Server slowness can have many causes, such as incorrect configuration, badly written scripts, and weak hardware. Sometimes, however, it is caused by a flood attack on your server, that is, a DoS or DDoS attack.
DoS and DDoS attacks try to make a machine or network resource unavailable. The targets are usually sites or services hosted on high-profile web servers, such as banks, credit card payment gateways, and even root name servers. A DoS attack typically forces the target to reset or exhausts its resources so that it can no longer provide its service, or otherwise obstructs access by its users and visitors.
This short article shows how to use the netstat command in a terminal to check whether your server is under attack.
Examples and explanations
netstat -na
Displays all active network connections to the server.

netstat -an | grep :80 | sort
Displays only the active network connections to port 80 and sorts the result. Port 80 is the HTTP port, so this is useful on web servers.

netstat -n -p | grep SYN_REC | wc -l
Counts the connections in the SYN_REC (half-open) state on the server. This number should be very low, preferably under 5; during a DoS attack or an email bomb it can be very high. The normal value depends on the system, however, so a count that is high on one server may be normal on another.

netstat -n -p | grep SYN_REC | sort -u
Lists all of the IP addresses involved instead of only the count.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
Lists the distinct IP addresses of the nodes whose connections are in the SYN_REC state.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Uses netstat to count the number of connections from each IP address to the server.

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Lists the number of TCP and UDP connections to the server per IP address.

netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
Checks only ESTABLISHED connections instead of all connections, giving the number of connections from each IP address.

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
Shows the IP addresses connected to port 80 together with their connection counts; port 80 is used for HTTP.
How to mitigate DDoS attacks
When you have identified the IP address that is attacking your server, you can use the following command to drop its connections:

iptables -I INPUT 1 -s $IPADDRESS -j DROP

Use -j REJECT instead of -j DROP if you prefer to send a rejection back to the source. The -I INPUT 1 form inserts the rule at the top of the INPUT chain so it takes effect before any earlier ACCEPT rules.

Note that you must replace $IPADDRESS with the IP address you found using the netstat commands above.
After running the command above, use the following commands to kill all httpd connections, clean up the system, and restart the httpd service:

killall -KILL httpd
service httpd start            # for Red Hat systems
/etc/init.d/apache2 restart    # for Debian-based systems
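The two steps of the article, counting connections per remote IP from netstat output and then building the iptables block rule, combined into one script. This is an added example, not code from the original article: the netstat sample is constructed (documentation address ranges, not real hosts), and the function names, the threshold, and the DRY_RUN switch are all assumptions made here. The block rule is only printed unless DRY_RUN is set to 0, and an address is refused unless it is a valid dotted-quad IPv4, so a garbled netstat field can never reach iptables.

```shell
#!/bin/sh
# Added example, not from the original article. Parses a constructed netstat
# sample with the article's awk|cut|sort|uniq -c pipeline, then generates
# (dry-run) the iptables rule from the mitigation section for heavy talkers.

# Constructed sample mimicking `netstat -ntu` output on Linux.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:55000        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51237      SYN_RECV
udp        0      0 10.0.0.5:53             203.0.113.9:5353        ESTABLISHED'

# Connections per remote IP, most first (the article's pipeline).
# $1 = netstat output, $2 = optional state filter (ESTAB, SYN_REC, ...);
# an empty $2 keeps every tcp/udp line.
count_by_ip() {
    printf '%s\n' "$1" | grep -E '^(tcp|udp)' | grep -E "${2:-.}" \
        | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
}

# Half-open connections; the article treats anything above about 5 as suspicious.
syn_recv_count() {
    printf '%s\n' "$1" | grep -c SYN_REC
}

# Remote IPs holding at least $2 connections, one per line.
ips_over_threshold() {
    count_by_ip "$1" "" | awk -v t="$2" '$1 >= t {print $2}'
}

# Accept only a dotted-quad IPv4 address with every octet <= 255.
# Returns 0 when valid, 1 otherwise.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s' "$1" | tr '.' '\n' | awk '$1 > 255 {bad=1} END {exit bad}'
}

# Build the block rule for one address. With DRY_RUN=1 (the default here,
# an assumption of this example) the command is printed, not executed.
# -I INPUT 1 puts the rule first so it precedes any earlier ACCEPT rules.
block_rule() {
    is_ipv4 "$1" || { echo "skipping invalid address: $1" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$1"
    else
        iptables -I INPUT 1 -s "$1" -j DROP
    fi
}

# Demo over the constructed sample: report, then emit rules for heavy talkers.
echo "half-open (SYN_RECV) connections: $(syn_recv_count "$SAMPLE_NETSTAT")"
count_by_ip "$SAMPLE_NETSTAT" ESTAB
for ip in $(ips_over_threshold "$SAMPLE_NETSTAT" 3); do
    block_rule "$ip"
done
```

On a live system replace SAMPLE_NETSTAT with "$(netstat -ntu)" and review the printed rules before running with DRY_RUN=0; the threshold of 3 is only sensible for the tiny sample, and a real server needs a baseline of its normal per-IP connection counts before any address is dropped.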