Checking for CC Attacks on Linux

Source: Internet
Author: User

What is a CC attack?

A CC attack uses a large number of proxy servers to open a large number of connections to a target computer, exhausting the target server's resources and causing a denial of service. So how do you tell whether a server is under a CC attack?

This article introduces some Linux commands for identifying CC attacks.

Count all connections on port 80

netstat -nat | grep -i "80" | wc -l

Sort the connected IPs by number of connections

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

netstat -ntu | awk '{print $5}' | egrep -o "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort | uniq -c | sort -nr

View TCP connection states

netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn

netstat -n | awk '/^tcp/ {print $NF}' | sort | uniq -c | sort -rn

netstat -n | awk '/^tcp/ {++S[$NF]}; END {for (a in S) print a, S[a]}'

netstat -n | awk '/^tcp/ {++state[$NF]}; END {for (key in state) print key, "\t", state[key]}'

netstat -n | awk '/^tcp/ {++arr[$NF]}; END {for (k in arr) print k, "\t", arr[k]}'

netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c

See the 20 IPs with the highest number of port 80 connections

cat /www/web_logs/waitalone.cn_access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -100

tail -n 10000 /www/web_logs/waitalone.cn_access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -100

netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20

netstat -ant | awk '/:80/ {split($5, ip, ":"); ++A[ip[1]]} END {for (i in A) print A[i], i}' | sort -rn | head -n20
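The per-IP count above, as an added example that is not part of the original article: it matches the local port exactly (a plain grep for 80 also matches 8080 or any address containing "80"), skips LISTEN sockets, and folds IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), which splitting on the first colon mishandles. The function names, the threshold argument and the sample netstat lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: count port-80 connections per remote IP from `netstat -ant`
# output read on stdin, and print the IPs at or above a threshold.

# Constructed sample of `netstat -ant` output (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51515      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51516      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40000       TIME_WAIT
tcp        0      0 192.0.2.10:8080         203.0.113.9:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.50:50022      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51517 ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
EOF
}

# top_port80_sources THRESHOLD: prints "count ip" lines, highest count first.
top_port80_sources() {
  awk -v min="$1" '
    /^tcp/ && $6 != "LISTEN" {
      # Match the local port exactly: the text after the last colon.
      lport = $4; sub(/.*:/, "", lport)
      if (lport != "80") next
      ip = $5
      sub(/:[0-9]+$/, "", ip)   # drop the remote port
      sub(/^::ffff:/, "", ip)   # fold IPv4-mapped IPv6 into the IPv4 address
      n[ip]++
    }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Run on the constructed sample; on a live host use:
#   netstat -ant | top_port80_sources 100
sample_netstat | top_port80_sources 2
```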

Sniff port 80 traffic with tcpdump to see which source sends the most packets

tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20

Find the IPs with the most TIME_WAIT connections

netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20

Find the IPs with the most SYN connections

netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more

Some common iptables commands for blocking IPs and IP ranges under Linux:

The command to block a single IP is:

iptables -I INPUT -s 211.1.0.0 -j DROP

The commands to block an IP range are:

iptables -I INPUT -s 211.1.0.0/16 -j DROP

iptables -I INPUT -s 211.2.0.0/16 -j DROP

iptables -I INPUT -s 211.3.0.0/16 -j DROP

The command to block an entire /8 range is:

iptables -I INPUT -s 211.0.0.0/8 -j DROP

The commands to block several ranges are:

iptables -I INPUT -s 61.37.80.0/24 -j DROP

iptables -I INPUT -s 61.37.81.0/24 -j DROP

There are three ways to have the rules applied automatically when the server boots:

1. Add the commands to /etc/rc.local

2. iptables-save > /etc/sysconfig/iptables writes your current iptables rules to /etc/sysconfig/iptables, and they are applied automatically when the system starts iptables.

3. service iptables save also writes your current iptables rules to /etc/sysconfig/iptables, and they are applied automatically when the system starts iptables.

The latter two are better: the iptables service generally starts before the network service, which is more secure.

To unblock an address:

iptables -D INPUT -s <IP address> -j REJECT

The rule specification has to match the rule as it was added, so a rule added with -j DROP is deleted with -j DROP.

iptables -F clears all rules.
