What is a CC attack? A CC (Challenge Collapsar) attack uses a large number of proxy servers to open a large number of connections to the target machine, exhausting the target server's resources and causing a denial of service (DoS). So how can we tell whether a CC attack is under way? This article introduces some Linux commands for spotting a CC attack.
View the number of connections to port 80
netstat -nat | grep -i "80" | wc -l
Sort connected IP addresses by number of connections
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -ntu | awk '{print $5}' | egrep -o "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort | uniq -c | sort -nr
View TCP connection states
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn
netstat -n | awk '/^tcp/{print $NF}' | sort | uniq -c | sort -rn
netstat -n | awk '/^tcp/{++S[$NF]}; END {for (a in S) print a, S[a]}'
netstat -n | awk '/^tcp/{++state[$NF]}; END {for (key in state) print key, "\t", state[key]}'
netstat -n | awk '/^tcp/{++arr[$NF]}; END {for (k in arr) print k, "\t", arr[k]}'
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
View the IP addresses with the most connections to port 80
cat /www/web_logs/waitalone.cn_access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -100
tail -n 10000 /www/web_logs/waitalone.cn_access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -100
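As an added example that is not part of the original article, the script below applies the same per-IP counting pipeline (awk, sort, uniq -c, sort -nr) to an access log and reports only the clients whose request count reaches a threshold; the log lines, addresses and threshold are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article. Reads access-log lines on
# stdin (first field = client IP), counts requests per IP and flags the
# heavy hitters. Sample data below is constructed, not real traffic.

# Per-IP request counts, highest first, normalised to "<count> <ip>".
count_by_ip() {
    awk '{print $1}' | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# Keep only IPs whose count is >= the threshold given as $1.
# Output: "<ip> <count>", one per line, highest count first.
flag_heavy_clients() {
    count_by_ip | awk -v limit="$1" '$1 >= limit {print $2, $1}'
}

# Constructed sample in combined log format (documentation IP ranges).
sample_log() {
    cat <<'EOF'
203.0.113.10 - - [01/Jan/2024:00:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.10 - - [01/Jan/2024:00:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.10 - - [01/Jan/2024:00:00:02 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:00:00:02 +0000] "GET /about.html HTTP/1.1" 200 1024
203.0.113.10 - - [01/Jan/2024:00:00:02 +0000] "GET /index.php HTTP/1.1" 200 512
192.0.2.44 - - [01/Jan/2024:00:00:03 +0000] "GET /index.php HTTP/1.1" 200 512
192.0.2.44 - - [01/Jan/2024:00:00:03 +0000] "GET /index.php HTTP/1.1" 200 512
EOF
}

# With a threshold of 3 only 203.0.113.10 (4 requests) is reported.
sample_log | flag_heavy_clients 3
```

On a real server replace sample_log with tail -n 10000 on the access log, and tune the threshold to the site's normal per-client request rate before acting on the list.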
netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20
netstat -ant | awk '/:80/{split($5,ip,":"); ++A[ip[1]]} END {for (i in A) print A[i], i}' | sort -rn | head -n20
Use tcpdump to sample traffic to port 80 and count packets per source address.
tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20
Find the addresses with the most TIME_WAIT connections
netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20
Find the addresses with the most SYN connections
netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
Common iptables commands for blocking IP ranges in Linux:
To block a single IP address:
iptables -I INPUT -s 211.1.0.0 -j DROP
To block /16 ranges:
iptables -I INPUT -s 211.1.0.0/16 -j DROP
iptables -I INPUT -s 211.2.0.0/16 -j DROP
iptables -I INPUT -s 211.3.0.0/16 -j DROP
To block a whole /8:
iptables -I INPUT -s 211.0.0.0/8 -j DROP
To block several /24 ranges:
iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP
There are three ways to make the rules take effect automatically when the server boots:
1. Add the commands to /etc/rc.local.
2. iptables-save > /etc/sysconfig/iptables writes your current iptables rules to /etc/sysconfig/iptables, which is loaded automatically when the iptables service starts.
3. service iptables save also writes your current iptables rules to /etc/sysconfig/iptables, and the system loads them when iptables starts.
The last two are better: the iptables service is generally started before the network service, so the rules are in place before the interfaces come up, which is safer.
To unblock an address, delete the rule with the same match and target as the one that was added (the rules above use -j DROP):
iptables -D INPUT -s <IP address> -j DROP
iptables -F clears all rules in the filter table