How to Use the netstat command on Linux to verify DDOS attacks

Server slowness may be caused by many events, such as incorrect configurations, scripts, and poor hardware. But sometimes it may be caused by a flood attack on your server using DOS or DDOS.
DOS attacks or DDOS attacks are attacks that try to make machines or network resources unavailable. The attack target websites or services are usually hosted on Anti-DDoS servers such as banks, credit card payment network management, and even root domain servers. DOS attacks usually force the target to restart the computer or consume resources, so that they no longer provide services or impede access by users and visitors.
In this small article, you can know how to use the netstat command in the terminal to check your server after being attacked.
 
Examples and explanations
1. netstat-na
2. Display All Active Network Connections connected to the server
3. netstat-an | grep: 80 | sort
4. only active network connections connected to port 80 and port 80 are displayed, which is very useful for web servers and sorting the results. it is useful for finding a single flood attack IP address from many connections.
5. netstat-n-p | grep SYN_REC | wc-l
6. This command is very useful for finding active SYNC_REC on the server. The number should be very low, preferably less than 5.
7. In dos attacks and email bombs, this number may be very high. However, the value is usually dependent on the system, so the high value may be evenly distributed to another server.
8. netstat-n-p | grep SYN_REC | sort-u
9. list all included IP addresses, not just count.
10. netstat-n-p | grep SYN_REC | awk '{print $5}' | awk-F: '{print $1 }'
11. List the connection status of SYN_REC sent by all different IP address nodes
12. netstat-ntu | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-n
13. Run the netstat command to calculate the number of connections from each IP address to the server.
14. netstat-anp | grep 'tcp | udp' | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-n
15. List the number of tcp and udp connections to the server
16. netstat-ntu | grep ESTAB | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-nr
17. Check the ESTABLISHED connection instead of all connections, which can be the number of connections per ip address.
18. netstat-plan | grep: 80 | awk {'print $ 5'} | cut-d:-f 1 | sort | uniq-c | sort-nk 1
19. Display and list the IP addresses and connections to port 80. 80 is used as HTTP
How to mitigate DDOS attacks
When you find that the IP address of your server is attacked, you can use the following command to close their connection:
1. iptables-a input 1-s $ IPADRESS-j DROP/REJECT


 
Please note that you must replace $ IPADRESS with the number of IP addresses you have found using the netstat command.
After completing the preceding commands, use the following command to kill all httpd connections, clear your system, and restart the httpd service.

           killall -KILL httpd                      service httpd start           #For Red Hat systems           /etc/init/d/apache2 restart   #For Debian systems

 

By the evil Red Information Security Organization (OWL)