
How to identify that you're under a DDoS attack using the netstat command

How do you identify that you are under a DDoS attack? There can be several reasons why your server is slow or shows high CPU usage: a misconfiguration, badly written code or scripts, or undersized hardware. But sometimes the cause is an attack on your server or network: a DoS (Denial of Service) from a single source, or a DDoS (Distributed Denial of Service) from many sources at once.

What will be the countermeasures to prevent DDoS attacks?

There are two ways we can use to stop or mitigate the attack.

  • Load Balancing
  • Throttling

What is Load Balancing?

Load balancing here means spreading the incoming traffic over more capacity, so that no single server is overwhelmed. In practice that depends on your bandwidth provider being able to increase the bandwidth available to you during a DDoS attack, to absorb the extra traffic and prevent your servers from going down.

What is Throttling?

Max-min fair server-centric router throttling can be used to keep the server from going down. In this scheme the server asks upstream routers to rate-limit the traffic destined for it, so that what actually arrives stays within what the server can handle, with the limit shared fairly between the routers. Because the attack traffic is usually the bulk of the volume it is the part that gets cut back the most, but this is a rate limit, not a filter: on its own it does not tell legitimate user traffic apart from DDoS attack traffic.


There are many ways to identify that you are under a DDoS attack other than the netstat command.

For example, you can use Wireshark and watch for an abnormal rate of SYN packets.

For this tutorial we will use the netstat command. netstat itself exists on Linux, Windows and macOS, but the commands below use the Linux (net-tools) flags and Unix pipelines (grep, awk, sort, uniq), so run them in a Linux shell. On macOS the -p flag takes a protocol name rather than meaning "show PIDs", and on Windows you would need findstr or PowerShell in place of grep. On current Linux distributions netstat is deprecated and may not be installed by default; ss from iproute2 gives the same information (ss -ntu for the TCP/UDP connection list), although its columns are laid out slightly differently.

  • On Windows you need a command prompt (CMD) or PowerShell.
  • On Linux/macOS you need a terminal.

netstat command reference:

netstat -na

Displays all Internet sockets on the server. -a shows all sockets, including listening ones, not only established connections; -n prints numeric addresses and ports instead of resolving names, which keeps the output fast and avoids DNS lookups while you are under attack.

netstat -an | grep :80 | sort

Shows only the connections involving port 80, the HTTP port, which is useful if you run a web server, and sorts the result so that many connections from the same IP group together. This makes a single-source flood easy to spot. Note that the pattern :80 also matches ports such as 800 and 8080.

netstat -n -p | grep SYN_REC | wc -l

Counts the connections in SYN_RECV state, i.e. half-open connections where the server has answered with SYN-ACK and is still waiting for the client's ACK. The number should normally be low, preferably under 5. During a SYN flood or a mail bomb it can jump very high. The baseline depends on the system, though, so a value that is high on one server may be normal on another. The -p flag (show the owning PID/program) needs root to see other users' processes and is not required for the count.

netstat -n -p | grep SYN_REC | sort -u

Lists the SYN_RECV connections themselves (deduplicated) instead of just counting them, so you can see which addresses are involved.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}' | sort -u

Lists the unique IP addresses of the peers whose connections are sitting in SYN_RECV. Column 5 is the foreign address in address:port form; the second awk strips the port. Be aware that splitting on the first colon mangles IPv6 addresses, which contain colons themselves.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Counts how many connections each IP address has to the server, across all TCP and UDP sockets, lowest count first. The two header lines of the netstat output show up as stray entries with a count of 1 and can be ignored.

netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Counts the connections per IP address using the TCP or UDP protocol. grep needs -E (extended regular expressions) for the | alternation; without it the pattern matches the literal text "tcp|udp" and the pipeline prints nothing.

netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

Looks at ESTABLISHED connections only, instead of all connections, and shows the connection count for each IP, highest first.

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

Lists each IP address connected to port 80 on the server together with its connection count. Port 80 is used mainly by HTTP web page requests.
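The per-IP counting pipelines above share two weaknesses: cut -d: -f1 keeps only the text before the first colon, which turns an IPv6 peer such as 2001:db8::1:55000 into the meaningless token 2001, and the netstat header lines leak into the counts. The script below is an added example, not code from the original post; it does the same counting in a way that survives IPv6 and header lines, and flags peers above a threshold. The netstat output embedded in it is constructed for the example, and the function names (foreign_addrs, strip_port, count_by_src, flag_sources, top_source) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: count connections per
# source IP from netstat output in a way that survives IPv6 peers and the
# header lines, then flag the noisiest sources. Function names are assumed.

# Keep only socket lines (this skips the two header lines and any non-inet
# sections) and print the peer address, which is column 5 in netstat -ntu.
foreign_addrs() {
    awk '/^(tcp|udp)/ { print $5 }'
}

# Drop only the trailing ":port". The post's "cut -d: -f1" would reduce
# 2001:db8::1:55000 to "2001"; this keeps the whole IPv6 address. Also
# unwrap "[addr]" in case the input came from a tool that brackets IPv6.
strip_port() {
    sed -E 's/:[0-9]+$//; s/^\[(.*)\]$/\1/'
}

# Connections per peer IP, busiest first, as "<count> <ip>" lines.
count_by_src() {
    foreign_addrs | strip_port | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Peers with at least $1 connections (default 3 suits the sample; on a real
# web server pick a threshold well above the normal per-client count).
flag_sources() {
    thr="${1:-3}"
    count_by_src | awk -v t="$thr" '$1 >= t { print $2 }'
}

# The single busiest peer IP.
top_source() {
    count_by_src | head -n 1 | awk '{ print $2 }'
}

# Constructed netstat -ntu output (not captured from a real host).
# One client has four half-open SYN_RECV connections; an IPv6 peer is
# included to show that its address survives port stripping.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.10:80        203.0.113.7:51234       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.7:51235       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.7:51236       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.7:51237       SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.44:40001        ESTABLISHED
tcp        0      0 198.51.100.10:22        192.0.2.44:40002        ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::1:55000       ESTABLISHED
udp        0      0 198.51.100.10:53        192.0.2.99:5353         ESTABLISHED'

# Demo on the sample: the full per-IP table, then the peers over the threshold.
printf '%s\n' "$SAMPLE" | count_by_src
printf '%s\n' "$SAMPLE" | flag_sources 3
```

To use it on a live host, source the file in your shell (the file name is your choice) and run netstat -ntu | flag_sources 100, or netstat -ntu | count_by_src for the whole table.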


Using these commands you can identify the IP addresses the traffic is coming from. Keep in mind what that list can and cannot tell you: for an attack from one or a few hosts it is actionable, but a real distributed attack comes from thousands of sources, and SYN floods are usually sent with spoofed source addresses, so the IPs you see in SYN_RECV may belong to bystanders rather than attackers and blocking them one by one will not help. So how can we prevent it?

We have two options:

  • Load Balancing
  • Throttling

Load balancing only works if more capacity is actually available, and most of the time your host will not provide extra bandwidth on demand to absorb an attack, but it is worth asking. At best it keeps the site from crashing and buys you time to fix the underlying issue, whether that is a slow script, a memory leak, or an exposed server IP address.

How to protect your Server IP Address by Cloud-flare integration?

Cloudflare offers a free plan with a basic CDN and reverse proxy that is quite good. It speeds up page loads, takes some CPU load off your server by caching, and helps against DDoS attacks because your DNS points at Cloudflare's edge, so visitors (and attackers) connect there instead of to your real server IP address. I recommend everyone use Cloudflare to reduce DDoS exposure and save bandwidth. Two caveats: the protection only holds if the origin IP cannot be found some other way (old DNS records, outgoing mail headers, or services other than the website running on the same host), and your server's firewall should accept web traffic only from Cloudflare's published IP ranges, otherwise an attacker who learns the real IP simply bypasses the proxy.


Okay, now for the other option, throttling. The mitigation steps below are for Linux only.

How to mitigate a DDoS attack after you have identified it

Once you have identified the IP address the traffic is coming from, you can block it at the host firewall with iptables.

To do that:

iptables -I INPUT 1 -s $IPADDRESS -j DROP

Replace $IPADDRESS with an address you found with netstat. The rule is inserted at position 1 of the INPUT chain (-I takes a position; -A only appends, so the original form with a position number is rejected by iptables), which makes sure it is evaluated before any ACCEPT rule. DROP silently discards the packets; REJECT is the alternative, but it answers every packet with an error and so costs you bandwidth during a flood, which is why DROP is the better choice here. Rules added this way are lost at reboot unless you save them with your distribution's persistence mechanism. After firing the above command, kill all httpd worker processes, which still hold the attacker's open connections, and then restart the service using the following commands:

killall -KILL httpd
service httpd start          # For Red Hat systems
/etc/init.d/apache2 restart  # For Debian systems

On Debian the Apache processes are named apache2, not httpd, so use that name with killall there. On systemd-based distributions, systemctl restart httpd (Red Hat) or systemctl restart apache2 (Debian) does the same as the service commands.
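Once you have a list of count/IP lines, the shape the uniq -c pipelines earlier on this page produce, the blocking itself is worth scripting, because two things go wrong when it is done by hand under pressure: blocking your own admin or monitoring address, and inserting the same rule again on every run. The script below is an added example and not the post's own code; ALLOWLIST, the threshold, the function names (is_allowed, select_offenders, block_rules) and the sample counts are all constructed for illustration. It prints the iptables commands instead of executing them, using -C to test for an existing rule before inserting; pipe its output into sh as root to apply.

```shell
#!/bin/sh
# Added example, not code from the original post: turn "<count> <ip>" lines
# into iptables DROP rules with an allowlist and duplicate-rule protection.
# Names, addresses and the sample counts are constructed for illustration.

# Sources that must never be blocked, whatever their connection count:
# constructed values standing in for your own admin host and a monitoring box.
ALLOWLIST="198.51.100.5 192.0.2.44"

# Returns 0 (true) if $1 is in ALLOWLIST.
is_allowed() {
    for a in $ALLOWLIST; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Read "<count> <ip>" lines (as from sort | uniq -c | sort -rn) on stdin and
# print the IPs whose count is >= $1 and that are not allowlisted.
select_offenders() {
    thr="${1:-50}"
    while read -r cnt ip; do
        [ -n "$ip" ] || continue
        case "$cnt" in *[!0-9]*|"") continue ;; esac   # skip header/junk lines
        [ "$cnt" -ge "$thr" ] || continue
        is_allowed "$ip" && continue
        echo "$ip"
    done
}

# For each IP on stdin emit one shell line: check with -C whether the rule
# already exists and only then insert it at position 1 of INPUT (-I, not -A,
# so the DROP is evaluated before any ACCEPT rule).
block_rules() {
    while read -r ip; do
        printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT 1 -s %s -j DROP\n' "$ip" "$ip"
    done
}

# Constructed sample in the exact shape of "sort | uniq -c | sort -rn".
# 192.0.2.44 is busy but allowlisted; 192.0.2.99 is under the threshold.
COUNTS='    120 203.0.113.7
     95 192.0.2.44
     60 198.51.100.77
      3 192.0.2.99'

# Dry run: print the commands that would be executed. On a live host, feed
# real counts on stdin instead of $COUNTS and pipe the output into sh as root.
printf '%s\n' "$COUNTS" | select_offenders 50 | block_rules
```

The allowlist check runs before the threshold decision is acted on, so a noisy but trusted host never produces a rule, and because each emitted line runs iptables -C first, re-running the script after the next netstat snapshot adds rules only for new offenders.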

And you’re done! We saved you! 🙂

Noor Qureshi

Experienced Founder with a demonstrated history of working in the computer software industry. Skilled in Network Security and Information Security.
