Finding and preventing the DDOS attacks - General Discussion

General Category > General Discussion

Finding and preventing the DDOS attacks

(1/1)

nidhinjo:
Below are some of the useful netstat commands to check during DDOS attack,
----------------------------------------------------------------------------------------------------------
To list the connections to the target IPs (server's IP's) use the below command :

--- Code: ---netstat -alpn | grep :80 | awk '{print $4}' |awk -F: '{print $(NF-1)}' |sort |uniq -c | sort -n
--- End code ---

To list the connections from source IP's use the below command:

--- Code: ---netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort |uniq -c | sort -n
--- End code ---

To see the state of each connection and the value use the below command:

--- Code: ---netstat -an|grep ":80"|awk '/tcp/ {print $6}'|sort| uniq -c
--- End code ---

You can use tcpdump to identify the attacker too:

--- Code: ---tcpdump -c -n -i eth"x" -p host IP_Address
--- End code ---

where x can be 0 or 1,n=number(100 or 1000). If it is a VPS, it can be venet0 too. Check the Output of ifconfig.

To check if a server is under a DoS attack with netstat, it’s common to use:

--- Code: ---netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n|wc -l
--- End code ---

If the output of below command returns a result like 2000 or 3000 connections!, then obviously it’s very likely the server is under a DoS attack.

To detect a SYN flood with netstat :

--- Code: ---netstat -nap | grep SYN | wc -l
--- End code ---

If the output returns a value of 1032,1032 SYNs per second is quite a high number and except if the server is not serving let’s say 5000 user requests per second, therefore as the above output reveals it’s very likely the server is under attack, if however I get results like 100/200 SYNs, then obviously there is no SYN flood targetting

Checking if UDP Denial of Service is targetting the server :

--- Code: ---netstat -nap | grep 'udp' | awk '{print $5}' | cut -d: -f1 | sort |uniq -c |sort -n
--- End code ---

The above command will list information concerning possible UDP DoS.

The command can easily be accustomed also to check for both possible TCP and UDP denial of service, like so :

--- Code: ---netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
--- End code ---

You can see the output as :

335 212.56.156.36
456 96.56.89.223
1565 198.141.85.45

If after getting an IP that has too many connections to the server and is almost certainly a DoS host you would like to filter this IP.

Here is how I remove hosts to not be able to route packets to my server:

--- Code: ---route add 198.141.85.45 reject
--- End code ---

The above command would null route the access of IP 198.141.85.45 to my server.

Later on to look up for a null routed IP to my host, I use:

--- Code: ---route -n |grep -i 198.141.85.45
--- End code ---

Block the IPs with high connection above using CSF or APF firewall :

--- Code: ---csf -d IP {reason}

apf -d IP
--- End code ---

============================== :) ===================================

Navigation

[0] Message Index

Go to full version