Using the netstat command on Linux to check for DDoS attacks

Source: Internet, anonymous. Time: 07-05 15:10:21

This article introduces how to use the netstat command on a Linux system to look for signs of a DDoS attack, which is very important for network security. Readers who need it can refer to the following.

The specific netstat commands for checking for a DDoS attack on a Linux system are as follows:
The code is as follows:

    netstat -na

Shows all active network connections to the server.

The code is as follows:

    netstat -an | grep :80 | sort

Shows only active network connections on port 80, the HTTP port, and sorts the results. This is useful for web servers: it helps you pick out a single IP address that is launching a flood from among many connections.
The code is as follows:

    netstat -n -p | grep SYN_REC | wc -l

This command is useful for counting active SYN_REC connections on the server (netstat on Linux prints this state as SYN_RECV, which the pattern matches). The number should be very low, preferably less than 5.
In DoS attacks and mail bombs, this number can be very high. However, the value always depends on the system, so a value that is high on one server may be average on another.
The code is as follows:

    netstat -n -p | grep SYN_REC | sort -u

Lists all the IP addresses involved, not just the count.

The code is as follows:

    netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

Lists all the distinct IP addresses of the nodes that are sending connections in the SYN_REC state.
The code is as follows:

    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Uses the netstat command to calculate the number of connections each IP address has made to the server.

The code is as follows:

    netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Lists the number of connections to the server per IP address using TCP and UDP. The `-E` option is needed so that grep treats `|` as alternation rather than a literal character.
The code is as follows:

    netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

Checks ESTABLISHED connections only, rather than all connections, and shows the number of connections per IP address.

The code is as follows:

    netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1

Displays the IP addresses connected to port 80 and the number of connections from each. 80 is used as an HTTP
How to mitigate DDoS attacks
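When you find the IP address that is attacking your server, you can use the following command to close its connections:

The code is as follows:

    iptables -I INPUT 1 -s $IPADRESS -j DROP

Please note that you must replace $IPADRESS with the IP address you found using the netstat command. The rule is inserted at position 1 with `-I`, because `-A` (append) does not accept a rule number. Use REJECT instead of DROP as the target if you prefer.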