Measure the test taker's knowledge about the CC attack netstat command.

View the number of connections on all port 80
Copy codeThe Code is as follows: netstat-nat | grep-I "80" | wc-l

Sort connected IP addresses by number of connections
Copy codeThe Code is as follows: netstat-ntu | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-n

View TCP connection status
Copy codeThe Code is as follows: netstat-nat | awk '{print $6}' | sort | uniq-c | sort-rn
Netstat-n | awk '/^ tcp/{++ S [$ NF]}; END {for (a in S) print a, S [a]}'
Netstat-n | awk '/^ tcp/{++ state [$ NF]}; END {for (key in state) print key, "\ t ", state [key]}'
Netstat-n | awk '/^ tcp/{++ arr [$ NF]}; END {for (k in arr) print k, "\ t ", arr [k]}'
Netstat-n | awk '/^ tcp/{print $ NF}' | sort | uniq-c | sort-rn
Netstat-ant | awk '{print $ NF}' | grep-v '[a-z]' | sort | uniq-c

View the 20 IP addresses with the maximum number of connections on port 80
Copy codeThe Code is as follows: netstat-anlp | grep 80 | grep tcp | awk '{print $5}' | awk-F: '{print $1}' | sort | uniq-c | sort-nr | head-n20
Netstat-ant | awk '/: 80/{split ($5, ip ,":"); + A [ip [1]} END {for (I in A) print A, I} '| sort-rn | head-n20

Use tcpdump to sniff access to port 80.
Copy codeThe Code is as follows: tcpdump-I eth0-tnn dst port 80-c 1000 | awk-F ". "'{print $1 ″. "$2 ″. "$3 ″. "$4} '| sort | uniq-c | sort-nr | head-20

Find more time_wait connections Copy codeThe Code is as follows: netstat-n | grep TIME_WAIT | awk '{print $5}' | sort | uniq-c | sort-rn | head-n20

Search for many SYN connections
Copy codeThe Code is as follows: netstat-an | grep SYN | awk '{print $5}' | awk-F: '{print $1}' | sort | uniq-c | sort-nr | more