Usage netstat to determine DoS/ddos attack

0
(0)

Displays the number of connections for each IP address in the ESTABLISHED state

# netstat -naltp | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort -n | uniq -c

or

# netstat -nalpt | grep ESTABLISHED  | awk '{print $5}' | cut -d: -f1| sort | uniq -c | sort -rn

Display all active Internet connections on port 80 of the server and sorting them
Useful for detecting a large number of requests from a single IP address (DoS)

# netstat -na | grep :80 | sort

Counting the number of connections from each IP address to the 80-port of the server.

# netstat -npla | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn

The determination of the number of connection requests was received from the network.
The number should be fairly low (less than 5). During a DoS / DDoS attack, such a number can have a high value. However, the value always depends on the system (a high value on one server can be average on another)

# netstat -np | grep SYN_RECV | wc -l

List of all IP addresses from which connections with the status SYN_RECV come

# netstat -np | grep SYN_RECV | awk '{print $5}' | awk -F: '{print $1}'

Counting the number of connections from each IP address

# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn

Counting the number of connections from each IP address using TCP or UDP.

# netstat -nap | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1| sort | uniq -c | sort -rn

427

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

Scroll to Top