Ubuntu - Networking - Finding DDOS attacks
Some useful commands to check during a DDoS attack.
NOTE: The netstat command has been superseded by the ss command.
If your system is old and ss is not available, simply use netstat in place of ss.
List the connections to the target IPs
ss -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort |uniq -c | sort -n
NOTE: In ss output the local address is column 5 (column 4 is Send-Q, which on a listening socket is the backlog, e.g. 511); in netstat output the local address is column 4.
List connections from source IPs
netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort |uniq -c | sort -n
returns:
1
1 0.0.0.0
1 123.123.123.123
1 234.234.234.234
See the state of each connection
ss -an|grep ":80"|awk '/tcp/ {print $6}'|sort| uniq -c
returns:
1 [::]:*
1 0.0.0.0:*
1 123.123.123.123:56360
Identify the attacker
tcpdump -c 100 -n -i eth0 -p host IP_Address
returns:
tcpdump -c 100 -i br0 -p host 192.168.1.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:39:23.239478 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 829605160:829605348, ack 3653010571, win 62780, length 188
12:39:23.239694 IP peter.sharewiz.net.51864 > server1.sharewiz.net.ssh: Flags [.], ack 188, win 65535, length 0
12:39:23.240455 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 188:488, ack 1, win 62780, length 300
12:39:23.240518 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 488:652, ack 1, win 62780, length 164
12:39:23.240572 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 652:816, ack 1, win 62780, length 164
12:39:23.240645 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 816:980, ack 1, win 62780, length 164
12:39:23.240734 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 980:1144, ack 1, win 62780, length 164
12:39:23.240794 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 1144:1308, ack 1, win 62780, length 164
12:39:23.240821 IP peter.sharewiz.net.51864 > server1.sharewiz.net.ssh: Flags [.], ack 488, win 65535, length 0
12:39:23.240845 IP peter.sharewiz.net.51864 > server1.sharewiz.net.ssh: Flags [.], ack 652, win 65535, length 0
12:39:23.240853 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 1308:1472, ack 1, win 62780, length 164
12:39:23.240862 IP peter.sharewiz.net.51864 > server1.sharewiz.net.ssh: Flags [.], ack 816, win 65535, length 0
12:39:23.240870 IP peter.sharewiz.net.51864 > server1.sharewiz.net.ssh: Flags [.], ack 980, win 65535, length 0
12:39:23.240959 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 1472:1732, ack 1, win 62780, length 260
...
Check if a server is under a DoS attack
ss -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n|wc -l
returns:
2
NOTE: If the output is a figure like 2000 or 3000 rather than a handful, then it is very likely the server is under a DoS attack.
Colourful Output
ss -ntu|awk '{print $5}'|cut -d: -f1 -s|sort|uniq -c|sort -nk1 -r | while IFS= read -r line; do if [[ $(echo $line | cut -d' ' -f 2) =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo -e "\033[0;31m$line\033[0m"; else echo -e "\033[0;34m$line\033[0m"; fi; done
returns:
21 192.168.1.69
4 127.0.0.1
2 [fd42
Detect a SYN flood
ss -nap | grep SYN | wc -l
returns:
0
NOTE: If the output returns a high value, say over a thousand, this could mean the server is under attack.
This figure will vary depending on the usage of the server. A system may intentionally serve many thousands of users, so a high value here does not always mean there is a SYN flooding attack.
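The two notes above say the raw SYN count only means something relative to the server's normal load. The following is an added example, not from the original page: it reads `ss -ntan`-style output, counts sockets by exact state (so SYN-SENT is not mixed in as `grep SYN` would do), and flags a flood only when SYN-RECV exceeds both an absolute floor and a multiple of the ESTAB count. The sample lines, the function names and the default thresholds are constructed for this example.

```shell
# Added example, not from the original page. Reads `ss -ntan`-style lines
# (State Recv-Q Send-Q Local Peer) from stdin. Sample below is constructed.
SAMPLE_SS_TCP='State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      511    0.0.0.0:80          0.0.0.0:*
ESTAB     0      0      192.168.1.2:80      192.168.1.69:51234
ESTAB     0      0      192.168.1.2:22      192.168.1.69:51864
SYN-RECV  0      0      192.168.1.2:80      203.0.113.10:40001
SYN-RECV  0      0      192.168.1.2:80      203.0.113.11:40002
SYN-RECV  0      0      192.168.1.2:80      203.0.113.12:40003
SYN-RECV  0      0      192.168.1.2:80      203.0.113.13:40004'

# Number of sockets whose State column equals $1 (e.g. SYN-RECV, ESTAB).
# Comparing the whole column avoids counting SYN-SENT when looking for SYN-RECV.
count_state() {
  awk -v st="$1" '$1 == st { n++ } END { print n + 0 }'
}

# Exit 0 (suspect) when SYN-RECV >= floor ($1, default 1000) AND
# SYN-RECV > ratio ($2, default 2) * ESTAB; otherwise exit 1.
# Both knobs exist because a busy but healthy server also holds many
# half-open connections, so the absolute number alone is not meaningful.
syn_flood_suspect() {
  local floor="${1:-1000}" ratio="${2:-2}" data syn estab
  data=$(cat)
  syn=$(printf '%s\n' "$data" | count_state SYN-RECV)
  estab=$(printf '%s\n' "$data" | count_state ESTAB)
  echo "SYN-RECV=$syn ESTAB=$estab"
  [ "$syn" -ge "$floor" ] && [ "$syn" -gt $((ratio * estab)) ]
}

# Live use: ss -ntan | syn_flood_suspect 1000 2
printf '%s\n' "$SAMPLE_SS_TCP" | syn_flood_suspect 3 1 && echo "suspect" || echo "ok"
```

Pick the floor from the server's quiet-hours baseline (a few runs of `ss -ntan | count_state SYN-RECV`) rather than a fixed number; the ratio catches the case where half-open connections pile up while real sessions do not grow.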
Check for a UDP Denial of Service
ss -nap | grep 'udp' | awk '{print $5}' | cut -d: -f1 | sort |uniq -c |sort -n
returns:
1 0.0.0.0%virbr0
1 127.0.0.1
1 127.0.0.53%lo
2 0.0.0.0
2 172.17.255.255
2 192.168.0.255
2 192.168.123.255
2 192.168.1.255
3 172.17.0.1
3 192.168.0.2
4 192.168.123.1
13 192.168.1.2
NOTE: The above command lists information about a possible UDP DoS.
The command can easily be adapted to check for both TCP and UDP denial of service, like so:
ss -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
returns:
1 *
1 0.0.0.0%virbr0
2 127.0.0.53%lo
2 172.17.255.255
2 192.168.0.255
2 192.168.123.255
2 192.168.1.255
4 172.17.0.1
4 192.168.0.2
5 [
5 192.168.123.1
9 127.0.0.1
12 0.0.0.0
23 192.168.1.2
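The `cut -d: -f1` step used in the "Check if a server is under a DoS attack", "Colourful Output" and TCP/UDP counts above breaks on IPv6 addresses (the `[fd42` and `[` lines in the outputs are the first field of an IPv6 address, not a host) and leaves `%iface` scope suffixes attached. The following is an added example, not from the original page, that counts connections per address while stripping only the final `:port`, the IPv6 brackets and the scope id, and then lists the addresses over a threshold. The sample lines and function names are constructed; the column layout assumed is that of `ss -ntu` without `-p` (Netid State Recv-Q Send-Q Local Peer), so column 6 is the peer and column 5 the local address.

```shell
# Added example, not from the original page: per-address connection counts
# over `ss -ntu`-style output that survive IPv6 brackets and %iface scopes.
# Constructed sample (Netid State Recv-Q Send-Q Local Peer), the layout
# `ss -ntu` prints when both TCP and UDP are requested without -p.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port    Peer Address:Port
tcp   ESTAB  0      0      192.168.1.2:80        192.168.1.69:51234
tcp   ESTAB  0      0      192.168.1.2:80        192.168.1.69:51235
tcp   ESTAB  0      0      192.168.1.2:80        192.168.1.69:51236
tcp   ESTAB  0      0      [fd42:1::2]:80        [fd42:1::9]:40000
tcp   ESTAB  0      0      [fd42:1::2]:80        [fd42:1::9]:40001
udp   ESTAB  0      0      127.0.0.53%lo:53      127.0.0.1:5353
tcp   ESTAB  0      0      192.168.1.2:22        203.0.113.7:2222'

# Count connections per address in column $1 (6 = peer, 5 = local) of ss
# output read from stdin. Prints "count address", highest count first.
# `cut -d: -f1` breaks on IPv6 (it yields "[fd42"); instead strip only the
# final :port, then the brackets and any %iface scope suffix.
addr_counts() {
  local field="${1:-6}"
  awk -v f="$field" '
    NR > 1 {                                 # skip the header line
      a = $f
      sub(/:[^:]*$/, "", a)                  # drop trailing :port (or :*)
      gsub(/\[/, "", a); gsub(/\]/, "", a)   # drop IPv6 brackets
      sub(/%.*$/, "", a)                     # drop %iface scope id
      if (a != "" && a != "*") c[a]++
    }
    END { for (k in c) print c[k], k }' | sort -rn
}

# Peer addresses holding more than $1 connections, one per line, busiest first.
peers_over() {
  addr_counts 6 | awk -v lim="$1" '$1 > lim { print $2 }'
}

# Live use: ss -ntu | peers_over 100
printf '%s\n' "$SAMPLE_SS" | addr_counts 6
printf '%s\n' "$SAMPLE_SS" | peers_over 1
```

`addr_counts 5` gives the same breakdown by local address, which is what the page's `awk '{print $5}'` pipelines actually count on `ss -ntu` output; the number of lines `addr_counts 6` prints is the distinct-peer figure the "Check if a server is under a DoS attack" command is after.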
NOTE: If a specific IP has far too many connections to the server, it is almost certainly a DoS host, so the suggestion is to filter this IP.
Null-route a host so that packets to it can no longer be routed from the server
ip route add blackhole 123.123.123.123
or
route add -host 123.123.123.123 reject
The above command null-routes the IP 123.123.123.123 on my server.
To check that the route for this IP is now a blackhole:
ip route |grep -i 123.123.123.123
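Wrapping the null-route step in a small function makes the two things that go wrong in practice visible: a malformed address (a stray trailing dot, an octet over 255) is rejected before `ip route` is called, and the route is read back after it is added. This is an added example, not from the original page; the function names and the `DRY_RUN` switch (which prints the commands instead of running them, so the example runs without root) are assumptions of this example.

```shell
# Added example, not from the original page: validate the address before
# null-routing it, then confirm the blackhole route is present.

# Exit 0 if $1 is a dotted-quad IPv4 address with four octets of 0..255.
# Catches the trailing-dot typo (123.123.123.123.) that `ip route add` rejects.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Null-route host $1 and read the route back. Needs root for the real
# commands; with DRY_RUN=1 (an assumption of this example) it prints them.
blackhole_ip() {
  local ip="$1"
  valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "ip route add blackhole $ip"
    echo "ip route show | grep -F 'blackhole $ip'"
    return 0
  fi
  ip route add blackhole "$ip" && ip route show | grep -F "blackhole $ip"
}

# Live use (as root): blackhole_ip 123.123.123.123
DRY_RUN=1 blackhole_ip 123.123.123.123
```

The verification `grep` is the same check as `ip route | grep -i 123.123.123.123` above, narrowed to the `blackhole` keyword so an unrelated route to that address does not pass as a null route.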
Useful commands
1. tcpdump -i igb1 -nnn -c 10 dst port 80 host
This is a FreeBSD command, where "igb1" is the network interface name.
2. time tcpdump -i igb1 -nnn -c 1000 dst port 80 host 192.168.0.5 | tail
3. tail -1000 /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -b -k1 -n | tail
4. netstat -n | awk '{ print $5 }' | cut -d ":" -f 1 | grep "[1-9]" | sort | uniq -c | sort -n
5. awk '{print $5}' /proc/net/ip_conntrack|sort |uniq -c |sort -rn |head -25 | column -t
6. netstat -nt | grep :80 | wc -l
7. tcpdump -A -s 500 dst 192.168.1.14 | grep -i refer
8. tcpdump -i eth0 -vvv -nn -s 1700 -w ddos
tcpdump -nn -vv -r ddos | awk '{print $18}' | awk -F\. '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -rn | head -25
9. /usr/local/apache/bin/apachectl fullstatus