Differences

This shows you the differences between two versions of the page.

--- ubuntu:network:finding_ddos_attacks [2021/01/08 12:14] – [Identify the attacker] peter
+++ ubuntu:network:finding_ddos_attacks [2021/01/08 12:31] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== Ubuntu - Network - Finding DDOS attacks ======
-Some useful commands to check during DDOS attack.
-----
-===== List the connections to the target IPs =====
-<code bash>
-netstat -alpn | grep :80 | awk '{print $4}' |awk -F: '{print $(NF-1)}' |sort |uniq -c | sort -n
-</code>
-----
-===== List connections from source IPs =====
-<code bash>
-netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort |uniq -c | sort -n
-</code>
-----
-===== See the state of each connection =====
-<code bash>
-netstat -an|grep ":80"|awk '/tcp/ {print $6}'|sort| uniq -c
-</code>
-----
-===== Identify the attacker =====
-<code bash>
-tcpdump -c -n -i eth0 -p host IP_Address
-</code>
-Check the Output of ifconfig.
-For Example:
-<code bash>
-tcpdump -c 100 -i br0 -p host 5.42.134.35
-</code>
-----
-===== Check if a server is under a DoS attack =====
-<code bash>
-netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n|wc -l
-</code>
-If the output of below command returns a result like 2000 or 3000 connections!, then obviously it’s very likely the server is under a DoS attack.
-----
-===== Detect a SYN flood =====
-<code bash>
-netstat -nap | grep SYN | wc -l
-</code>
-If the output returns a value of 1032,1032 SYNs per second is quite a high number and except if the server is not serving let’s say 5000 user requests per second, therefore as the above output reveals it’s very likely the server is under attack, if however I get results like 100/200 SYNs, then obviously there is no SYN flood targeting.
-----
-===== Check for a UDP Denial of Service =====
-<code bash>
-netstat -nap | grep 'udp' | awk '{print $5}' | cut -d: -f1 | sort |uniq -c |sort -n
-</code>
-The above command will list information concerning possible UDP DoS.
-The command can easily be accustomed also to check for both possible TCP and UDP denial of service, like so :
-<code bash>
-netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
-</code>
-You can see the output as :
-<code>
-109.161.198.86
-112.197.147.216
-212.10.160.148
-201.13.27.137
-91.121.85.220
-</code>
-If after getting an IP that has too many connections to the server and is almost certainly a DoS host you would like to filter this IP.
-----
-===== Remove hosts to not be able to route packets to the server =====
-<code bash>
-route add 110.92.0.55 reject
-</code>
-The above command would null route the access of IP 110.92.0.55 to my server.
-Later on to look up for a null routed IP to my host, I use:
-<code bash>
-route -n |grep -i 110.92.0.55
-</code>
-----
-===== Useful commands =====
-. tcpdump -i igb1 -nnn -c 10 dst port 80 host
-This is for freebsd cmd where "igb1" is the netwok interface name
-. time tcpdump -i igb1 -nnn -c 1000 dst port 80 host 192.168.0.5 | tail
-. tail -1000 /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -b -k1 -n | tail
-. netstat -n | awk '{ print $5 }' | cut -d ":" -f 1 | grep "[1-9]" | sort | uniq -c | sort -n
-. awk '{print $5}' /proc/net/ip_conntrack|sort |uniq -c |sort -rn |head -25 | column -t
-. netstat -nt | grep :80 | wc -l
-. tcpdump -A dst 192.168.1.14 -s 500 | grep -i refer
-. tcpdump -i eth0 -vvv -nn -s 1700 -w ddos
-tcpdump -nn -vv -r ddos | awk '{print $18}' | awk -F\. '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -rn | head -25
-. /usr/local/apache/bin/apachectl fullstatus