Tuesday, March 19, 2013

Finding DDOS attacks

Finding DDOS attacks

Below are some of the useful netstat commands to check during DDOS attack.

To list the connections to the target IPs (server's IP's) use the below command : 

netstat -alpn | grep :80 | awk '{print $4}' |awk -F: '{print $(NF-1)}' |sort |uniq -c | sort -n

To list the connections from source IP's use the below command:

netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort |uniq -c | sort -n

To see the state of each connection and the value use the below command:

netstat -an|grep ":80"|awk '/tcp/ {print $6}'|sort| uniq -c

You can use tcpdump to identify the attacker too:

tcpdump -c -n -i eth"x" -p host IP_Address

where x can be 0 or 1,n=number(100 or 1000). If it is a VPS, it can be venet0 too. Check the Output of ifconfig.

To check if a server is under a DoS attack with netstat, it’s common to use:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n|wc -l

If the output of below command returns a result like 2000 or 3000 connections!, then obviously it’s very likely the server is under a DoS attack.

To detect a SYN flood with netstat :

netstat -nap | grep SYN | wc -l

If the output returns a value of 1032,1032 SYNs per second is quite a high number and except if the server is not serving let’s say 5000 user requests per second, therefore as the above output reveals it’s very likely the server is under attack, if however I get results like 100/200 SYNs, then obviously there is no SYN flood targetting

Checking if UDP Denial of Service is targetting the server :

netstat -nap | grep 'udp' | awk '{print $5}' | cut -d: -f1 | sort |uniq -c |sort -n

The above command will list information concerning possible UDP DoS.

The command can easily be accustomed also to check for both possible TCP and UDP denial of service, like so :

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

You can see the output as :


If after getting an IP that has too many connections to the server and is almost certainly a DoS host you would like to filter this IP.

Here is how I remove hosts to not be able to route packets to my server:

route add reject

The above command would null route the access of IP to my server.

Later on to look up for a null routed IP to my host, I use:

route -n |grep -i

Block the IPs with high connection above using CSF or APF firewall :

csf -d IP {reason}

apf -d IP

No comments:

Post a Comment