Use the netstat command on CentOS to check for DDoS attacks

Source: Internet
Author: User

Server slowness can have many causes, such as misconfiguration, badly behaved scripts, and undersized hardware. Sometimes, though, it is caused by a flood of traffic aimed at your server: a DoS or DDoS attack.

A DoS (denial-of-service) or DDoS (distributed denial-of-service) attack tries to make a machine or network resource unavailable to its legitimate users. Typical targets are websites and services hosted on high-profile servers, such as banks, credit card payment gateways, and even the root nameservers. A DoS attack usually works either by forcing the target to reset, or by consuming its resources (connection table entries, bandwidth, CPU) so that it can no longer serve its users, or by obstructing the communication path between the service and its visitors.

In this short article you will learn how to use the netstat command in the terminal to check whether your server is under attack.

Examples and explanations

netstat -na
Displays every active network connection to the server.

netstat -an | grep ':80 ' | sort
Displays only the active connections to port 80, sorted. Port 80 is the HTTP port, so this is the view that matters on a web server. Match ':80 ' with the trailing space (or anchor the pattern) rather than a bare ':80', which also matches ports such as 8080 and 8000.

netstat -n -p | grep SYN_REC | wc -l
Counts the connections sitting in the SYN_RECV state, that is, half-open connections where the server has answered a SYN but has not yet received the final ACK of the handshake (the pattern SYN_REC matches the SYN_RECV state as netstat prints it). On a healthy server this number should be very low, preferably under 5; during a SYN flood or a mail bomb it can be very high. What counts as high depends on the system, so a busy server may legitimately sit higher than an idle one. The -p flag (show the owning process) only reports PIDs for sockets you own unless you run it as root.

netstat -n -p | grep SYN_REC | sort -u
Lists the individual SYN_RECV connections instead of just counting them.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
Lists the remote IP address of every SYN_RECV connection, one line per connection.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Counts the connections from each remote IP address to the server. The two header lines netstat prints each contribute one stray entry, which you can ignore or skip with tail -n +3.

netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Counts TCP and UDP connections per remote IP address. Use grep -E (or egrep): a plain grep would search for the literal string 'tcp | udp' and match nothing.

netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
The same count, restricted to ESTABLISHED connections, so you see how many fully open connections each IP address holds, busiest first.

netstat -plan | grep ':80 ' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
Lists the IP addresses connected to port 80 (HTTP) together with their connection counts.

Two caveats apply to all of these pipelines. They assume IPv4 addresses: cutting on ':' picks the wrong field for IPv6 peers. And on CentOS 7 and later the net-tools package that provides netstat is not installed by default; either install it (yum install net-tools) or use ss -ntu from iproute2, checking the header first, because ss prints the peer address and state in different columns from netstat, so the awk field numbers above need adjusting.

How to mitigate DDoS attacks

When you have identified the IP address that is attacking your server, you can drop its connections with the following command:

iptables -I INPUT 1 -s $IPADDRESS -j DROP

Replace $IPADDRESS with the IP address you found using the netstat commands, and repeat for each offending address. -I INPUT 1 inserts the rule at the top of the INPUT chain so that it takes effect before any existing ACCEPT rule (-A only appends and does not accept a position). DROP silently discards the traffic; -j REJECT would work too, but it sends an error packet back for every probe, which is wasted bandwidth under a flood, so DROP is the usual choice. For a long list of addresses, put them in an ipset and match it with a single rule rather than adding hundreds of rules. Rules added this way are lost on reboot unless you save them (service iptables save on CentOS 6, iptables-save on CentOS 7). Keep in mind that a SYN flood very often uses spoofed source addresses, so the IPs you see in SYN_RECV may not belong to the attacker at all and blocking them achieves little; enable SYN cookies (sysctl -w net.ipv4.tcp_syncookies=1) and, for a genuinely distributed attack, involve your upstream provider, since filtering on the victim host cannot relieve a saturated link.

After adding the rules, you can kill all httpd processes to clear out the accumulated connections and then start the web server again:

killall -KILL httpd
service httpd start            # Red Hat / CentOS 6 (systemctl start httpd on CentOS 7)
/etc/init.d/apache2 restart    # Debian / Ubuntu

killall -KILL sends SIGKILL, so httpd gets no chance to shut down cleanly; if the server is still responsive, a plain service httpd restart (or systemctl restart httpd) achieves the same reset more gracefully.
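As an added, runnable illustration of the two procedures above (this is example code, not from the original article): it turns the counting pipelines from the netstat section and the iptables step from the mitigation section into shell functions that can be exercised on constructed input. The netstat text, the addresses, the threshold of 3 and the allowlist entry are all made up for the example; the iptables rules are only printed unless APPLY=1 is set.

```shell
#!/bin/bash
# Added example, not part of the original article. It reproduces the
# counting pipelines from the netstat section and the iptables step from the
# mitigation section as functions, so the logic can be tested on constructed
# input without touching a live server. Limitations: IPv4 only (the colon
# split breaks on IPv6), and netstat's column layout (peer address in $5,
# state in $6) is assumed; ss prints these in different columns.

# Constructed sample of `netstat -ntu` output. 203.0.113.7 is a source
# flooding port 80 with half-open connections; 198.51.100.20 stands in for
# a load balancer health checker that must never be blocked.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.20:40001     ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.20:40002     ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.20:40003     ESTABLISHED
tcp        0      0 10.0.0.5:8080           192.0.2.9:33000         ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:55000        ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.9:40000'

# count_per_ip [LOCAL_PORT] [STATE]
# Reads netstat output on stdin and prints "count ip", busiest first.
# Equivalent to: awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
# with two fixes: header lines are skipped instead of counted, and the port
# filter is anchored so that ":80" does not also match ":8080".
count_per_ip() {
    local port="${1:-}" state="${2:-}"
    awk -v port="$port" -v state="$state" '
        $1 !~ /^(tcp|udp)6?$/                 { next }  # skip netstat header lines
        port  != "" && $4 !~ (":" port "$")   { next }  # exact local port match
        state != "" && $6 != state            { next }  # e.g. SYN_RECV or ESTABLISHED
        { split($5, addr, ":"); seen[addr[1]]++ }
        END { for (ip in seen) print seen[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# flood_suspects THRESHOLD [ALLOWLIST]
# Prints the remote IPs holding at least THRESHOLD connections, excluding the
# space-separated ALLOWLIST (monitoring hosts, load balancers, your own VPN).
flood_suspects() {
    local threshold="$1" allowlist=" ${2:-} "
    count_per_ip | awk -v t="$threshold" -v allow="$allowlist" '
        $1 >= t && index(allow, " " $2 " ") == 0 { print $2 }'
}

# block_rules
# Turns IPs on stdin into iptables rules. -I INPUT 1 puts each rule at the top
# of the INPUT chain so it wins over existing ACCEPT rules; DROP rather than
# REJECT so the server sends nothing back to the flooder. Rules are only
# printed unless APPLY=1 is set (applying needs root), and they do not
# survive a reboot unless saved with iptables-save.
block_rules() {
    local ip
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        if [ "${APPLY:-0}" = "1" ]; then
            iptables -I INPUT 1 -s "$ip" -j DROP
        else
            printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$ip"
        fi
    done
}

# Demonstration on the constructed sample (on a live server, feed `netstat -ntu |` instead).
echo "== connections per remote IP =="
printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip
echo "== half-open connections to port 80 per remote IP =="
printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip 80 SYN_RECV
echo "== rules for sources with 3 or more connections, allowlisting the health checker =="
printf '%s\n' "$SAMPLE_NETSTAT" | flood_suspects 3 "198.51.100.20" | block_rules
```

Run it as is to see the counts and the single generated rule for 203.0.113.7; the health checker is over the threshold too but is skipped because it is allowlisted. The allowlist matters more than it looks: the busiest addresses on a real server are often your own load balancer, monitoring system or CDN, and a naive "block everything over N" pass would cut them off first. The spoofed-source caveat from the text still applies: if the SYN_RECV sources are forged, these rules block bystanders, and SYN cookies are the better fix.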

Contact Us

The content of this page comes from the Internet and does not represent Alibaba Cloud's opinion; the products and services mentioned on the page have no relationship with Alibaba Cloud. If the content of the page is confusing, please write to us by email and we will handle the problem within 5 days of receiving your email.
