HOW TO CHECK WHETHER LINUX SERVER IS UNDER DDOS ATTACK

DDoS – Distributed Denial of Service attack

DDoS or DoS (Denial of Service) is an attack on a server in which the server's resources become unavailable to its users. It is typically defined as the loss of network connectivity and services caused by consuming the bandwidth and resources of the victim network or by overloading the victim server. The most common form is an attempt to "flood" the network with bogus packets, thereby crowding out legitimate traffic.

Display all active Internet connections to the server; only established connections are included.

 #netstat -an | grep :80 | sort

Show only active Internet connections to the server on port 80 and sort the results. Useful in detecting a single flood by allowing you to recognize many connections coming from one IP. 

 #netstat -n -p|grep SYN_REC | wc -l

Find out how many connections in the SYN_REC (half-open) state are currently on the server. The number should be pretty low, preferably less than 5. During DoS attacks or mail bombs the number can jump quite high. However, the value always depends on the system, so a value that is high on one server may be average on another.

 #netstat -n -p | grep SYN_REC | sort -u

List all IP addresses involved. 

 #netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

List all the unique IP addresses of the nodes that are sending SYN_REC connection status. 

 #netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Use netstat to count the number of connections each IP address has made to the server.

 #netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

List the number of connections each IP is making to the server over TCP or UDP.

 #netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

Check on ESTABLISHED connections instead of all connections, and display the number of connections for each IP. 

 #netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
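The per-IP counting and SYN_REC checks above, wrapped into reusable shell functions and run over a constructed netstat sample. This is an added example, not code from the original post; the sample output is made up, and the functions go one step beyond the page's `cut -d: -f1` by stripping only the trailing port, so IPv6 foreign addresses are counted correctly too.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51235        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51236        SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:55000       ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51237        SYN_RECV
udp        0      0 10.0.0.5:53             198.51.100.7:33000      ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::1:45000       ESTABLISHED'

# Count connections per foreign IP, read from stdin (same idea as the page's
# awk | cut | sort | uniq -c | sort pipeline). Only tcp/udp rows are counted,
# and only the trailing ":port" is removed, so IPv6 addresses stay intact.
# Output: "count ip", highest count first.
count_per_ip() {
  awk '$1 ~ /^(tcp|udp)/ { ip = $5; sub(/:[^:]*$/, "", ip); c[ip]++ }
       END { for (ip in c) print c[ip], ip }' | sort -nr
}

# Count half-open connections (the page's SYN_REC check; SYN_REC also matches
# the SYN_RECV spelling that netstat prints). Prints 0 when there are none.
count_syn_recv() {
  grep -c 'SYN_REC' || true
}

# Print the foreign IPs whose connection count exceeds the given threshold.
# The threshold is an assumed, per-server value; tune it to your baseline.
ips_over() {
  count_per_ip | awk -v t="$1" '$1 > t { print $2 }'
}

# Report on the sample: per-IP counts, half-open count, and IPs above 2.
printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip
echo "half-open (SYN_RECV): $(printf '%s\n' "$SAMPLE_NETSTAT" | count_syn_recv)"
echo "over threshold: $(printf '%s\n' "$SAMPLE_NETSTAT" | ips_over 2)"
```

On a live server, replace the sample with a real `netstat -ntu` pipe, for example `netstat -ntu | ips_over 50`.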
