How to check if a Linux server is compromised by a DDoS attack

Log on to your server with the root user to execute the following command, using it you can check whether your server is in a DDoS attack or not:

NETSTAT-ANP |grep ' tcp\|udp ' | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort–n

This command displays a list of the maximum number of IPs that are logged on that are connected to the server.

DDoS becomes more complex, as attackers use fewer connections, more IP-attacking servers, and you get fewer connections, even if your server is attacked. It is important that you check the current active connection information for your server and execute the following command:

Netstat-n | Grep:80 |wc–l

The above command will show all active connections that open your server.

You can also use the following command:

Netstat-n | grep:80 | grep SYN |wc–l

The result of a valid connection from the first command will be different, but if it shows a connection greater than 500, then there will be a problem.

If the result of the second command is 100 or more, the server may be attacked synchronously.

Once you get a list of IPs attacking your server, you can easily block it.

Isomorphism the following command to block IP or any other specific IP:

Route add IPAddress Reject

Once you have organized a specific IP access on the server, you can check it to prevent tofu from being effective.

By using the following command:

Route-n |grep IPaddress

You can also block the specified IP with iptables by using the following command.

Iptables-a INPUT 1-s ipadress-j drop/reject

Service Iptables Restart

Service Iptables Save

After the above command is executed, stop the HTTPD connection and restart the httpd service.

Use the following command:

Killall-kill httpd

Service httpd Startssl

How to check if a Linux server is compromised by a DDoS attack