Try to detect a DOS attack


Posted By: pmietlicki

Published to Linux on Jun 04, 2015

Connect to the server as root, then list the remote IP addresses with the most connections:

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Check the number of active connections to the web server (port 80):

netstat -n | grep :80 | wc -l

A large number of connections (more than 500, but the threshold depends on the site) is a bad sign. Then count the half-open connections:

netstat -n | grep :80 | grep SYN | wc -l

If this command shows a big number (more than 100, but again it depends on the site), you could be under a SYN attack.
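The following script is an added example (it is not part of the original post) that implements the same checks on netstat-style output: connections per remote IP, total connections on a port, SYN_RECV count on that port, and a per-IP threshold check. It reads constructed sample netstat lines so it runs offline; on a live server, pipe the output of netstat -ant into the functions instead of SAMPLE. The thresholds are assumptions and are set low only so the sample trips them.

```shell
#!/bin/sh
# Added example: summarise "netstat -n" output the way the commands above do.
# SAMPLE is constructed data (RFC 5737 documentation addresses), not a capture
# from a real server.
SAMPLE=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.20:44000     ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.9:60001         ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.20:44001     TIME_WAIT
udp        0      0 10.0.0.5:123            192.0.2.10:123          ESTABLISHED
EOF
)

# Connections per remote IP, busiest first. Only tcp/udp rows count, and the
# port is removed by stripping everything after the LAST ':' so that an IPv6
# foreign address is not cut in half the way "cut -d: -f1" would.
count_per_ip() {
    awk '$1 ~ /^(tcp|udp)/ { a = $5; sub(/:[^:]*$/, "", a); c[a]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Number of connections on a given local port (default 80), in any state.
count_port() {
    port=${1:-80}
    awk -v p=":$port\$" '$1 ~ /^(tcp|udp)/ && $4 ~ p' | wc -l | tr -d ' '
}

# Half-open connections on that port. Many SYN_RECV entries from few sources
# is the SYN-flood signal the post describes.
count_syn() {
    port=${1:-80}
    awk -v p=":$port\$" '$1 ~ /^tcp/ && $4 ~ p && $6 == "SYN_RECV"' | wc -l | tr -d ' '
}

# Remote IPs with more connections than a threshold. The post's "more than
# 500" is site-dependent; the default here is that number, the caller may
# pass another.
top_talkers() {
    threshold=${1:-500}
    count_per_ip | awk -v t="$threshold" '$1 > t { print $2 " (" $1 " connections)" }'
}

# Run the checks against the constructed sample.
printf '%s\n' "$SAMPLE" | count_per_ip
echo "port 80 connections: $(printf '%s\n' "$SAMPLE" | count_port 80)"
echo "port 80 SYN_RECV:    $(printf '%s\n' "$SAMPLE" | count_syn 80)"
echo "over threshold:      $(printf '%s\n' "$SAMPLE" | top_talkers 2)"
```

On a real host the same functions are used as, for example, "netstat -ant | count_syn 80". Keep the per-IP list in mind when reading the numbers: a SYN count spread evenly over thousands of addresses points at a botnet, whereas one address at the top of the list is a candidate for the blocking commands below.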

Try to identify the IP address causing this and block it (replace IPADDRESS with the offending address):

route add -host IPADDRESS reject

Or :

iptables -I INPUT 1 -s IPADDRESS -j DROP
service iptables save
service iptables restart

Use -I (insert at position 1) rather than -A, which only appends and does not take a rule number; use -j REJECT instead of DROP if you prefer to answer the source. Save before restarting: on RHEL/CentOS, the restart reloads the rules from /etc/sysconfig/iptables and would discard a rule that was not saved first.

Restart the web server (the command depends on your Linux distribution):

service httpd restart

It may not change much, though, because attackers typically use botnets and therefore many different IP addresses. In that case, consider blocking access from certain countries.

Other useful commands:

http://www.commandlinefu.com/commands/using/netstat

Source:

https://kb.hivelocity.net/how-to-check-if-your-linux-server-is-under-ddos-attack/

See the Apache memory footprint with ps_mem:

https://raw.github.com/pixelb/ps_mem/master/ps_mem.py

Tags: Apache, DOS
