Some useful commands to run when checking whether a server is under a DDoS attack.
NOTE: The netstat command has been superseded by the ss command.
If your system is old and ss is not available, simply use netstat in place of ss, but check the awk field numbers against the header first, because the two tools do not print the same columns.
ss -alpn | grep :80 | awk '{print $6}' | awk -F: '{print $(NF-1)}' | sort | uniq -c | sort -n
returns:
1 511
netstat -alpn | grep :80 | awk '{print $5}' | awk -F: '{print $(NF-1)}' | sort | uniq -c | sort -n
returns:
1
1 0.0.0.0
1 123.123.123.123
1 234.234.234.234
ss -an | grep ":80" | awk '/tcp/ {print $6}' | sort | uniq -c
returns:
1 [::]:*
1 0.0.0.0:*
1 123.123.123.123:56360
tcpdump -c 100 -n -i eth0 -p host IP_Address
returns:
tcpdump -c 100 -i br0 -p host 192.168.1.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:39:23.239478 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 829605160:829605348, ack 3653010571, win 62780, length 188
12:39:23.239694 IP peter.sharewiz.net.51864 > server1.sharewiz.net.ssh: Flags [.], ack 188, win 65535, length 0
12:39:23.240455 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 188:488, ack 1, win 62780, length 300
12:39:23.240518 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 488:652, ack 1, win 62780, length 164
12:39:23.240572 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 652:816, ack 1, win 62780, length 164
12:39:23.240645 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 816:980, ack 1, win 62780, length 164
12:39:23.240734 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 980:1144, ack 1, win 62780, length 164
12:39:23.240794 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 1144:1308, ack 1, win 62780, length 164
12:39:23.240821 IP peter.sharewiz.net.51864 > server1.sharewiz.net.ssh: Flags [.], ack 488, win 65535, length 0
12:39:23.240845 IP peter.sharewiz.net.51864 > server1.sharewiz.net.ssh: Flags [.], ack 652, win 65535, length 0
12:39:23.240853 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 1308:1472, ack 1, win 62780, length 164
12:39:23.240862 IP peter.sharewiz.net.51864 > server1.sharewiz.net.ssh: Flags [.], ack 816, win 65535, length 0
12:39:23.240870 IP peter.sharewiz.net.51864 > server1.sharewiz.net.ssh: Flags [.], ack 980, win 65535, length 0
12:39:23.240959 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 1472:1732, ack 1, win 62780, length 260
...
ss -ntu | awk '{print $6}' | cut -d: -f1 | sort | uniq -c | sort -n | wc -l
returns:
2
NOTE: If this returns a number in the thousands (2000 or 3000, say), it is very likely the server is under a DoS attack.
ss -ntu | awk '{print $6}' | cut -d: -f1 -s | sort | uniq -c | sort -nk1 -r | while IFS= read -r line; do if [[ $(echo $line | cut -d' ' -f2) =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo -e "\033[0;31m$line\033[0m"; else echo -e "\033[0;34m$line\033[0m"; fi; done
returns:
21 192.168.1.69
4 127.0.0.1
2 [fd42
ss -nap | grep SYN | wc -l
returns:
0
NOTE: If the output is a high value, say over a thousand, the server may be under attack.
This figure varies with the server's normal load: a system may legitimately serve many thousands of users, so a high value here does not always mean a SYN flood.
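The per-peer counting and the SYN check above, as one added example that is not part of the original page: it reads `ss -ntua`-style output (a constructed sample is embedded), strips the port without mangling IPv6 peers the way `cut -d: -f1` does (which is where the `[fd42` entry above comes from), and counts SYN-RECV sockets separately. The column positions (State in field 2, peer address in field 6, which holds when both tcp and udp are selected so the Netid column is printed) and the sample data are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: aggregate an `ss -ntua`-style
# listing by peer address and count half-open (SYN-RECV) sockets.
# Assumption: State is field 2 and the peer address is field 6.

# Constructed sample of `ss -ntua` output (not a real capture).
SAMPLE_SS='Netid State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   ESTAB    0      0      192.168.1.69:80     203.0.113.10:51000
tcp   ESTAB    0      0      192.168.1.69:80     203.0.113.10:51001
tcp   ESTAB    0      0      192.168.1.69:80     203.0.113.10:51002
tcp   SYN-RECV 0      0      192.168.1.69:80     198.51.100.7:40000
tcp   SYN-RECV 0      0      192.168.1.69:80     198.51.100.8:40001
tcp   ESTAB    0      0      [fd42::1]:80        [2001:db8::5]:60000
tcp   ESTAB    0      0      [fd42::1]:80        [2001:db8::5]:60001
udp   UNCONN   0      0      0.0.0.0:68          0.0.0.0:*
tcp   ESTAB    0      0      127.0.0.1:80        127.0.0.1:33000'

# Strip the port from one peer token: "203.0.113.10:51000" -> 203.0.113.10,
# "[2001:db8::5]:60000" -> 2001:db8::5 (kept whole, unlike cut -d: -f1).
peer_host() {
    case "$1" in
        \[*\]:*) h=${1%%]:*}; printf '%s\n' "${h#\[}" ;;
        *)       printf '%s\n' "${1%:*}" ;;
    esac
}

# Read ss output on stdin; print "count peer" lines, busiest peer first.
# The header and unconnected sockets (peer ending in ":*") are skipped.
peer_counts() {
    awk 'NR > 1 && $6 !~ /:\*$/ { print $6 }' \
        | while IFS= read -r tok; do peer_host "$tok"; done \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Read ss output on stdin; print only peers holding at least $1 sockets.
flag_peers() {
    peer_counts | awk -v t="$1" '$1 >= t'
}

# Read ss output on stdin; count sockets stuck in SYN-RECV, the state a
# SYN flood drives up because the handshake never completes.
syn_recv_count() {
    awk '$2 == "SYN-RECV" { n++ } END { print n + 0 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | peer_counts
printf 'half-open sockets: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | syn_recv_count)"
printf 'peers with >= 3 sockets: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | flag_peers 3)"
```

On a live system, replace the `printf` of the sample with `ss -ntua | peer_counts`; the threshold passed to `flag_peers` should be set from the server's normal per-client load, for the same reason the NOTE above gives for the SYN count.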
ss -nap | grep 'udp' | awk '{print $6}' | cut -d: -f1 | sort | uniq -c | sort -n
returns:
1 0.0.0.0%virbr0
1 127.0.0.1
1 127.0.0.53%lo
2 0.0.0.0
2 172.17.255.255
2 192.168.0.255
2 192.168.123.255
2 192.168.1.255
3 172.17.0.1
3 192.168.0.2
4 192.168.123.1
13 192.168.1.2
NOTE: The above command lists UDP sockets grouped by address, which can point to a possible UDP DoS.
The command is easily adapted to check for both TCP and UDP denial of service at once, like so:
ss -anp | grep 'tcp\|udp' | awk '{print $6}' | cut -d: -f1 | sort | uniq -c | sort -n
returns:
1 *
1 0.0.0.0%virbr0
2 127.0.0.53%lo
2 172.17.255.255
2 192.168.0.255
2 192.168.123.255
2 192.168.1.255
4 172.17.0.1
4 192.168.0.2
5 [
5 192.168.123.1
9 127.0.0.1
12 0.0.0.0
23 192.168.1.2
NOTE: If a specific IP has far more connections to the server than any other, it is almost certainly a DoS host, so the suggestion is to filter that IP.
ip route add blackhole 123.123.123.123
or
route add -host 123.123.123.123 reject
Either command null-routes IP 123.123.123.123, so its traffic to the server is dropped.
To check that the route for this IP is now null:
ip route | grep -i 123.123.123.123
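An added example, not from the page, that turns the `uniq -c` output of the pipelines above into `ip route add blackhole` commands for only the peers at or above a threshold, and refuses to emit one for loopback, private, link-local or the server's own addresses (an assumed `OWN_ADDRS` list), because a mistaken blackhole can cut the server off from its own gateway or monitoring. It also drops the junk tokens (`[`, `*`, `0.0.0.0%virbr0`) that `cut -d: -f1` produces for IPv6 and wildcard sockets. It only prints the commands; the sample counts are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: build null-route commands from
# "count peer" lines, with guards against blackholing the wrong address.
# Nothing is executed; review the printed commands before running them as root.

# Constructed sample input (uniq -c style), including junk tokens that the
# page's `cut -d: -f1` can emit for IPv6 and wildcard sockets.
SAMPLE_COUNTS='2500 203.0.113.10
3000 127.0.0.1
1800 198.51.100.7
1500 192.168.1.69
1200 [
12 192.0.2.44
1 0.0.0.0%virbr0'

# Assumed: the server's own public address(es), never to be blackholed.
OWN_ADDRS='203.0.113.1'

# Return 0 only for a well-formed IPv4 dotted quad (each octet 0-255).
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Return 0 for addresses we refuse to null-route: loopback, RFC 1918 and
# link-local ranges, and the server's own addresses.
is_protected() {
    case "$1" in
        127.*|10.*|192.168.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    for own in $OWN_ADDRS; do
        [ "$1" = "$own" ] && return 0
    done
    return 1
}

# Read "count peer" lines on stdin; print one blackhole command per peer
# whose count is >= $1 and which passes both checks above.
blackhole_cmds() {
    while read -r n ip; do
        [ -n "$ip" ] || continue
        [ "$n" -ge "$1" ] || continue
        is_ipv4 "$ip" || continue
        is_protected "$ip" && continue
        printf 'ip route add blackhole %s\n' "$ip"
    done
}

# Stand-alone demo: peers with 1000 or more sockets in the constructed sample.
printf '%s\n' "$SAMPLE_COUNTS" | blackhole_cmds 1000
```

Only the two public peers survive the threshold and the guards; 127.0.0.1 and 192.168.1.69 are skipped even though their counts are higher, and `[` never reaches `ip route`.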
1. tcpdump -i igb1 -nnn -c 10 dst port 80 and host IP_Address
This is the FreeBSD form of the command, where "igb1" is the network interface name.
2. time tcpdump -i igb1 -nnn -c 1000 dst port 80 and host 192.168.0.5 | tail
3. tail -n 1000 /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -b -k1 -n | tail
4. netstat -n | awk '{ print $5 }' | cut -d ":" -f 1 | grep "[1-9]" | sort | uniq -c | sort -n
5. awk '{print $5}' /proc/net/ip_conntrack | sort | uniq -c | sort -rn | head -25 | column -t
6. netstat -nt | grep :80 | wc -l
7. tcpdump -l -A -s 500 dst 192.168.1.14 | grep -i refer
8. tcpdump -i eth0 -vvv -nn -s 1700 -w ddos
tcpdump -nn -vv -r ddos | awk '{print $18}' | awk -F. '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -rn | head -25
9. /usr/local/apache/bin/apachectl fullstatus
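Item 3's access-log count, extended as an added example that is not from the page: besides requests per client it reports each client's busiest single second and its most requested path, which helps separate a flood from a busy but legitimate client. It assumes the combined log format (client in field 1, `[timestamp` in field 4, request path in field 7); the log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: per-client profile of a
# combined-format access log (nginx or apache).

# Constructed sample log lines (not from a real server).
SAMPLE_LOG='203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=a HTTP/1.1" 200 9001 "-" "curl/7.88"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:50 +0000] "GET /index.html HTTP/1.1" 304 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Read log lines on stdin; print "ip total peak_per_second top_path",
# highest total first. Field 1 is the client, field 4 the "[timestamp"
# (to the second) and field 7 the request path.
client_profile() {
    awk '
    {
        ip = $1
        sec = substr($4, 2)                 # drop the leading "["
        split($7, p, "[?]"); path = p[1]    # path without the query string
        total[ip]++
        per_sec[ip SUBSEP sec]++
        per_path[ip SUBSEP path]++
    }
    END {
        for (k in per_sec) {
            split(k, a, SUBSEP)
            if (per_sec[k] > peak[a[1]]) peak[a[1]] = per_sec[k]
        }
        for (k in per_path) {
            split(k, a, SUBSEP)
            if (per_path[k] > best[a[1]]) { best[a[1]] = per_path[k]; top[a[1]] = a[2] }
        }
        for (ip in total) printf "%s %d %d %s\n", ip, total[ip], peak[ip], top[ip]
    }' | sort -k2,2nr
}

# Read log lines on stdin; print clients whose peak rate is >= $1 requests
# in one second.
burst_clients() {
    client_profile | awk -v t="$1" '$3 >= t { print $1 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | client_profile
printf 'bursting (>= 3 req/s): %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | burst_clients 3)"
```

On a live server the sample `printf` becomes `tail -n 1000 /var/log/nginx/access.log | client_profile`, matching item 3's window.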