====== Ubuntu - Networking - Finding DDOS attacks ======
Some useful commands to run during a DDoS attack.
**NOTE:** The **netstat** command has been superseded by the **ss** command.
But if your system is old and **ss** does not work, simply use **netstat** in place of **ss**.
Be aware that the two tools do not print the same columns: **ss** shows State in field 2, Local Address:Port in field 5 and Peer Address:Port in field 6, whereas **netstat** shows Local Address in field 4, Foreign Address in field 5 and State in field 6, so the **awk** field numbers in the pipelines below must be adjusted when swapping one tool for the other.
----
===== List the connections to the target IPs =====
ss -alpn | grep :80 | awk '{print $5}' | awk -F: '{print $(NF-1)}' | sort | uniq -c | sort -n
returns:
<count> <local address>  (one line per local address that port 80 is bound to or has connections on)
----
===== List connections from source IPs =====
netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort |uniq -c | sort -n
returns:
1
1 0.0.0.0
1 123.123.123.123
1 234.234.234.234
----
===== See the state of each connection =====
ss -an | grep ":80" | awk '/tcp/ {print $2}' | sort | uniq -c
returns:
<count> <state>  (one line per TCP state, such as LISTEN, ESTAB, SYN-RECV or TIME-WAIT)
----
===== Identify the attacker =====
tcpdump -c 100 -n -i eth0 -p host IP_Address
(**-c** needs a packet count; with 100 the capture stops after 100 packets)
returns:
tcpdump -c 100 -i br0 -p host 192.168.1.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:39:23.239478 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 829605160:829605348, ack 3653010571, win 62780, length 188
12:39:23.239694 IP peter.sharewiz.net.51864 > server1.sharewiz.net.ssh: Flags [.], ack 188, win 65535, length 0
12:39:23.240455 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 188:488, ack 1, win 62780, length 300
12:39:23.240518 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 488:652, ack 1, win 62780, length 164
12:39:23.240572 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 652:816, ack 1, win 62780, length 164
12:39:23.240645 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 816:980, ack 1, win 62780, length 164
12:39:23.240734 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 980:1144, ack 1, win 62780, length 164
12:39:23.240794 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 1144:1308, ack 1, win 62780, length 164
12:39:23.240821 IP peter.sharewiz.net.51864 > server1.sharewiz.net.ssh: Flags [.], ack 488, win 65535, length 0
12:39:23.240845 IP peter.sharewiz.net.51864 > server1.sharewiz.net.ssh: Flags [.], ack 652, win 65535, length 0
12:39:23.240853 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 1308:1472, ack 1, win 62780, length 164
12:39:23.240862 IP peter.sharewiz.net.51864 > server1.sharewiz.net.ssh: Flags [.], ack 816, win 65535, length 0
12:39:23.240870 IP peter.sharewiz.net.51864 > server1.sharewiz.net.ssh: Flags [.], ack 980, win 65535, length 0
12:39:23.240959 IP server1.sharewiz.net.ssh > peter.sharewiz.net.51864: Flags [P.], seq 1472:1732, ack 1, win 62780, length 260
...
----
===== Check if a server is under a DoS attack =====
ss -ntu | awk '{print $6}' | cut -d: -f1 | sort | uniq -c | sort -n | wc -l
returns:
2
**NOTE:** The figure is the number of distinct remote addresses that currently have a socket to the server (the header line adds one). If the output returns a result like 2000 or 3000, then it is very likely the server is under a DoS attack.
----
==== Colourful Output ====
ss -ntu | awk '{print $6}' | cut -d: -f1 -s | sort | uniq -c | sort -nk1 -r | while IFS= read -r line; do if [[ `echo $line | cut -d' ' -f 2` =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo -e "\033[0;31m$line\033[0m"; else echo -e "\033[0;34m$line\033[0m"; fi; done
returns:
21 192.168.1.69
4 127.0.0.1
2 [fd42
**NOTE:** IPv4 addresses are printed in red and anything else in blue. IPv6 peers come out truncated (like the **[fd42** above) because **cut -d:** splits at the first colon of the address.
----
===== Detect a SYN flood =====
ss -nap | grep SYN | wc -l
returns:
0
**NOTE:** If the output returns a high value, say over a thousand, this could mean the server is under attack.
This figure will vary with the usage of the server. A system may intentionally serve many thousands of users, so a high value here does not always mean there is a SYN flood attack.
----
===== Check for a UDP Denial of Service =====
ss -nap | grep 'udp' | awk '{print $5}' | cut -d: -f1 | sort |uniq -c |sort -n
returns:
1 0.0.0.0%virbr0
1 127.0.0.1
1 127.0.0.53%lo
2 0.0.0.0
2 172.17.255.255
2 192.168.0.255
2 192.168.123.255
2 192.168.1.255
3 172.17.0.1
3 192.168.0.2
4 192.168.123.1
13 192.168.1.2
**NOTE:** The above command lists the local address each UDP socket is bound to, prefixed by the number of sockets on it (the **%virbr0** and **%lo** suffixes are interface scopes). Use field 6 (**$6**) instead of **$5** to list the remote peer; bear in mind that UDP is connectionless, so unconnected sockets show `0.0.0.0:*` as their peer, and a UDP flood is better measured by packet rate with **tcpdump** or through the conntrack table (see the useful commands below).
The command can easily be adapted to check for both TCP and UDP denial of service at once, like so:
ss -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
returns:
1 *
1 0.0.0.0%virbr0
2 127.0.0.53%lo
2 172.17.255.255
2 192.168.0.255
2 192.168.123.255
2 192.168.1.255
4 172.17.0.1
4 192.168.0.2
5 [
5 192.168.123.1
9 127.0.0.1
12 0.0.0.0
23 192.168.1.2
**NOTE:** If a specific IP has far more connections to the server than any other, it is almost certainly a DoS host, so the suggestion is to filter that IP.
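Added example (not code from the original page): a small POSIX shell script that performs the TCP and UDP checks of the last few sections with the correct **ss** field positions (State in field 2, Peer Address:Port in field 6). It counts sockets per remote peer and per state, counts half-open SYN-RECV sockets, and lists peers above a threshold. It strips the port from both IPv4 and bracketed IPv6 peers, skips the header line and the listening or unconnected sockets whose peer is `0.0.0.0:*`, and runs here on a constructed `ss -ntu` sample (SAMPLE_SS) rather than a live socket table; the ALERT_THRESHOLD value is an assumption to be tuned to the server's normal load.

```shell
#!/bin/sh
# Added example, not code from the original page.
# Parses `ss -ntu`-style output using ss's real column layout:
#   $1 Netid  $2 State  $3 Recv-Q  $4 Send-Q  $5 Local Address:Port  $6 Peer Address:Port
# SAMPLE_SS is a constructed socket table standing in for a live `ss -ntu` run.
SAMPLE_SS='Netid State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   LISTEN    0      511    0.0.0.0:80           0.0.0.0:*
tcp   ESTAB     0      0      192.168.1.2:80       203.0.113.10:51000
tcp   ESTAB     0      0      192.168.1.2:80       203.0.113.10:51001
tcp   SYN-RECV  0      0      192.168.1.2:80       203.0.113.10:51002
tcp   SYN-RECV  0      0      192.168.1.2:80       203.0.113.10:51003
tcp   ESTAB     0      0      [2001:db8::2]:80     [2001:db8::99]:40000
tcp   TIME-WAIT 0      0      192.168.1.2:80       198.51.100.7:33000
udp   UNCONN    0      0      0.0.0.0:53           0.0.0.0:*'

# Assumed alert threshold (sockets held by one peer); tune it to the server's normal load.
ALERT_THRESHOLD="${ALERT_THRESHOLD:-50}"

# Remote IP of every connected socket, one per line: skip the header (NR>1) and
# sockets with no peer (0.0.0.0:* / [::]:* / *), then drop ":port" after the last
# colon and any IPv6 brackets, so IPv6 peers are not truncated at their first colon.
peer_ips() {
    awk 'NR > 1 && $6 != "*" && $6 !~ /:\*$/ {
            a = $6; sub(/:[^:]*$/, "", a); gsub(/\[|\]/, "", a); print a }'
}

# Sockets per remote IP, busiest first.
peers_by_count() { peer_ips | sort | uniq -c | sort -rn; }

# Sockets per state (ESTAB, SYN-RECV, TIME-WAIT, UNCONN, ...), most common first.
states_by_count() { awk 'NR > 1 { print $2 }' | sort | uniq -c | sort -rn; }

# Number of half-open connections; a large value is the classic SYN flood sign.
syn_recv_count() { awk 'NR > 1 && $2 == "SYN-RECV"' | wc -l | tr -d ' '; }

# Remote IPs holding at least $1 sockets: candidates for a null route or firewall drop.
peers_over() { peers_by_count | awk -v t="$1" '$1 >= t { print $2 }'; }

# Stand-alone demo on the constructed sample. On a live server pipe ss in instead:
#   ss -ntu | peers_by_count
echo "== sockets per remote IP =="
printf '%s\n' "$SAMPLE_SS" | peers_by_count
echo "== sockets per state =="
printf '%s\n' "$SAMPLE_SS" | states_by_count
echo "SYN-RECV (half-open): $(printf '%s\n' "$SAMPLE_SS" | syn_recv_count)"
echo "== peers at or above $ALERT_THRESHOLD sockets =="
printf '%s\n' "$SAMPLE_SS" | peers_over "$ALERT_THRESHOLD"
```

On the sample, peers_by_count reports 4 sockets for 203.0.113.10 and one each for 2001:db8::99 and 198.51.100.7, states_by_count shows 3 ESTAB and 2 SYN-RECV, and `ss -ntu | peers_over 50` on a real server prints only the addresses worth null-routing.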
----
===== Null-route hosts so that their packets cannot be routed back from the server =====
ip route add blackhole 123.123.123.123
or
route add -host 123.123.123.123 reject
The above command null-routes IP 123.123.123.123 so that it can no longer reach services on the server.
To check that the route for this IP is a null route:
ip route | grep -i 123.123.123.123
**NOTE:** A blackhole or reject route only discards the server's replies to that address: the attacker's packets still arrive on the interface and still use inbound bandwidth, but the TCP handshake can no longer complete, which is what stops the connection flood. With strict reverse path filtering (net.ipv4.conf.all.rp_filter=1) the kernel also drops the inbound packets early, because their source is no longer routable. To discard them on arrival regardless, add a DROP rule for the source address in the firewall (iptables or nftables) or have the provider block it upstream.
----
===== Useful commands =====
1. tcpdump -i igb1 -nnn -c 10 dst port 80 and host IP_Address
This is a FreeBSD example, where "igb1" is the network interface name (on Linux use the name shown by **ip link**, e.g. eth0). Filter primitives must be joined with **and**.
2. time tcpdump -i igb1 -nnn -c 1000 dst port 80 and host 192.168.0.5 | tail
3. tail -1000 /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -b -k1 -n | tail
4. netstat -n | awk '{ print $5 }' | cut -d ":" -f 1 | grep "[1-9]" | sort | uniq -c | sort -n
5. awk '{print $5}' /proc/net/ip_conntrack | sort | uniq -c | sort -rn | head -25 | column -t
Field 5 is the **src=** entry of TCP rows. On current kernels the file is /proc/net/nf_conntrack, whose rows carry two extra leading fields, so use **$7** there.
6. netstat -nt | grep :80 | wc -l
7. tcpdump -A -s 500 dst 192.168.1.14 | grep -i refer
(options such as **-s** must come before the filter expression)
8. tcpdump -i eth0 -vvv -nn -s 1700 -w ddos
tcpdump -nn -r ddos | awk '{print $3}' | awk -F. '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -rn | head -25
(in plain **-nn** output the source address.port is the third field; the second **awk** strips the port from IPv4 addresses)
9. /usr/local/apache/bin/apachectl fullstatus
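Added example (not code from the original page): a shell function set that extracts the top talkers from plain `tcpdump -nn` output, the analysis step of item 8 above. It takes the source address from the third field, strips the trailing `.port` for both IPv4 (`a.b.c.d.51000`) and IPv6 (`2001:db8::99.40000`) lines, ignores non-IP lines such as ARP, and separately counts which sources send bare SYNs. It runs here on a few constructed capture lines (SAMPLE_CAP) instead of a pcap file.

```shell
#!/bin/sh
# Added example, not code from the original page.
# SAMPLE_CAP is constructed `tcpdump -nn` output (what `tcpdump -nn -r ddos` prints).
SAMPLE_CAP='12:39:23.239478 IP 203.0.113.10.51000 > 192.168.1.2.80: Flags [S], seq 1, win 64240, length 0
12:39:23.240011 IP 203.0.113.10.51001 > 192.168.1.2.80: Flags [S], seq 1, win 64240, length 0
12:39:23.240512 IP 198.51.100.7.33000 > 192.168.1.2.80: Flags [.], ack 1, win 65535, length 0
12:39:23.241003 IP6 2001:db8::99.40000 > 2001:db8::2.80: Flags [S], seq 1, win 64240, length 0
12:39:23.241500 ARP, Request who-has 192.168.1.1 tell 192.168.1.2, length 28'

# Source address of each IP/IP6 line with the port removed: in -nn output field 2 is
# the protocol family and field 3 is "address.port". The port is whatever follows the
# last dot, which also works for IPv6 because tcpdump separates the port with a dot.
src_ips() {
    awk '$2 == "IP" || $2 == "IP6" { a = $3; sub(/\.[^.]*$/, "", a); print a }'
}

# Packets per source address, busiest first.
top_sources() { src_ips | sort | uniq -c | sort -rn; }

# Same, but only for bare SYNs (Flags [S]): the packets that make up a SYN flood.
syn_sources() {
    awk '($2 == "IP" || $2 == "IP6") && / Flags \[S\],/ {
            a = $3; sub(/\.[^.]*$/, "", a); print a }' | sort | uniq -c | sort -rn
}

# Stand-alone demo on the constructed lines. On a real capture use:
#   tcpdump -nn -r ddos | top_sources
echo "== packets per source =="
printf '%s\n' "$SAMPLE_CAP" | top_sources
echo "== SYN packets per source =="
printf '%s\n' "$SAMPLE_CAP" | syn_sources
```

On the sample, top_sources puts 203.0.113.10 first with 2 packets, and syn_sources lists 203.0.113.10 and 2001:db8::99 but not 198.51.100.7, whose only packet is an ACK.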