May 10, 2014
Your server appearing pretty slow could be due to many things, from wrong configs, scripts and dodgy hardware, but sometimes it is because someone is flooding your server with traffic, an attack known as DoS (Denial of Service) or DDoS (Distributed Denial of Service).

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. These attacks generally target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. DoS attacks are implemented either by forcing the targeted computer to reset, by consuming its resources so that it can no longer provide its services, or by obstructing the communication media between the users and the victim so that they can no longer communicate adequately.

In this small article you'll see how to check if your server is under attack from the Linux terminal with the netstat command.

From the man page of netstat: "netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships".

Some examples, with explanations:

netstat -na

This displays all active Internet connections to the server; only established connections are included.

netstat -an | grep :80 | sort

Show only active Internet connections to the server on port 80 (the HTTP port, so this is useful if you run a web server) and sort the results. This helps in detecting a single-source flood, because it lets you recognize many connections coming from one IP.

netstat -n -p | grep SYN_REC | wc -l

This command is useful to find out how many connections in the SYN_REC state are currently on the server. The number should be pretty low, preferably less than 5. During DoS attack incidents or mail bombs, the number can jump pretty high. However, the value always depends on the system, so a value that is high on one server may be average on another.

netstat -n -p | grep SYN_REC | sort -u

List all the IP addresses involved instead of just the count.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

List all the unique IP addresses of the nodes whose connections are in the SYN_REC state.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Use netstat to count the number of connections each IP address has made to the server.

netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

List the number of connections each IP has to the server over TCP or UDP. (The alternation `tcp|udp` needs extended regular expressions, hence `grep -E`; a plain `grep 'tcp|udp'` matches nothing.)

netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

Check only ESTABLISHED connections instead of all connections, and display the connection count for each IP.

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

Show and list each IP address with its connection count for connections to port 80 on the server. Port 80 is used mainly for HTTP web page requests.

How to mitigate a DOS attack

Once you have found the IPs that are attacking your server, you can use the following command to block their connections to your server:

iptables -I INPUT 1 -s $IPADDRESS -j DROP

Please note that you have to replace $IPADDRESS with the IP address that you found with netstat (use -j REJECT instead of -j DROP if you prefer to send an error back to the sender; -I INPUT 1 inserts the rule at the top of the chain so it applies before any accept rules).
After firing the above command, KILL all httpd connections to clean your system and then restart the httpd service by
using the following commands:

killall -KILL httpd
 
service httpd start           #For Red Hat systems 
/etc/init.d/apache2 restart   #For Debian systems
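As an added example that is not part of the original article, the following POSIX shell script generalizes the netstat pipelines above and the iptables step. `top_peers` counts connections per peer from `netstat -ntu` style output, with optional state and local-port filters, and strips only the trailing `:port`, so IPv6 peers and IPv4-mapped peers (`::ffff:a.b.c.d`) are counted correctly instead of collapsing into an empty address as `cut -d: -f1` does. `block_rules` turns those counts into iptables/ip6tables commands above a threshold, skipping an allowlist, and prints them for review rather than executing them. The netstat sample, the addresses (documentation ranges) and the threshold are constructed for this example.

```shell
#!/bin/sh
# Added example, not the article's own code: robust per-peer connection
# counting over netstat output, plus review-before-apply firewall rules.

# Constructed sample in the format of `netstat -ntu` (not a real capture).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:22             198.51.100.2:40000      ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.7:51240 ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:ffff::9:43210  ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:ffff::9:43211  TIME_WAIT
udp        0      0 10.0.0.5:53             192.0.2.9:5353          ESTABLISHED
EOF
}

# top_peers [STATE_REGEX] [LOCAL_PORT]
# Reads netstat output on stdin and prints "COUNT PEER_IP", busiest first.
# Only the trailing ":port" is removed, so IPv6 and IPv4-mapped peers keep
# their address instead of becoming an empty key as with `cut -d: -f1`.
top_peers() {
    awk -v state="$1" -v port="$2" '
        $1 !~ /^(tcp|udp)6?$/ { next }             # skip headers, unix sockets
        state != "" && $6 !~ state { next }        # optional state filter
        {
            lp = $4; sub(/.*:/, "", lp)            # local port = text after last ":"
            if (port != "" && lp != port) next
            peer = $5
            sub(/:[0-9*]+$/, "", peer)             # drop the peer port
            sub(/^::ffff:/, "", peer)              # IPv4-mapped IPv6 -> plain IPv4
            count[peer]++
        }
        END { for (p in count) printf "%d %s\n", count[p], p }
    ' | sort -rn
}

# block_rules THRESHOLD "ALLOWLIST"
# Reads "COUNT IP" lines (the output of top_peers) and prints one firewall
# command per IP at or above THRESHOLD, skipping IPs in the space-separated
# ALLOWLIST (your own hosts, monitoring, ...). IPv6 peers need ip6tables;
# "-I INPUT 1" puts the rule first so it applies before any accept rules.
# Commands are printed, not executed, so they can be reviewed first.
block_rules() {
    awk -v thr="$1" -v allow=" $2 " '
        $1 + 0 >= thr + 0 && index(allow, " " $2 " ") == 0 {
            tool = ($2 ~ /:/) ? "ip6tables" : "iptables"
            printf "%s -I INPUT 1 -s %s -j DROP\n", tool, $2
        }
    '
}

echo "== connections per peer (all states) =="
sample_netstat | top_peers
echo "== established connections to local port 80 =="
sample_netstat | top_peers ESTABLISHED 80
echo "== half-open (SYN_RECV) connections =="
sample_netstat | top_peers SYN_RECV
echo "== proposed block rules (threshold 2, 198.51.100.2 allowlisted) =="
sample_netstat | top_peers | block_rules 2 "198.51.100.2"
```

On a real server, pipe `netstat -ntu` into `top_peers` in place of `sample_netstat`, compare the counts against a baseline taken while the server is healthy (as the article notes, the normal value depends on the system), and only then feed the result to `block_rules` and apply the printed commands.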



13 Responses to "How to verify DDOS attack with netstat command on Linux Terminal"

  1. Really? *Face Palm*

  2. Small typo in your restart command for Debian-based systems:

    /etc/init/d/apache2 restart #For Debian systems

    Should read:

    /etc/init.d/apache2 restart #For Debian systems

  3. netstat -anp |grep 'tcp|udp'
    on ubuntu needs to be:
    netstat -anp |grep 'tcp\|udp'

  4. Add a null route in Linux via bencane.com

    How to add a null route
    In our example we are receiving unwanted SSH login attempts from 192.168.0.195

    root@server:~# netstat -na | grep :22
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
    tcp 0 0 192.168.0.197:22 192.168.0.195:57776 ESTABLISHED
    To add the null route we will use the ip command

    root@server:~# ip route add blackhole 192.168.0.195/32
    To verify the route is in place we will use ip route show

    root@server:~# ip route show
    default via 192.168.0.1 dev eth0 metric 100
    blackhole 192.168.0.195

  5. What do I do if it’s a DDoS? How do I stop them from taking down my server? I’m currently under DDoS, and being hit by over a thousand different IPs. My server normally has several hundred IPs connected simultaneously, so how do I tell which are part of the DDoS and which are real?

    • if your
      netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

      shows one or more IPs with more than 20 connections, and if you run the same command again and the same IPs have more connections..
      These IPs are the ones attacking you ..
      you can use this script:

      wget http://www.inetbase.com/scripts/ddos/install.sh
      chmod 0700 install.sh
      ./install.sh

  6. How do I decide which IP is attacking the server?

  7. netstat -anp |grep 'tcp|udp' in CentOS this command is not working; replace grep with egrep.

  8. Iptables doesn't work well with CloudFlare. Have you tried installing vDDoS Protection Reverse Proxy from http://vddos.voduy.com/ Layer 7 Filter Mitigate DOS, DDOS, SYN Floods, or HTTP Floods attack?

  9. netstat -anp |egrep 'tcp|udp'
    tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2830/cupsd
    tcp 0 0 192.168.1.143:40826 66.196.116.112:443 ESTABLISHED 2587/firefox
    tcp 0 0 192.168.1.143:59992 87.248.118.23:443 ESTABLISHED 2587/firefox
    tcp 0 0 192.168.1.143:52036 63.250.200.41:443 ESTABLISHED 2587/firefox
    tcp 0 0 192.168.1.143:56426 82.196.8.47:80 ESTABLISHED 2587/firefox
    tcp6 0 0 ::1:631 :::* LISTEN 2830/cupsd
    udp 0 0 0.0.0.0:5353 0.0.0.0:* 1495/avahi-daemon:
    udp 0 0 0.0.0.0:42706 0.0.0.0:* 1495/avahi-daemon:
    udp 0 0 0.0.0.0:68 0.0.0.0:* 2405/dhclient
    udp 0 0 127.0.0.1:323 0.0.0.0:* 1560/chronyd
    udp6 0 0 :::5353 :::* 1495/avahi-daemon:
    udp6 0 0 :::40217 :::* 1495/avahi-daemon:
    udp6 0 0 ::1:323 :::* 1560/chronyd

  10. The above code gave me an error. Is this really working?

  11. Hi,

    When I do your command " netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1 ", I have :

    ************************
    1 2.152.249.29

    3 90.33.32.1
    3 90.56.121.206
    7 91.179.39.2
    1025
    1 107.167.113.54
    1 109.132.78.156

    2 188.163.86.105
    3 188.7.174.39

    ************************

    Seems to have a problem with "1025" but no IP in the right column.
