How to check DDOS attack with command-line on Linux

Your server appearing pretty slow could be many things from wrong configs, scripts, and dodgy hardware – but sometimes it could be because someone is flooding your server with traffic known as DoS (Denial of Service) or DDoS (Distributed Denial of Service).

A denial-of-service attack (DoS attack) or Distributed Denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. This attack generally target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. DoS attacks are implemented by either forcing the targeted computer to reset or consuming its resources so that it can no longer provide its services or obstructs the communication media between the users and the victim so that they can no longer communicate adequately.

In this article, you’ll see how to check if your server is under ddos attack from the Linux terminal with the netstat command.

netstat – Print network connections, routing tables, interface statistics, masquerade connec‐
tions, and multicast memberships

  • netstat -na
    This command displays all active Internet connections to the server and only established connections are included.
  • netstat -an | grep :80 | sort
    Show only active Internet connections to the server on port 80, this is the http port and so it’s useful if you have a web server, and sort the results. Useful in detecting a single flood by allowing you to recognize many connections coming from one IP.
  • netstat -n | grep :80 | grep SYN_RECV|wc -l
    This command is useful to find out how many active SYNC_REC are occurring on the server. The number should be pretty low, preferably less than 5. On DoS attack incidents or mail bombs, the number can jump to pretty high. However, the value always depends on the system, so a high value may be average on another server.
  • netstat -n -p | grep SYN_REC | awk ‘{print $5}’ | awk -F: ‘{print $1}’
    List all the unique IP addresses of the node that are sending SYN_REC connection status.

     

  • netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n
    Use the netstat command to calculate and count the number of connections each IP address makes to the server.

     

  • netstat -anp |grep ‘tcp|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n
    List count of the number of connections the IPs are connected to the server using TCP or UDP protocol.

     

  • netstat -ntu | grep ESTAB | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -nr
    Check on ESTABLISHED connections instead of all connections, and displays the connections count for each IP.

     

  • netstat -plan|grep :80|awk {‘print $5’}|cut -d: -f 1|sort|uniq -c|sort -nk 1
    Show and list IP address and its connection count that connect to port 80 on the server. Port 80 is used mainly by the HTTP web page request.