A Denial of Service (DoS) attack is any action that prevents legitimate users from reaching and using a service. It can take the form of flooding the network, breaking connections to the service and so on, but the ultimate goal is that the server can no longer answer service requests from the clients (workstations).
Today I would like to share some commands for checking a server that is under a DDoS attack:
- Count the number of connections to port 80 (note that a bare `:80` pattern also matches ports such as 8080 if the host serves them, and that the LISTEN socket itself is included in the count):
netstat -n | grep :80 | wc -l
- Check the number of connections in the SYN_RECV state (half-open connections, the signature of a SYN flood):
netstat -n | grep :80 | grep SYN_RECV | wc -l
- Show all connected IPs and the number of connections from each IP, busiest first:
netstat -an | grep :80 | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -rn
- If you want to see which IP has opened many SYNs, add a SYN filter (this matches both SYN_RECV and SYN_SENT):
netstat -an | grep :80 | grep SYN | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -rn
- For servers with several IPs, to check which local IP is receiving the attack (column 4 is the local address; the -p option only shows process names when run as root):
netstat -plan | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c
- The same per-IP listing, but with the ::ffff: prefix of IPv4-mapped IPv6 addresses stripped, so that tcp6 sockets are counted together with the IPv4 sockets of the same peer:
netstat -an | grep ':80' | awk '{print $5}' | sed s/'::ffff:'// | cut -d":" -f1 | sort | uniq -c
- Display the number of connections per TCP state:
netstat -an | grep :80 | awk '{print $6}' | sort | uniq -c
Example output:
     61 ESTABLISHED
     13 FIN_WAIT1
     17 FIN_WAIT2
      1 LISTEN
     25 SYN_RECV
    298 TIME_WAIT
- To keep the per-IP and per-state listings refreshing on screen, wrap them in watch. Inside the double quotes the awk field references must be escaped as \$5 and \$6, otherwise the shell expands them to empty strings before awk ever sees them and awk prints whole lines:
watch "netstat -an | grep ':80' | awk '{print \$5}' | sed s/'::ffff:'// | cut -d: -f1 | sort | uniq -c"
watch "netstat -an | grep :80 | awk '{print \$6}' | sort | uniq -c"
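To see what these pipelines actually produce before running them on a busy host, here is an added example (my own code, not part of the original post) in POSIX sh that applies the same per-state, per-remote-IP, SYN_RECV and per-local-IP counts to a constructed `netstat -an` sample. The sample lines and the function names are assumptions for illustration only; the addresses come from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24. It goes slightly beyond the commands above: the port filter is applied to the local-address column so it cannot match ports such as 8080, the ::ffff: prefix is stripped so tcp and tcp6 sockets from one peer are counted together, and a threshold function lists the peers that deserve a closer look.

```shell
#!/bin/sh
# Added example (not from the original post): the netstat checks above, applied
# to a constructed `netstat -an` sample so they can be tried offline.
# All addresses below are invented (documentation ranges only).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address           State
tcp        0      0 0.0.0.0:80              0.0.0.0:*                 LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:51234        ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235        SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236        SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51237        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40001          ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40002          TIME_WAIT
tcp6       0      0 ::ffff:203.0.113.10:80  ::ffff:192.0.2.44:40003   ESTABLISHED
tcp6       0      0 ::ffff:203.0.113.11:80  ::ffff:198.51.100.7:51238 SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.9:55000           ESTABLISHED'

# Keep only sockets whose LOCAL address (column 4) ends in :80.
# A bare `grep :80` would also match :8080, :8000 and remote ports ending in 80.
port80_sockets() {
    awk '$4 ~ /:80$/'
}

# Drop the ::ffff: prefix of IPv4-mapped IPv6 addresses and the trailing :port,
# so tcp and tcp6 sockets from the same host are counted together.
strip_port() {
    sed -e 's/^::ffff://' -e 's/:[0-9*]*$//'
}

# Number of port-80 connections, the LISTEN socket excluded.
connection_count() {
    port80_sockets | awk '$6 != "LISTEN"' | wc -l | tr -d ' '
}

# Connections per TCP state, as "count STATE" lines.
count_by_state() {
    port80_sockets | awk '{print $6}' | sort | uniq -c | awk '{print $1, $2}'
}

# Connections per remote IP, busiest first, as "count IP" lines.
count_by_peer() {
    port80_sockets | awk '$6 != "LISTEN" {print $5}' | strip_port \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Half-open (SYN_RECV) connections per remote IP, busiest first.
syn_recv_by_peer() {
    port80_sockets | awk '$6 == "SYN_RECV" {print $5}' | strip_port \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Connections per LOCAL IP, for a server that has several addresses.
count_by_local_ip() {
    port80_sockets | awk '$6 != "LISTEN" {print $4}' | strip_port \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Remote IPs holding at least $1 connections: the ones worth a closer look.
peers_over() {
    count_by_peer | awk -v limit="$1" '$1 >= limit {print $2}'
}

# Run every check over the netstat output on stdin.
# On a live host:  netstat -an | run_all_checks
run_all_checks() {
    input=$(cat)
    echo "== port-80 connections (LISTEN excluded) =="
    printf '%s\n' "$input" | connection_count
    echo "== per TCP state =="
    printf '%s\n' "$input" | count_by_state
    echo "== per remote IP =="
    printf '%s\n' "$input" | count_by_peer
    echo "== SYN_RECV per remote IP =="
    printf '%s\n' "$input" | syn_recv_by_peer
    echo "== per local IP =="
    printf '%s\n' "$input" | count_by_local_ip
    echo "== remote IPs with at least 4 connections =="
    printf '%s\n' "$input" | peers_over 4
}

printf '%s\n' "$SAMPLE_NETSTAT" | run_all_checks
```

On the sample, 198.51.100.7 holds five of the eight port-80 connections and all four SYN_RECV entries, which is exactly the pattern the SYN_RECV check above is meant to surface; the remaining peer, 192.0.2.44, has a normal mix of ESTABLISHED and TIME_WAIT. The threshold in `peers_over` is a starting point, not a rule: on a real host, compare the counts against the baseline you see when the site is not under attack.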
Once you have found an IP that shows unusual behaviour, you can block it with CSF (ConfigServer Security & Firewall), for example with `csf -d <IP>`, which adds the address to the deny list.