check ddos attack
netstat -anp|grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort –n
This command will show you the list of IP's which have logged in is maximum number of connections to your server.
ddos becomes more complex as attackers use fewer connections with more number of attacking IP's.In such cases, you should get less number of connections even when your server is under ddos.One important thing that you should check is the number of active connections that your server currently has by executing below command:
netstat -n | grep :80 |wc –l
netstat -n | grep :80 | grep SYN |wc –l
Result of active connections from the first command will vary but if it shows connections more than 500, then you will be definitely having problems. If the result after you fire second command is 100 or above then you are having problems with sync attack.
This command is useful to find out how many active SYNC_REC are occurring on the server. The number should be pretty low, preferably less than 5. On DoS attack incidents or mail bombs, the number can jump to pretty high. However, the value always depends on system, so a high value may be average on another server.
netstat -n -p|grep SYN_REC | wc -l
netstat -n -p | grep SYN_REC | sort -u
Once you find the ip attacking your server, you can easily block it.Fire the following command to block that ip or any other specific ip:
check ip blocked or not by using the following command:
route -n |grep IPaddress
You can also block a IP with iptables on the server by using the following command.
iptables -A INPUT 1 -s IPADRESS -j DROP/REJECT
service iptables restart
service iptables save
After firing the above command, KILL all httpd connection and than restart httpd service by
using following command:
killall -KILL httpd
service httpd startssl
0 comments:
Post a Comment