How to check DDoS attack?

HostSailor

Member
Registered
Joined
May 16, 2014
Messages
20
Points
1

A denial-of-service attack (DoS attack) or Distributed Denial-of-service attack (DDoS attack) is an attempt to make a server or network resource unavailable to its users. This attack generally targets sites or services hosted on web servers. DoS attacks are implemented by either forcing the targeted computer to reset or consuming its resources so that it can no longer provide its services or obstructing the communication media between the users and the victim so that they can no longer communicate adequately.
The best command to detect the DoS attack is 'netstat' and we have plenty of options available to check the details of the attack.​
Some examples are provided below with the example commands:

netstat -na
This display all active Internet connections to the server and only established connections are included.
netstat -an | grep :80 | sort

Show only active Internet connections to the server on port 80, this is the HTTP port and so it’s useful if you have a web server, and sort the results. Useful in detecting a single flood by allowing you to recognize many connections coming from one IP.
netstat -n -p|grep SYN_REC | wc -l

This command is useful to find out how many active SYNC_REC are occurring on the server. The number should be pretty low, preferably less than 5. On DoS attack incidents or mail bombs, the number can jump to pretty high. However, the value always depends on the system, so a high value may be average on another server.
netstat -n -p | grep SYN_REC | sort -u

List out the all IP addresses involved instead of just count.
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

List all the unique IP addresses of the node that are sending SYN_REC connection status.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Use netstat command to calculate and count the number of connections each IP address makes to the server.
netstat -anp |grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

List count of number of connections the IPs are connected to the server using TCP or UDP protocol.
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

Check on ESTABLISHED connections instead of all connections, and displays the connections count for each IP.
netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

Show and list IP address and its connection count that connect to port 80 on the server. Port 80 is used mainly by HTTP web page request.
How to mitigate a DOS attack
Once that you have found the IP's that are attacking your server you can try using the following commands to block their connection to your server:
iptables -A INPUT 1 -s $IPADRESS -j DROP/REJECT

Please note that you have to replace $IPADRESS with the IP numbers that you have found with netstat. If the attack is from different ranges of IPs and if it is in a huge volume, you might need to get help from the support team in order to get it fixed.
 

harry_v

Well-known member
Registered
Hosting Provider
Joined
Dec 20, 2017
Messages
110
Points
18
If you're feeling the heat from a DDoS attack, you can take some simple steps to determine if your site is under siege.

1. Check your load times. If they are increasing or decreasing abnormally, that's a sign that your site is being hit with a distributed denial-of-service (DDoS) attack.

2. Use WebPageTest to measure the response time of specific URLs on your site. You may have a problem if they take longer than 10 seconds to load.

3. Online attack detectors like the ones offered by Akamai and CloudFlare to see if your site is registered on any known blacklists.
 

quadcloud

New member
Registered
Joined
Aug 22, 2022
Messages
10
Points
1
A DDoS attack comes from many sources and it's a heck of a lot easier to block connections using an Address List. Using a router/firewall infront of your public ip address allows you to add lists of known attackers. You can add rules for Synflods and other known attacks. This lowers your surface area to atacks.
Thats why you should use a vps or server with DDOS protection inplace via provider of cloud
 
Latest Threads
Replies
0
Views
122
Replies
1
Views
77

Latest Hosting OffersNew Reviews

Sponsors

Tag Cloud

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Top