How to detect DDOS attacks

I will give examples of viewing the number of active compounds:

netstat -an | wc -l
netstat -anop
cat /proc/net/ip_conntrack | wc -l
netstat -anp | grep 'tcp\|udp' | cut -d: -f1| sort | uniq -c
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Examples of viewing connections per port, for example 80:

netstat -na | grep :80 | wc -l
netstat -na | grep :80 | grep syn
netstat -na | grep ":80\ " | grep syn
netstat -na | grep ":80\ " | grep SYN | wc -l
netstat -na | grep ":80\ " | grep SYN | sort -u | more
netstat -na | grep ":80\ " | grep SYN_RCVD
netstat -na | grep ":80\ " | sort | uniq -c | sort -nr | less

Definition of SYN attack:

netstat -n --tcp | grep SYN_RECV
netstat -n --tcp | grep SYN_RECV | wc -l

View the number of Apache2 processes:

ps aux | grep apache | wc -l

Apache2 status:

apachectl status

View the Apache2 logs /var/log/apache2/error.log, /var/log/apache2/access.log, …
View in logs the number of requests from ip addresses:

cat /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c

Which domain are the most frequently requested requests:

tcpdump -npi eth0 port domain

View network interface downloads:

sudo cat /proc/net/dev

View open ports:

netstat -na|grep LISTEN
nmap -r -v -O 127.0.0.1
Did my article help you? How about buying me a cup of coffee as an encouragement? Buy me a coffe.

Leave a comment

Leave a Reply