Usage netstat to determine DoS/ddos attack

1
(1)

Displays the number of connections for each IP address in the ESTABLISHED state

# netstat -naltp | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort -n | uniq -c

or

# netstat -nalpt | grep ESTABLISHED  | awk '{print $5}' | cut -d: -f1| sort | uniq -c | sort -rn

Display all active Internet connections on port 80 of the server and sorting them
Useful for detecting a large number of requests from a single IP address (DoS)

# netstat -na | grep :80 | sort

Counting the number of connections from each IP address to the 80-port of the server.

# netstat -npla | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn

The determination of the number of connection requests was received from the network.
The number should be fairly low (less than 5). During a DoS / DDoS attack, such a number can have a high value. However, the value always depends on the system (a high value on one server can be average on another)

# netstat -np | grep SYN_RECV | wc -l

List of all IP addresses from which connections with the status SYN_RECV come

# netstat -np | grep SYN_RECV | awk '{print $5}' | awk -F: '{print $1}'

Counting the number of connections from each IP address

# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn

Counting the number of connections from each IP address using TCP or UDP.

# netstat -nap | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1| sort | uniq -c | sort -rn

Similar Posts:

1,921

How useful was this post?

Click on a star to rate it!

Average rating 1 / 5. Vote count: 1

No votes so far! Be the first to rate this post.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top