A server that responds very slowly may be suffering from a variety of configuration errors, script errors, or strange hardware behavior. It is also possible that someone is carrying out a DoS (denial of service) or DDoS (distributed denial of service) attack against your server.
A DoS or DDoS attack is intended to exhaust server or network resources, making the service unusable for other users. In general, such attacks are primarily aimed at important websites or services, such as banks, credit card payment gateways, or even root name servers. DoS attacks work mainly by forcing the target host to restart, by consuming large amounts of its resources, or by obstructing communication between the host and its users, so that the host can no longer provide normal service.
In this article you will learn how to use the netstat command in a terminal to determine whether a server is under a DoS attack.
The netstat manual page describes the command as displaying network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
Some examples and explanations
This command displays all active network connections.
Displays all network connections on port 80, sorted. Port 80 is the HTTP port, so this can be used to monitor web services. If you see a large number of connections from the same IP address, you can conclude that it is a single-source traffic attack.
This command shows how many active SYN_RECV connections the server currently has. Normally this value is small, preferably less than 5. It becomes quite high during a DoS attack or a mail bomb. Nonetheless, the value depends heavily on the system, and on some servers a high value is normal.
Lists all connected IP addresses.
Lists the IP addresses of all nodes sending SYN_RECV connections.
Use the netstat command to calculate the number of connections per host to the local computer.
Lists the number of connections for each IP address connected to this computer over UDP or TCP.
Checks established connections and lists the number of connections per IP address.
Lists all IP addresses connected to local port 80 and their number of connections. Port 80 is typically used to process HTTP web requests.
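The per-IP connection count and the SYN_RECV count described above, as an added example that is not from the original article. The function names `conns_per_ip` and `count_state` and the sample addresses are constructed for illustration; the sample follows the column layout of `netstat -ntu` on Linux.

```shell
#!/bin/sh
# Added example, not from the original article. Addresses are constructed
# (RFC 5737 documentation ranges) in the column layout of `netstat -ntu`.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51237      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40003       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:33012       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.5:33500       ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:52000 TIME_WAIT
udp        0      0 192.0.2.10:53           198.51.100.20:40000
EOF
}

# conns_per_ip [LOCAL_PORT] [STATE]
# Reads netstat output on stdin and prints "COUNT REMOTE_IP", busiest first.
# An empty LOCAL_PORT or STATE means "do not filter on that column".
conns_per_ip() {
  awk -v port="$1" -v state="$2" '
    $1 !~ /^(tcp|udp)/                  { next }  # skip the two header lines
    port  != "" && $4 !~ (":" port "$") { next }  # local port filter
    state != "" && $6 != state          { next }  # TCP state filter
    { ip = $5; sub(/:[0-9*]+$/, "", ip)           # drop only the trailing :port
      count[ip]++ }
    END { for (ip in count) print count[ip], ip }
  ' | sort -rn
}

# count_state STATE: number of TCP sockets currently in STATE (e.g. SYN_RECV).
count_state() {
  awk -v s="$1" '$1 ~ /^tcp/ && $6 == s { n++ } END { print n + 0 }'
}

# Run against the sample; on a live host use:  netstat -ntu | conns_per_ip 80
sample_netstat | conns_per_ip 80
echo "SYN_RECV sockets: $(sample_netstat | count_state SYN_RECV)"
```

Because only the trailing `:port` is removed, IPv4-mapped IPv6 peers on `tcp6` sockets appear as their own `::ffff:` entries instead of collapsing to an empty field.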
How to mitigate DoS attacks
Once you have the IP address of the attacking server, you can use the following command to deny all connections from this IP.
Note that you need to replace $IPADRESS with the IP address whose connections you want to deny.
After executing the above command, use the following command to end all httpd connections to clean up the system.
Then execute the following command to restart the httpd service.