How to verify a DDoS attack with the netstat command on the Linux terminal


A slow server can have many causes, from bad configuration, runaway scripts and dodgy hardware, but sometimes it is because someone is flooding your server with traffic, known as a DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack.

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. These attacks generally target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. DoS attacks are carried out either by forcing the targeted computer to reset, by consuming its resources so that it can no longer provide its services, or by obstructing the communication media between the users and the victim so that they can no longer communicate adequately.

In this short article you will see how to check whether your server is under attack from the Linux terminal with the netstat command.




From the netstat man page: "netstat – Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships".

Some examples, with explanations

netstat -na

This displays all active Internet connections to the server; only established connections are included.

netstat -an | grep :80 | sort

Show only the active Internet connections to the server on port 80 (the HTTP port, so this is useful if you run a web server) and sort the results. This helps in detecting a single-source flood, because many connections from one IP stand out.

netstat -n -p | grep SYN_REC | wc -l

This command is useful for finding out how many connections are in the SYN_RECV state on the server (the pattern SYN_REC matches that state). The number should be pretty low, preferably less than 5. During DoS attacks or mail bombs the number can jump quite high. However, the value always depends on the system, so a high value may be normal on another server.

netstat -n -p | grep SYN_REC | sort -u

List all the IP addresses involved instead of just a count.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}' | sort -u

List the unique IP addresses of the nodes whose connections are in the SYN_REC state (the trailing sort -u removes duplicates).

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Use netstat to count the number of connections each IP address has to the server.

netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

List the number of connections each IP has to the server over TCP or UDP. Note that grep -E is required here: in plain grep the | in the pattern is a literal character, so the filter would match nothing.

netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

Check only ESTABLISHED connections instead of all connections, and display the connection count for each IP.

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk1

Show each IP address that connects to port 80 on the server, with its connection count. Port 80 is used mainly for HTTP web page requests.

How to mitigate a DoS attack

Once you have found the IPs that are attacking your server, you can use the following command to block their connections to your server:

iptables -I INPUT 1 -s $IPADDRESS -j DROP

Replace $IPADDRESS with the IP address you found with netstat. The rule is inserted at position 1 of the INPUT chain with -I (the -A option appends and does not accept a rule number); use -j REJECT instead of -j DROP if you want the sender to receive a refusal instead of having its packets silently dropped.
After running the above command, kill all httpd processes to clean your system and then restart the httpd service with the following commands:

killall -KILL httpd

service httpd start            # For Red Hat systems
/etc/init.d/apache2 restart    # For Debian systems
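As an added example (not code from the original article), the script below runs the counting pipelines from the previous section over constructed sample netstat output, flags remote IPs at or above a connection threshold, and prints the corresponding iptables rule for an operator to review; the function names and the sample data are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: run the article's
# netstat pipelines over constructed sample output, flag remote IPs above
# a connection threshold, and print (not apply) the matching iptables rule.
# Function names and the SAMPLE_NETSTAT data below are this example's own.

# Constructed sample of "netstat -ntu"-style output (documentation IPs).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51237      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.4:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:40002       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Half-open connections: the article's "grep SYN_REC | wc -l" check.
count_syn_recv() {
  grep -c 'SYN_RECV'
}

# Connections per remote IP, as in "netstat -ntu | awk '{print $5}' | ...",
# reading stdin and skipping the two header lines and wildcard peers ("*").
count_by_ip() {
  awk 'NR > 2 && $5 !~ /\*$/ {print $5}' \
    | cut -d: -f1 | sort | uniq -c | sort -n
}

# Remote IPs whose connection count is at least the threshold given in $1.
flag_sources() {
  count_by_ip | awk -v t="$1" '$1 + 0 >= t + 0 {print $2}'
}

# Print the block rule for each flagged IP so an operator can review it
# before touching the firewall (use -j REJECT instead of DROP if preferred).
suggest_rules() {
  flag_sources "$1" | while read -r ip; do
    echo "iptables -I INPUT 1 -s $ip -j DROP"
  done
}

# Stand-alone run over the sample; with live data use: netstat -ntu | count_by_ip
echo "half-open: $(echo "$SAMPLE_NETSTAT" | count_syn_recv)"
echo "$SAMPLE_NETSTAT" | count_by_ip
echo "$SAMPLE_NETSTAT" | suggest_rules 3
```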




