Upload
chinku85
View
214
Download
0
Embed Size (px)
Citation preview
7/27/2019 Are You Under a DoS or DDoS Attack _ Find Out With Netstat !
1/4
BlogClients
Home
Services
Support
Contact
About
You are here: Home/ Blog/ Security/ Are you under a DoS or DDoS attack ? Find out with netstat !
Are you under a DoS or DDoS attack ? Find out
with netstat !
28 Nov 2011/4 Comments/in Security/by Admin
Your server appearing pretty slow could be many things from wrong configs, scripts and dodgy hardware but sometimes it could be because someone is flooding your server with traffic known as DoS ( Denial ofService ) or DDoS ( Distributed Denial of Service ) it could also be that your server itself is part of a
botnet and is being used to attack other networks, in this case its always a good idea to run scans withsoftware such as ClamAV and RootKit Hunter as a precaution or even higher a professional to check it outfor you if your not confident enough to do it on your own.
Furthermore whenever a client connects to a server via network, a connection is established and openedon the system. On a busy high load server, the number of connections connected to the server can be runinto large amount till hundreds if not thousands. Find out and get a list of connections on the server byeach node, client or IP address is useful for system scaling planning, and in most cases, detect anddetermine whether a web server is under DoS or DDoS attack
Take a look at these handy netstat commands below that will surely help you determine wether your underattack or are part of an attack.
net st at - na
Display all active Internet connections to the server and only established connections are included.
net st at - an | gr ep : 80 | sor t
Show only active Internet connections to the server on port 80 and sort the results. Useful in detecting asingle flood by allowing you to recognize many connections coming from one IP.
netst at - n - p| gr ep SYN_REC | wc - l
you under a DoS or DDoS attack ? Find out with netstat !
4
7/27/2019 Are You Under a DoS or DDoS Attack _ Find Out With Netstat !
2/4
To find out how many active SYNC_REC are occurring on the server. The number should be pretty low,preferably less than 5. On DoS attack incidents or mail bombs, the number can jump to pretty high.However, the value always depends on system, so a high value may be average on another server.
net st at - n - p | gr ep SYN_REC | sor t - u
List all IP addresses involved.
net st at - n - p | gr ep SYN_REC | awk ' {pr i nt $5}' | awk - F: ' {pr i nt $1}'
List all the unique IP addresses of the nodes that are sending SYN_REC connection status.
net st at - nt u | awk ' {pri nt $5}' | cut - d: - f 1 | sort | uni q - c | sort - n
Use netstat command to calculate and count the number of connections each IP address makes to theserver.
net st at - anp | grep ' t cp\ | udp' | awk ' {pri nt $5}' | cut - d: - f 1 | sort | uni q - c | sort
List the number of connections the IPs are making to the server using TCP or UDP protocol.
net st at - nt u | gr ep ESTAB | awk ' {pr i nt $5}' | cut - d: - f 1 | sor t | uni q - c | sor t - nr
Check on ESTABLISHED connections instead of all connections, and display the number of connectionsfor each IP.
net st at - pl an| gr ep : 80| awk {' pr i nt $5' }| cut - d: - f 1| sor t | uni q - c| sor t - nk 1
Show a list IP addresss and its number of connections that are connecting to port 80 on the server. Port80 is used mainly by the HTTP protocol.
Tags:DDoS, DoS,Netstat
4 replies
mkhudasays:May 7, 2013 at 3:17 PM
my website is run very slowly at sometimes. .i think its ddos or maybe server maintenance. .
Reply
1.
thoklingsays:November 18, 2013 at 7:49 AM
If your Website is running slow and you have shell access, run top. The first line contains theload average of the system: each 1.00 means a full CPU worth of processing power is being used.
If that appears untoward, then the regularly-updating list of processes underneath the highlightedbar can help. %CPU is the important field: 100% means its using a full CPU worth of processingpower. If any process is hogging the CPU for an undesired amount of time, research ways to reducethe CPU footprint of that process. Either its not configured properly, it needs to be replaced, or the
2.
you under a DoS or DDoS attack ? Find out with netstat !
4
7/27/2019 Are You Under a DoS or DDoS Attack _ Find Out With Netstat !
3/4
VM sharing system of the host is not that efficient.
Reply
Anonsays:
November 22, 2013 at 4:14 AM
Most of these do not work on my machine. Running Windows 7 Ultimate.
Reply
3.
Hasan Demirsays:January 8, 2014 at 1:40 PM
I needed it
Reply
4.
Leave a Reply
Want to join the discussion?Feel free to contribute!
Leave a Reply
Your email address will not be published. Required fields are marked *
Name *
Email *
Website
Comment
You may use these HTML tags and attributes:
SECURITY
you under a DoS or DDoS attack ? Find out with netstat !
4
7/27/2019 Are You Under a DoS or DDoS Attack _ Find Out With Netstat !
4/4
BUSINESS HOURS
Our support desk is available 24 hours a day but replies on weekends may take longer than normal - youcan also contact us on the following number during business hours: 0141 416 7912
Monday-Friday: 24 HoursSaturday: 8am to 2pmSunday:Limited
SafeSrv.net
We strive to provide the best services by focusing on support, security and reliability. You need not pay ahigh amount for premium support or services, we supply all the tools and services that you require to runyour business safely, smoothly and efficiently.
TwitterFollowersSubscribeto RSS FeedCopyright 2013 SafeSrv.net | All Rights Reserved
Terms and ConditionsAUPPrivacy Policy
VPN Service
Adding reCaptcha To a Contact Form Page on WordPress How do i block PHP shells from runningon my server ?
you under a DoS or DDoS attack ? Find out with netstat !
4