DOS Detection

You are here:
Estimated reading time: 1 min
In this article

DoS vs DDoS
The server’s load is high due to (Distributed) Denial of Service attacks ((D)DoS).In the case of DoS attacks, there are multiple connections established from an IP, and BitNinja will block the IP address if the number of connections reaches our threshold.

In the case of DDoS, the attack comes from multiple IP addresses at the same time. None of the IP addresses establish enough connections at the time to identify the requests as DoS attacks but their combined number of connections still causes issues.

BitNinja offers indirect protection against DDoS

No software-based solution offers direct protection against DDoS attacks as all requests need to be processed in some way. True DDoS mitigation can be implemented only via some sort of hardware-based solution.

If you suspect that you are under a DDOS attack, then enable the rate limiting feature in BitNinja.


BitNinja blocks most of the infected server’s IP addresses via the challenge list or the block list. So most o the malicious attacks are already blocked

  1. Check the number of connections per IP addresses with this command
    netstat -ant | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn|head -n 10
  2. Lower the DoS protection’s threshold value in the /etc/bitninja/DosDetection/config.ini file this way eliminating most of the danger.
  3. Go to /etc/bitninja/DosDetection/config.ini
  4. Under the [tresholds] flag with the general variable you can limit the number of connections per Ip addresses you can also set the number of maximal connections per IP per ports
  1. Reload the module with bitninjacli --module=DosDetection --reload command
  2. Run: netstat -antu | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c again to check the results
You can check if the changes have taken effect with the bitninjacli --module=DosDetection --show-config command
The General threshold setting in the Configurations -> DOS Detection menu does NOT apply to ports 80, 443, 60300, 60301. It only applies to ports that are have no specific threshold set up.

The default threshold for ports 80 and 443 is 200 connections per IP address. If the attack is coming via HTTP or HTTPS then you will need to add the below two lines to the config.
local[80] = <limit here>
local[443] = <limit here>

If the WAF module is enabled then the attackers are connecting via port 60300 and port 60301.
In these ports’ cases, the DosDetection module’s default threshold is also 200.

So the below lines need to be added to the config file:
local[60300] = <limit here>
local[60301] = <limit here>

You can block IP addresses manually by challenge listing them or block listing them from the Dashboard

  • Go to the Firewall -> Block list menu, and add the IP addresses to your block list or use
    bitninjacli --blacklist --add=<IP address>
  • Insert the IP into the search field and click on the “+ challenge list” button or use bitninjacli --greylist --add=<IP address>
In this case, we assume that everything is correctly configured.

– If you use any Proxy or load balancer or CDN service the trusted proxy module must be enabled and the X-Forwarded-For header set up correctly. You can find the instructions here.
– If the WAF module is enabled either the Transparent proxy mode or the X-Forwarded-For header needs to be set up. You can find the instructions here.

Views: 49