating match (ACCEPT/DROP/REJECT) wins, so order them deliberately.
# 1. Limit new SSH connections to 3 per minute per source IP (anti-bruteforce):
#    the 4th SYN from the same address within 60 seconds is dropped.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
# Limit new HTTP connections (--syn) to 50/sec with a burst of 100.
# -m limit is a single global counter, not per source IP. Without --syn it would
# also drop packets that belong to already-established connections.
iptables -A INPUT -p tcp --syn --dport 80 -m limit --limit 50/second --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 80 -j DROP
# 2. GeoIP Blocking (Requires the xt_geoip module from xtables-addons)
iptables -A INPUT -m geoip --src-cc RU,CN,KP -j DROP
# 3. Port Scan Prevention (XMAS Scan: FIN, URG and PSH set, every other flag clear)
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m -j LOG --log-level 7 --log-prefix "XMAS Scan:"
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# 4. connlimit module (reject more than 20 concurrent connections to port 80 from one /32, i.e. one IP)
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j REJECT
# 5. hashlimit module (10 new HTTPS connections per second per source IP, burst 20).
#    The ACCEPT alone does nothing: the excess must be dropped by the rule that follows.
iptables -A INPUT -p tcp --syn --dport 443 -m hashlimit --hashlimit-name https --hashlimit 10/sec --hashlimit-burst 20 --hashlimit-mode srcip -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 443 -j DROP
5.3. Web Application Firewalls (WAF) & Monitoring
iptables looks at the network, but a WAF looks at web content. ModSecurity is the standard with rules to block SQL injections and web DDoS. ModEvasive acts as a 'neurotic bouncer', blocking IPs requesting the same page too fast.
<IfModule mod_evasive24.c>
# Apache does not accept a comment after a directive on the same line,
# so each note sits on its own line.
DOSHashTableSize 3097
# Max 2 requests to the same page per DOSPageInterval
DOSPageCount 2
# Max 50 total requests to the site per DOSSiteInterval
DOSSiteCount 50
# Intervals in seconds
DOSPageInterval 1
DOSSiteInterval 1
# How long (seconds) an offending IP stays blocked
DOSBlockingPeriod 10
</IfModule>
For monitoring: nload/iftop (real-time bandwidth), netstat or ss -tan (established connections), tcpdump (packet sniffer), and vnstat (historical stats). Snort/Suricata act as IDS/IPS looking for malicious patterns.
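To make DOSPageCount, DOSSiteCount and DOSBlockingPeriod concrete, here is an added Python re-implementation of the same counting logic (an approximation written for this guide, not mod_evasive's own code) replayed over a constructed Apache access log. With the values from the configuration above, the third request for the same page within one second gets the IP blocked for ten seconds, further requests during the block push the expiry out, and a normal visitor loading a page together with its CSS and JS is untouched. One caveat the example makes visible: the counters are keyed on the source IP the web server sees, so behind a proxy or a CDN (section 6) every client would appear as the proxy's address and the key has to be the forwarded client IP instead.

```python
"""Replay an Apache access log through mod_evasive-style counters.

Added example approximating mod_evasive's logic (not the module's own code),
using the DOSPageCount/DOSSiteCount/DOSBlockingPeriod values from the
configuration above.
"""
import re
from datetime import datetime

# Combined log format: ip ident user [time] "method uri proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed log lines (not from a real server). 203.0.113.7 hammers /login,
# 198.51.100.2 is an ordinary visitor fetching a page and its assets.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "bot/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "bot/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "bot/1.0"
198.51.100.2 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:36 +0000] "GET /style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:36 +0000] "GET /app.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 512 "-" "bot/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /login HTTP/1.1" 200 512 "-" "bot/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:58 +0000] "GET /login HTTP/1.1" 200 512 "-" "bot/1.0"
"""


def parse_line(line):
    """Return (ip, uri, unix_time) or None for a line not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], m["uri"], ts


class EvasiveLimiter:
    """Per-IP counters: same-page hits, whole-site hits, and a block list."""

    def __init__(self, page_count=2, site_count=50, page_interval=1,
                 site_interval=1, blocking_period=10):
        self.page_count, self.site_count = page_count, site_count
        self.page_interval, self.site_interval = page_interval, site_interval
        self.blocking_period = blocking_period
        self.page_hits = {}      # (ip, uri) -> (last_seen, count)
        self.site_hits = {}      # ip -> (last_seen, count)
        self.blocked_until = {}  # ip -> unix time the block expires

    @staticmethod
    def _bump(table, key, ts, interval):
        last, count = table.get(key, (None, 0))
        # Hits within `interval` seconds of the previous one accumulate; a gap resets.
        count = count + 1 if last is not None and ts - last <= interval else 1
        table[key] = (ts, count)
        return count

    def check(self, ip, uri, ts):
        """True if the request may proceed, False if it should be answered with 403."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if ts < until:
                # Requests made while blocked push the expiry further out.
                self.blocked_until[ip] = ts + self.blocking_period
                return False
            del self.blocked_until[ip]
        page = self._bump(self.page_hits, (ip, uri), ts, self.page_interval)
        site = self._bump(self.site_hits, ip, ts, self.site_interval)
        if page > self.page_count or site > self.site_count:
            self.blocked_until[ip] = ts + self.blocking_period
            return False
        return True


def replay(log_text, limiter=None):
    """Run every parsable line through the limiter; returns [(ip, uri, allowed), ...]."""
    limiter = limiter or EvasiveLimiter()
    decisions = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, uri, ts = parsed
            decisions.append((ip, uri, limiter.check(ip, uri, ts)))
    return decisions


if __name__ == "__main__":
    for ip, uri, allowed in replay(SAMPLE_LOG):
        print(f"{ip:<14} {uri:<12} {'allow' if allowed else '403 (blocked)'}")
```

Replaying the sample allows the attacker's first two hits, blocks the third, keeps it blocked at :37 and :41 (each attempt extends the block), and lets it through again at :58 once the extended period has lapsed; the visitor's three requests are all allowed.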
6. Providers: When to Stop Fighting Alone
Eventually, your server can't handle it. Services like Cloudflare, AWS Shield, or Google Cloud Armor absorb the hit. Pro tip: configure iptables to ACCEPT web traffic only from Cloudflare IP ranges and DENY the rest.
# Example: Accept web traffic ONLY from Cloudflare
# 173.245.48.0/20 is one of Cloudflare's published ranges; add one ACCEPT per
# range (and repeat the pair for port 443) before the final DROP.
iptables -A INPUT -p tcp --dport 80 -s 173.245.48.0/20 -j ACCEPT # Cloudflare Range
iptables -A INPUT -p tcp --dport 80 -j DROP
7. Defending Modernity: Docker and Containers
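Only one Cloudflare range is shown above; in practice one ACCEPT per published range is needed, for both 80 and 443, before the final DROP, and the list changes over time. The Python helper below is an added example written for this guide (not Cloudflare's or the article's code). It generates the full rule list from a snapshot of ranges (the 173.245.48.0/20 used above plus a few more of Cloudflare's IPv4 ranges; refresh them from Cloudflare's published list before deploying), and answers the debugging question "would this source get through?" with the standard ipaddress module, which is exactly what you need when a health checker or your own office is suddenly being dropped. The chain name is a parameter (default INPUT).

```python
"""Generate a Cloudflare-only allowlist for iptables and check addresses against it.

Added example for this guide. The ranges below are a snapshot (the article's
173.245.48.0/20 plus a few more of Cloudflare's published IPv4 ranges); fetch
the current list from Cloudflare before deploying, because it changes.
"""
import ipaddress

CLOUDFLARE_V4_SNAPSHOT = [
    "173.245.48.0/20",   # the range used in the article
    "103.21.244.0/22",
    "141.101.64.0/18",
    "108.162.192.0/18",
    "104.16.0.0/13",
    "172.64.0.0/13",
]


def parse_ranges(ranges):
    """Parse CIDR strings strictly, so a typo such as 104.16.1.0/13 is rejected."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def allowlist_rules(ranges, ports=(80, 443), chain="INPUT"):
    """Emit the iptables commands: one ACCEPT per range per port, then a DROP per port.

    Every ACCEPT must precede the DROP: iptables stops at the first terminating match.
    """
    nets = parse_ranges(ranges)
    rules = []
    for port in ports:
        for net in nets:
            rules.append(f"iptables -A {chain} -p tcp --dport {port} -s {net} -j ACCEPT")
        rules.append(f"iptables -A {chain} -p tcp --dport {port} -j DROP")
    return rules


def is_allowed(source_ip, ranges):
    """Would a packet from source_ip hit an ACCEPT, or fall through to the DROP?"""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in parse_ranges(ranges))


if __name__ == "__main__":
    print("\n".join(allowlist_rules(CLOUDFLARE_V4_SNAPSHOT)))
    # 198.51.100.2 is a documentation address standing in for a direct visitor.
    for probe in ("173.245.48.10", "198.51.100.2"):
        verdict = "allowed" if is_allowed(probe, CLOUDFLARE_V4_SNAPSHOT) else "dropped"
        print(f"# {probe}: {verdict}")
```

Run it once to print the rules, review them, and only then paste them into your firewall script; the strict CIDR parsing means a mistyped range fails loudly here instead of silently matching the wrong network in iptables.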
Containers add complexity. Never run a container without limits. Docker modifies iptables rules for you to publish ports. If you have custom rules, put them in the DOCKER-USER chain so they process first.
# Limit Resources in Docker
docker run -d --name my_app --cpus="0.5" --memory="512m" --restart always my_image
# Block all incoming traffic to containers from a specific IP
# (DOCKER-USER is evaluated before the rules Docker manages itself)
iptables -I DOCKER-USER -i eth0 -s 192.168.1.100 -j DROP
8. Conclusion and Survival Checklist
DDoS attacks are not a myth, they are a daily reality. This journey proves security is a process, not a product.
- Know your traffic: Use netstat and iftop regularly.
- Tune the Kernel: Adjust network parameters (e.g., net.ipv4.tcp_syncookies = 1).
- IPTables is your friend: Implement rate limiting and IP blocks.
- Layer 7: You need ModSecurity or a WAF.
- Accept help: For large attacks, a provider (Cloudflare, AWS) is the only way out.
- Protect containers: Always with CPU and RAM limits.
“There are only two types of companies: those that have been hacked, and those that don't know it yet.”