How to use netstat to verify DDOS intrusion under Linux

2025-04-03 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article shows how to use netstat to verify a DDoS intrusion under Linux. The content is easy to follow, and the sections below walk through it step by step.

A Distributed Denial of Service (DDoS) attack combines multiple computers into an attack platform and uses malicious programs to launch attacks on one or more targets through remote connections. This consumes the target server's resources or network bandwidth, so that the server cannot provide its services normally.

Some examples and explanations

netstat -na

This command displays all active network connections.

netstat -an | grep :80 | sort

Show and sort the network connections on port 80. Port 80 is the HTTP port, so this can be used to monitor web services. If you see a large number of connections from the same IP address, you can conclude that it is a single-source traffic attack.

netstat -n -p | grep SYN_REC | wc -l

This command counts how many active SYN_REC connections there are on the current server (Linux netstat prints this state as SYN_RECV, which the pattern SYN_REC matches). Normally this value is very small, preferably less than 5. It is quite high during a DoS attack or a mail bomb. However, the value depends heavily on the system, and on some servers a high value is normal.

netstat -n -p | grep SYN_REC | sort -u

List all connected IP addresses.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

Lists the IP addresses of all nodes sending SYN_REC connections.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Use the netstat command to calculate the number of connections to the local machine for each host.

netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Lists the number of connections per IP address for all UDP or TCP connections to this machine.

netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

Check ESTABLISHED connections and list the number of connections per IP address.

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

List all IP addresses connected to port 80 of this machine and their number of connections. Port 80 is generally used to handle HTTP web page requests.
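The one-liners above also count netstat's two header lines and split IPv6 addresses at their first colon, so the following added example (not part of the original article) does the same per-address counting in awk while skipping headers and stripping only the trailing port. The function names count_by_ip, over_threshold and sample_netstat are hypothetical, and the sample output is constructed with documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the original article): per-address connection counts
# from `netstat -ntu` text, skipping header lines and handling IPv6 addresses.

# count_by_ip [STATE]: read netstat -ntu output on stdin, print "count address"
# lines, highest count first. STATE (e.g. SYN_RECV) optionally filters rows.
count_by_ip() {
    awk -v want="${1:-}" '
        $1 !~ /^(tcp|udp)/ { next }           # skip the two header lines
        want != "" && $6 != want { next }     # optional state filter
        {
            addr = $5
            sub(/:[^:]*$/, "", addr)          # drop only the trailing :port
            sub(/^::ffff:/, "", addr)         # IPv4-mapped IPv6 to plain IPv4
            n[addr]++
        }
        END { for (a in n) print n[a], a }
    ' | sort -k1,1nr -k2,2
}

# over_threshold N [STATE]: print addresses holding at least N connections.
over_threshold() {
    count_by_ip "${2:-}" | awk -v limit="$1" '$1 >= limit { print $2 }'
}

# Constructed sample in netstat -ntu layout (documentation address ranges).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51002       SYN_RECV
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:51003 SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40000      ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::99:40001      ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.7:5353
EOF
}

# Demo on the sample; on a live host use: netstat -ntu | count_by_ip SYN_RECV
sample_netstat | count_by_ip SYN_RECV
```
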

How to reduce DoS attacks

Once you have obtained the IP address of the attacking server, you can use the following command to deny all connections to this IP.

iptables -I INPUT 1 -s $IPADDRESS -j DROP

Note that you need to replace $IPADDRESS with the IP address whose connections should be rejected. The rule target can be either DROP or REJECT.

After executing the above command, use the following command to end all httpd connections to clean up the system.

killall -KILL httpd

Then execute the following command to restart the httpd service.

service httpd start             # RedHat systems
/etc/init.d/apache2 restart     # Debian systems

That is all of the article "How to use netstat to verify DDOS intrusion under Linux". Thank you for reading!
