Are you under a DoS or DDoS attack ? Find out with netstat !

Blog Clients

You are here: Home / Blog / Security / Are you under a DoS or DDoS attack ? Find out with netstat !

Are you under a DoS or DDoS attack ? Find out Home with netstat !
Services 28 Nov 2011/4 Comments/in Security /by Admin Your server appearing pretty slow could be many things from wrong configs, scripts and dodgy hardware Support but sometimes it could be because someone is flooding your server with traffic known as DoS ( Denial of Service ) or DDoS ( Distributed Denial of Service ) it could also be that your server itself is part of a botnetContact and is being used to attack other networks, in this case its always a good idea to run scans with software such as ClamAV and RootKit Hunter as a precaution or even higher a professional to check it out for you if your not confident enough to do it on your own. About Furthermore whenever a client connects to a server via network, a connection is established and opened on the system. On a busy high load server, the number of connections connected to the server can be run into large amount till hundreds if not thousands. Find out and get a list of connections on the server by each node, client or IP address is useful for system scaling planning, and in most cases, detect and determine whether a web server is under DoS or DDoS attack

Take a look at these handy netstat commands below that will surely help you determine wether your under attack or are part of an attack.
netstat -na

Display all active Internet connections to the server and only established connections are included.
netstat -an | grep :80 | sort

Show only active Internet connections to the server on port 80 and sort the results. Useful in detecting a single flood by allowing you to recognize many connections coming from one IP.
netstat -n -p|grep SYN_REC | wc -l

1 of 4

Are you under a DoS or DDoS attack ? Find out with netstat !

To find out how many active SYNC_REC are occurring on the server. The number should be pretty low, preferably less than 5. On DoS attack incidents or mail bombs, the number can jump to pretty high. However, the value always depends on system, so a high value may be average on another server.
netstat -n -p | grep SYN_REC | sort -u

List all IP addresses involved.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

List all the unique IP addresses of the nodes that are sending SYN_REC connection status.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Use netstat command to calculate and count the number of connections each IP address makes to the server.
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

List the number of connections the IPs are making to the server using TCP or UDP protocol.
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

Check on ESTABLISHED connections instead of all connections, and display the number of connections for each IP.
netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

Show a list IP addresss and its number of connections that are connecting to port 80 on the server. Port 80 is used mainly by the HTTP protocol. Tags: DDoS, DoS, Netstat 4 replies

1. mkhuda says: May 7, 2013 at 3:17 PM my website is run very slowly at sometimes. . i think its ddos or maybe server maintenance. . Reply

2. thokling says: November 18, 2013 at 7:49 AM If your Website is running slow and you have shell access, run top. The first line contains the load average of the system: each 1.00 means a full CPU worth of processing power is being used. If that appears untoward, then the regularly-updating list of processes underneath the highlighted bar can help. %CPU is the important field: 100% means its using a full CPU worth of processing power. If any process is hogging the CPU for an undesired amount of time, research ways to reduce the CPU footprint of that process. Either its not configured properly, it needs to be replaced, or the

2 of 4

Are you under a DoS or DDoS attack ? Find out with netstat !

VM sharing system of the host is not that efficient. Reply

3. Anon says: November 22, 2013 at 4:14 AM Most of these do not work on my machine. Running Windows 7 Ultimate. Reply

4. Hasan Demir says: January 8, 2014 at 1:40 PM I needed it Reply

Leave a Reply
Want to join the discussion? Feel free to contribute!

Leave a Reply
Your email address will not be published. Required fields are marked * Name * Email * Website

Comment You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym
title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

SECURITY

3 of 4

Are you under a DoS or DDoS attack ? Find out with netstat !

BUSINESS HOURS
Our support desk is available 24 hours a day but replies on weekends may take longer than normal - you can also contact us on the following number during business hours: 0141 416 7912 Monday-Friday: 24 Hours Saturday: 8am to 2pm Sunday: Limited

SafeSrv.net
We strive to provide the best services by focusing on support, security and reliability. You need not pay a high amount for premium support or services, we supply all the tools and services that you require to run your business safely, smoothly and efficiently. TwitterFollowersSubscribeto RSS Feed Copyright 2013 SafeSrv.net | All Rights Reserved Terms and Conditions AUP Privacy Policy VPN Service Adding reCaptcha To a Contact Form Page on WordPress on my server ? How do i block PHP shells from running

4 of 4