How to use the netstat command on Linux to verify DDOS attacks

Source: Internet
Author: User

Server slowness has many possible causes, such as misconfiguration, badly behaved scripts, and underpowered hardware. Sometimes, though, it is caused by a flood attack against your server: a DoS or DDoS.

A DoS (denial-of-service) or DDoS (distributed denial-of-service) attack tries to make a machine or network resource unavailable to its intended users. Attackers typically target sites or services hosted on high-profile servers such as banks, credit-card payment gateways, and even root name servers. A DoS attack usually works either by forcing the target to reset or by consuming its resources (connection slots, memory, bandwidth) until it can no longer serve legitimate requests, or by obstructing the path between users and the victim.

In this short article you will learn how to use the netstat command in a terminal to check a server that you suspect is under attack. netstat is part of net-tools, which many current distributions no longer install by default; ss from iproute2 reports the same sockets, but its columns are laid out differently, so adjust the awk field numbers in the pipelines below if you use it.

Examples and Explanations

netstat -na
Shows all active network connections to the server.

netstat -an | grep :80 | sort
Shows only the active connections to port 80 (HTTP), sorted. On a web server this is the quickest way to spot a single flooding IP address among many connections.

netstat -n -p | grep SYN_REC | wc -l
Counts connections in the SYN_RECV state (half-open TCP handshakes whose final ACK never arrived; "SYN_REC" is a prefix of the state name netstat prints). The number should be very low, preferably under 5. During a DoS attack or a mail bomb it can be very high. The normal value depends on the system, however, so a count that is alarming on one server may be ordinary on another. Note that -p only shows the owning process for sockets you own unless you run as root.

netstat -n -p | grep SYN_REC | sort -u
Lists the SYN_RECV connections themselves rather than just a count.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
Lists the remote IP address of every SYN_RECV connection (column 5 is the foreign address; the port after the colon is dropped).

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Counts the TCP and UDP connections to the server per remote IP address. Two caveats: the header lines netstat prints also pass through the pipeline and appear as stray entries with a count of 1, and cut -d: -f1 truncates IPv6 addresses at their first colon, so the per-address counts are only accurate for IPv4 peers.

netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Counts TCP and UDP sockets per remote address, including listening sockets (-a). The -E is required: in basic grep the | is a literal character, so grep 'tcp|udp' matches nothing.

netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
Counts only ESTABLISHED connections per remote IP address, highest count first.

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
Lists the IP addresses connected to port 80 (HTTP) together with their connection counts.
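The per-address counting done by the one-liners above, carried into a small reusable script. This is an added example, not code from the original article: the function names count_by_ip and flag_over, the threshold, and the embedded sample are assumptions of the example. It reads netstat text on stdin, so it runs offline on the constructed sample below and unchanged on a live host by piping netstat -ntu into it. It goes slightly beyond the page's pipelines in two ways: it skips netstat's header lines so they do not show up as bogus peers, and it strips the port with sed rather than cut -d: so IPv6 peers are counted correctly.

```shell
#!/bin/sh
# Added example (not from the original article): summarise netstat-style output
# per remote IP and flag addresses above a threshold. Reads the text on stdin,
# so it works on live output (netstat -ntu | count_by_ip) or a saved capture.

# Constructed sample of "netstat -ntu" output; the addresses come from the
# documentation ranges and this is not a real capture.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:40002       ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:55000     ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.4:3000          ESTABLISHED'

# count_by_ip [STATE]
# Reads netstat output and prints "COUNT IP" per remote address, highest first.
# Only tcp/tcp6/udp/udp6 rows are counted, which drops the two header lines
# that would otherwise appear as bogus entries. The optional STATE argument
# (e.g. SYN_RECV or ESTABLISHED) restricts the count to that connection state.
# The port is removed with sed (last ":digits") so IPv6 peers stay intact.
count_by_ip() {
    state="${1:-}"
    awk -v st="$state" '$1 ~ /^(tcp|udp)6?$/ && (st == "" || $6 == st) { print $5 }' \
        | sed 's/:[0-9]*$//' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# flag_over THRESHOLD
# Reads "COUNT IP" lines and prints only the IPs whose count exceeds THRESHOLD.
flag_over() {
    awk -v t="$1" '$1 > t { print $2 }'
}

# Demo on the constructed sample. On a live host replace the printf with
# "netstat -ntu" (or "ss -ntu", adjusting the awk column numbers).
echo "connections per remote IP:"
printf '%s\n' "$SAMPLE" | count_by_ip
echo "IPs with more than 2 half-open (SYN_RECV) connections:"
printf '%s\n' "$SAMPLE" | count_by_ip SYN_RECV | flag_over 2
# To block the flagged addresses (as root, and only after eyeballing the list):
#   printf '%s\n' "$SAMPLE" | count_by_ip SYN_RECV | flag_over 2 \
#     | while read -r ip; do iptables -I INPUT 1 -s "$ip" -j DROP; done
```

Run it as a script to see the demo, or source it and pipe live netstat output into count_by_ip. Keep the threshold conservative: the page's own guidance is that a normal SYN_RECV count is in the single digits, but legitimate clients behind a large NAT can easily show dozens of ESTABLISHED connections from one address.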

How to mitigate DDoS attacks

When you have identified the IP address that is flooding your server, you can drop its traffic with iptables:

iptables -I INPUT 1 -s $IPADDRESS -j DROP

Replace $IPADDRESS with the address you found with netstat. -I INPUT 1 inserts the rule at the top of the INPUT chain so it takes effect before any existing accept rule (-A would append it to the end, and -A does not take a rule number). Use -j REJECT instead of DROP if you want the client to receive a refusal rather than silence. Blocking individual addresses only helps when the traffic comes from a handful of sources; a genuinely distributed attack, or a SYN flood with spoofed source addresses, needs SYN cookies (sysctl -w net.ipv4.tcp_syncookies=1), connection-rate limiting, or filtering upstream at your provider.

After blocking the offending addresses, kill the remaining httpd worker processes to free the connections they are holding, then restart the web server. Note that killall -KILL drops any in-flight requests.

killall -KILL httpd
service httpd start           # Red Hat systems
/etc/init.d/apache2 restart   # Debian systems

By the evil Red Information Security Organization (OWL)
