DDoS (Distributed Denial of Service) attacks overload a computer system or network so that it can no longer provide its service or has to stop operating. In a DDoS attack, the server's service is "flooded" by a stream of requests arriving over a huge number of connections.
When the volume of requests becomes too great, the server is overloaded and can no longer handle them. Consequently, users cannot reach the services on the site under DDoS attack.
Here are some basic commands to check the server in this situation.
- Count the number of connections on port 80:
netstat -n | grep :80 | wc -l
- Check the number of connections in SYN_RECV state:
netstat -n | grep :80 | grep SYN_RECV | wc -l
- Display all connected IPs and the number of connections from each IP:
netstat -an | grep :80 | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -rn
- To check which IPs have opened many SYN connections, add a grep for SYN:
netstat -an | grep :80 | grep SYN | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -rn
- For servers with multiple IPs, to check which local IP is under attack (column 4 is the local address):
netstat -plan | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c
- Display all connected IPs and the number of connections from each IP, stripping the ::ffff: prefix that netstat shows for IPv4 clients on a dual-stack socket:
netstat -an | grep ':80' | awk '{print $5}' | sed 's/::ffff://' | cut -d":" -f1 | sort | uniq -c
- Display the number of connections in each TCP state (column 6); a large SYN_RECV count relative to ESTABLISHED is a typical sign of a SYN flood:
netstat -an | grep :80 | awk '{print $6}' | sort | uniq -c
61 ESTABLISHED
13 FIN_WAIT1
17 FIN_WAIT2
1 LISTEN
25 SYN_RECV
298 TIME_WAIT
- Continuously refresh the two listings above (connections per IP, and connections per state) with watch; the $ signs must be escaped so the outer shell does not expand them:
watch "netstat -an | grep ':80' | awk '{print \$5}' | sed 's/::ffff://' | cut -d \":\" -f1 | sort | uniq -c"
watch "netstat -an | grep :80 | awk '{print \$6}' | sort | uniq -c"
Once you detect an IP behaving unusually, you can use CSF to block that IP.
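The checks above as a single script, added here as an example and not part of the original post: it runs the per-state and per-IP counts over constructed sample netstat output so it can be tried offline. It refines the page's pipelines in two ways: only connections whose local side is port 80 are counted (a bare grep for ":80" also matches outbound connections to a remote port 80, and the LISTEN row), and the remote port is stripped by removing the last ":port" rather than with cut -d: -f1, so real IPv6 client addresses are counted correctly.

```shell
#!/bin/sh
# Constructed sample of "netstat -an" output (not captured from a real host):
# column 4 is the local address, column 5 the remote address, column 6 the state.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51235        SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.10:51236        SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.9:2000 SYN_RECV
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.9:2001 TIME_WAIT
tcp        0      0 10.0.0.5:22             192.0.2.10:51300        ESTABLISHED'

# Keep only connections whose LOCAL side is port 80, and drop the LISTEN row.
# Replace "$SAMPLE_NETSTAT" with "$(netstat -an)" to run against a live host.
port80_conns() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk '$4 ~ /:80$/ && $6 != "LISTEN"'
}

# Number of port-80 connections in one TCP state, e.g. count_state SYN_RECV.
count_state() {
    port80_conns | awk -v st="$1" '$6 == st' | wc -l | tr -d ' '
}

# Per-state breakdown, like the page's "print $6 | sort | uniq -c" listing.
by_state() {
    port80_conns | awk '{print $6}' | sort | uniq -c | awk '{print $1, $2}'
}

# Remote IPs ranked by connection count. Strips the ::ffff: prefix of
# IPv4-mapped addresses, then removes the trailing :port (works for IPv6 too).
# An optional first argument restricts the ranking to one state, e.g. SYN_RECV.
by_remote_ip() {
    port80_conns | awk -v st="$1" 'st == "" || $6 == st {
        ip = $5; sub(/^::ffff:/, "", ip); sub(/:[^:]*$/, "", ip); print ip }' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

echo "connections per state:";      by_state
echo "top remote IPs (all):";       by_remote_ip
echo "top remote IPs (SYN_RECV):";  by_remote_ip SYN_RECV
```

On the sample data the SYN_RECV ranking puts 192.0.2.10 first with two half-open connections, which is the kind of row you would then feed to CSF.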