Some commands to check the Server when under DDOS attack

Denial of Service (DoS) attack can be described as an action that prevents legitimate users from accessing and using a certain service. It includes flooding the network, losing connection to the service… but the ultimate goal is that the server (Server) cannot meet the requests to use the service from the workstations (Client).

Today I would like to share some commands to check the Server when under DDOS attack:

– Count the number of connections to Port 80:

netstat -n | grep :80 |wc -l

– Check the number of connections in the SYN_RECV state:

netstat -n | grep :80 | grep SYN_RECV|wc -l

– Show all connected IPs and the number of connections from each IP:

netstat -an|grep :80 |awk '{print $5}'|cut -d":" -f1|sort|uniq -c|sort -rn

– If you want to check which IP opens many SYNs, add:

netstat -an|grep :80|grep SYN |awk '{print $5}'|cut -d":" -f1|sort|uniq -c|sort -rn

– For servers with multiple IPs, to check which IP is being attacked:

netstat -plan | grep :80 | awk '{print $4}'| cut -d: -f1 |sort |uniq -c

– Show all connected IPs and the number of connections from each IP:

netstat -an | grep ':80' | awk '{print $5}' | sed s/'::ffff:'// | cut -d":" -f1 | sort | uniq -c

– Displays the number of connections per type

netstat -an | grep :80 | awk '{print $6}' | sort | uniq -c

61 ESTABLISHED
 13 FIN_WAIT1
 17 FIN_WAIT2
 1 LISTEN
 25 SYN_RECV
 298 TIME_WAIT

– Displays all connected IPs and the number of connections from each IP

watch "netstat -an | grep ':80' | awk '{print $5}' | sed s/'::ffff:'// | cut -d":" -f1 | sort | uniq -c"

watch "netstat -an | grep :80 | awk '{print $6}' | sort | uniq -c"

Once you have detected an IP with unusual signs, you can use CSF to block that IP.