How to check whether a Linux server is under DDOS Attack

How to check whether a Linux server is under DDOS Attack

Address: http://www.phpthinking.com/archives/427

Log on to your server and run the following command as the root user to check whether your server is under DDOS Attack:
Netstat-anp | grep 'tcp \ | udp' | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-n
This command displays the list of the maximum number of IP addresses that have been logged on to the server.

DDOS becomes more complex, because when attackers use fewer connections and more IP addresses to attack servers, you get fewer connections, even if your server is attacked. It is important to check the active connection information of your server and execute the following command:
Netstat-n | grep: 80 | wc-l
The above command will show all the active connections that open your server.

You can also use the following command:
Netstat-n | grep: 80 | grep SYN | wc-l
The results of the valid connection from the First Command will be different, but if it shows that the connection exceeds 500, then there will certainly be a problem.

If the result of the second command is 100 or above, the server may be attacked synchronously.

Once you get a list of IP addresses that attack your server, you can easily block it.

The command below is homogeneous to block IP addresses or any other specific IP addresses:

Route add ipaddress reject

Once you organize access from a specific IP address on the server, you can check that the bean curd blocking is effective.

Run the following command:

Route-n | grep IPaddress

You can also use the following command to block a specified IP address using iptables.

Iptables-a input 1-s IPADRESS-j DROP/REJECT

Service iptables restart

Service iptables save

After the preceding command is executed, stop the httpd connection and restart the httpd service.

Run the following command:

Killall-KILL httpd

Service httpd startssl