I believe everyone is familiar with the netstat command, and this is the main use of the command. The DDoS Deflate tool found online counts the number of external connections per IP address, then combines that with iptables to build an IP blacklist and to unblock an IP. The command it uses is:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
This command has obvious deficiencies: it does not filter out local connections from 127.0.0.1, the any-address marker 0.0.0.0, or empty fields, and it does not remove the two header lines from the netstat output. The output should also be in descending order.
My own version:
netstat -ant | sed '1,2d' | awk '{print $5}' | cut -d: -f1 | awk '{if ($1 != "0.0.0.0" && $1 != "" && $1 != "127.0.0.1") {print $1}}' | sort | uniq -c | sort -nr
The output is:
2 173.194.72.95
1 98.254.64.168
1 91.189.89.144
1 91.122.59.53
1 82.208.89.58
1 81.7.14.114
1 70.112.226.65
1 180.76.22.33
1 143.215.130.46
1 126.107.72.9
1 117.79.93.218
Set a threshold value. If at some moment the total number of external connections from an address IP1 exceeds this value, add (IP1, starttime) to the blacklist, then run: iptables -t filter -A INPUT -s IP1 -j DROP
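The threshold-and-blacklist step described above, as an added example that is not from the original post or from DDoS Deflate. The netstat sample is constructed, the function names and THRESHOLD value are assumptions, and the iptables rule is only printed, never executed.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation-range addresses).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          127.0.0.1:40112         ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51002       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51003       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.23:40000     ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.23:40001     TIME_WAIT
tcp        0      0 192.0.2.10:443          203.0.113.70:33000      ESTABLISHED
EOF
}

# stdin: netstat -ant output; stdout: "count ip" lines, highest count first.
count_foreign_ips() {
    awk 'NR > 2 {
             ip = $5
             sub(/:[0-9*]+$/, "", ip)        # drop the trailing :port
             if (ip != "" && ip != "0.0.0.0" && ip != "127.0.0.1") n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# $1 = threshold, $2 = start time (epoch seconds); stdin: "count ip" lines.
# Prints one blacklist record and the matching iptables rule per offender.
# Dry run: the rules are printed, never executed.
blacklist_plan() {
    awk -v limit="$1" -v start="$2" '$1 > limit {
        printf "blacklist (%s,%s)\n", $2, start
        printf "iptables -t filter -A INPUT -s %s -j DROP\n", $2
    }'
}

# THRESHOLD is a hypothetical value; on a live host replace sample_netstat
# with `netstat -ant`.
THRESHOLD=2
sample_netstat | count_foreign_ips | blacklist_plan "$THRESHOLD" "$(date +%s)"
```

Recording starttime next to each address is what lets a later pass remove the rule once the block period has expired.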
Linux: monitoring external IP connections at a given moment