# Show all active network connections to the server
netstat -na
# Show only active connections on port 80 (HTTP, so the useful one for web servers), sorted; this makes a single IP that is flooding the server with many connections stand out
netstat -an | grep :80 | sort
# Count connections in SYN_RECV (half-open) state. This number should be very low, preferably under 5; during a DoS attack or mail bomb it can be very high. The threshold depends on the system, so a high value may also be split evenly across other servers.
netstat -n -p | grep SYN_REC | wc -l
# List every entry in SYN_RECV state, not just the count
netstat -n -p | grep SYN_REC | sort -u
# List the distinct IP addresses that are sending connections left in SYN_RECV state
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
# Count connections to the server per IP address
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
# Count TCP and UDP connections to the server per IP address (grep -E is needed for the | alternation)
netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
# Check ESTABLISHED connections only, rather than all connections, giving the connection count per IP
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
# Show the IP addresses connected to port 80 (HTTP) together with their connection counts
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk1
Commands for identifying a CC (HTTP flood) attack
For CC attack mitigation, HttpGuard is recommended.
# Count all connections on port 80
netstat -nat | grep -i ":80" | wc -l
# Sort connected IPs by number of connections
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
# View the distribution of TCP connection states (several equivalent forms)
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn
netstat -n | awk '/^tcp/ {++S[$NF]}; END {for (a in S) print a, S[a]}'
netstat -n | awk '/^tcp/ {++state[$NF]}; END {for (key in state) print key, "\t", state[key]}'
netstat -n | awk '/^tcp/ {++arr[$NF]}; END {for (k in arr) print k, "\t", arr[k]}'
netstat -n | awk '/^tcp/ {print $NF}' | sort | uniq -c | sort -rn
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
# Top 20 IPs by number of connections to port 80
netstat -anlp | grep :80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20
netstat -ant | awk '/:80/ {split($5, ip, ":"); ++A[ip[1]]} END {for (i in A) print A[i], i}' | sort -rn | head -n20
# Sniff port 80 with tcpdump to see which source IPs are at the top (the packet count and head length were lost in the original; 1000 and 20 below are placeholders)
tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -n20
# Find IPs with many TIME_WAIT connections
netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20
# Find IPs with many SYN connections
netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
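The one-liners above all do the same two things: count connections by state (to spot a pile of half-open SYN_RECV entries) and count connections by remote IP (to spot one source behind most of them). The script below is an added example, not part of the original page, that performs those aggregations with awk over a constructed netstat sample (the sample text, the function names and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are all assumptions chosen for illustration), so it can be run and checked without a live server or root:

```shell
#!/bin/sh
# Added example (not from the original page): the per-state and per-IP
# aggregation the netstat one-liners perform, applied to a constructed
# sample so it runs offline. Columns follow `netstat -ntu` / `netstat -an`:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51238       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51239       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:40002      ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.33:55000        TIME_WAIT
udp        0      0 10.0.0.5:53             192.0.2.33:55001'

# Count tcp rows whose State column equals $2 (e.g. SYN_RECV). Matching on
# $NF rather than grepping the whole line means a state name that happens
# to appear elsewhere in a row cannot inflate the count.
count_state() {
    printf '%s\n' "$1" | awk -v st="$2" '/^tcp/ && $NF == st {n++} END {print n+0}'
}

# Connections per remote IP to local port $2, highest first: the equivalent of
# `grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr`.
# Splitting on ":" assumes IPv4 addresses, exactly as the page's cut -d: does.
top_ips_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^(tcp|udp)/ {
            split($4, l, ":"); split($5, r, ":")
            if (l[2] == port) cnt[r[1]]++
        }
        END { for (ip in cnt) printf "%d %s\n", cnt[ip], ip }' | sort -rn
}

# Apply the rule of thumb stated above: SYN_RECV should stay under 5.
syn_verdict() {
    n=$(count_state "$1" SYN_RECV)
    if [ "$n" -ge 5 ]; then echo "ALERT: $n SYN_RECV"; else echo "OK: $n SYN_RECV"; fi
}

# Stand-alone run over the constructed sample
count_state "$SAMPLE" SYN_RECV
top_ips_for_port "$SAMPLE" 80
syn_verdict "$SAMPLE"
```

To use it against a live host, replace `SAMPLE` with `$(netstat -ntu)`; on distributions where net-tools is no longer installed, `ss -tan` prints the same column layout (with the state in the first column, so adjust the awk field). The IPv4-only split on `:` is shared with the page's `cut -d: -f1` one-liners and will mis-parse IPv6 peers.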
Linux DDoS detection