Introduction
If your server is running slowly, it could be due to various issues such as poorly written scripts. However, it might also be a result of someone flooding your server with traffic, known as a DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack. Additionally, your server itself could be part of a botnet, being used to attack other networks. To rule out that last case, it is wise to run scans with software such as ClamAV and Rootkit Hunter (rkhunter) as a precaution; the connection checks below cover the first two.
Whenever a client connects to a server via a network, a connection is established and maintained on the system. On a busy, high-load server, the number of active connections can reach hundreds or even thousands. Use the following netstat commands to get a list of connections on the server and to determine if your server is under attack or participating in one. Note that netstat (from net-tools) is deprecated on many current Linux distributions in favour of ss (from iproute2); ss -ntu gives the same data, but its columns are laid out differently, so the awk and cut field numbers below must be adjusted if you switch.
netstat -na
Displays all sockets (-a), including listening ones and every TCP state, with numeric addresses and ports (-n) so no reverse DNS lookups are performed. This is the broadest view; the commands below filter it down to what matters during an attack.
netstat -an | grep :80 | sort
Shows active Internet connections involving port 80 and sorts the results so that repeated foreign addresses line up, which makes a single-source flood easy to spot. Be aware that grep :80 also matches any port that starts with 80, such as 8080; use grep ':80 ' (with the trailing space) to match port 80 exactly.
netstat -n -p | grep SYN_RECV | wc -l
Counts the sockets in the SYN_RECV state, i.e. half-open connections for which the server has sent a SYN-ACK and is still waiting for the client's final ACK. On a healthy server this number is normally small (the usual rule of thumb is fewer than 5), and a sudden spike is the classic sign of a SYN flood; mail bombs produce the same symptom on port 25. What counts as high varies by system, since a busy web server legitimately holds more half-open connections than an idle one. Two caveats: -p only shows the owning process for sockets you own unless you run as root, and if SYN cookies are enabled (net.ipv4.tcp_syncookies) the kernel stops keeping state for half-open connections once the backlog fills, so this count can stay low even while a flood is in progress.
netstat -n -p | grep SYN_RECV | sort -u
Lists every SYN_RECV socket, sorted. Because each half-open connection has a different source port, sort -u removes almost nothing here; you still get one line per half-open connection, which is useful for seeing the source ports and which local service is being hit. The next command reduces this to unique source addresses.
netstat -n -p | grep SYN_RECV | awk '{print $5}' | awk -F: '{print $1}' | sort -u
Lists the unique IP addresses that currently have connections in SYN_RECV, by taking the foreign address (column 5), dropping the port and deduplicating with sort -u. Splitting on the first colon only works for IPv4: an IPv6 peer such as 2001:db8::1:54321 would be cut down to 2001. To handle both address families, strip only the trailing port, for example with sed 's/:[0-9]*$//' in place of awk -F: '{print $1}'. The same limitation applies to the cut -d: -f1 used in the commands that follow.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Counts how many connections each foreign IP address has to the server across all TCP and UDP sockets (-t -u), sorted ascending so the heaviest sources appear last. The two header lines that netstat prints also pass through the pipeline and show up as spurious entries such as "Address" and "Foreign"; ignore them, or drop them with grep -E '^(tcp|udp)' before the awk.
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Lists the number of connections each IP address is making to the server over TCP or UDP. Because -a is used, listening sockets are included as well; they appear with a foreign address of 0.0.0.0 or ::: and can be ignored. As with the earlier -p commands, run this as root if you want the owning PID and program name for every socket.
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
Counts only established connections (grep ESTAB) and displays the number per foreign IP address, sorted descending (-nr) so the addresses holding the most connections come first. This is the most useful view for a layer-7 flood, where the attacker completes the TCP handshake and the SYN_RECV count stays normal.
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
Shows a list of IP addresses and the number of connections each has to port 80 on the server, sorted by count. Port 80 is the default HTTP port; substitute :443 for HTTPS (and remember the :80 prefix caveat above).
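The pipelines above all share one weakness: cut -d: -f1 and awk -F: break on IPv6 addresses, and the netstat header lines leak into the counts. As an added example that is not part of the original page, the following POSIX shell functions implement the per-IP and per-state counting from the commands above in a way that handles both address families and skips the headers. The sample netstat output is constructed for the example (addresses from the RFC 5737/3849 documentation ranges, not captured from a real host); the function names conn_count, flag_flooders and state_total are my own, and the parser assumes netstat's column layout (foreign address in column 5, state in column 6), not that of ss.

```sh
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not a real capture). It mixes
# IPv4 and IPv6 peers, several TCP states, a UDP socket and the two header
# lines netstat always prints, so every parsing pitfall is exercised.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51236      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51237      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.7:40002      ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:33000     SYN_RECV
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:33001     SYN_RECV
tcp6       0      0 2001:db8::5:443         2001:db8:1::9:33002     ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.44:5353'

# conn_count [STATE]: read netstat -n output on stdin and print "count ip",
# highest count first. Only rows whose first column is a protocol name are
# used, which drops the header lines. The port is removed by stripping the
# trailing ":digits" rather than cutting at the first colon, so IPv6 peers
# such as 2001:db8:1::9 survive intact. With STATE given (e.g. SYN_RECV),
# only sockets in that state are counted.
conn_count() {
    awk -v st="$1" '
        $1 ~ /^(tcp|udp)6?$/ && (st == "" || $6 == st) {
            ip = $5
            sub(/:[0-9]+$/, "", ip)   # drop the port, keep the full address
            print ip
        }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'          # normalise uniq -c padding to "count ip"
}

# flag_flooders THRESHOLD [STATE]: "count ip" lines for peers holding more
# than THRESHOLD connections (in STATE, if given); candidates for a firewall
# drop or rate limit. The threshold is deliberately a parameter, since no
# single number fits every server.
flag_flooders() {
    conn_count "$2" | awk -v t="$1" '$1 > t'
}

# state_total STATE: how many sockets are in STATE, the scripted form of
#   netstat -n | grep SYN_RECV | wc -l
# but without matching the state string anywhere else on the line.
state_total() {
    awk -v st="$1" '$1 ~ /^(tcp|udp)6?$/ && $6 == st { n++ } END { print n + 0 }'
}

# Demonstration on the constructed sample. On a live host replace
#   printf '%s\n' "$SAMPLE_NETSTAT"
# with   netstat -ntu   (or   netstat -anp   for the -a variants above).
echo "connections per peer:"
printf '%s\n' "$SAMPLE_NETSTAT" | conn_count
echo "half-open (SYN_RECV) total: $(printf '%s\n' "$SAMPLE_NETSTAT" | state_total SYN_RECV)"
echo "peers over 2 connections:"
printf '%s\n' "$SAMPLE_NETSTAT" | flag_flooders 2
```

On the sample this reports 203.0.113.10 with 4 connections, 2001:db8:1::9 with 3, 198.51.100.7 with 2 and 192.0.2.44 with 1, a SYN_RECV total of 3, and flags the first two peers at a threshold of 2. The one-liners on the page would have reported the IPv6 peer as "2001" and added an "Address" and a "Foreign" entry from the headers.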