I have found a very interesting article on linuxaria about how to detect whether our server is under a DDoS (Distributed Denial of Service) attack, or what amounts to the same thing, a denial of service attack.
This type of attack is quite common and may be the reason why our servers are somewhat slow (although it can also be a Layer 8 problem), and it never hurts to be forewarned. To check, you can use the netstat tool, which lets us see network connections, routing tables, interface statistics and a number of other things.
NetStat Examples
netstat -na
This screen will include all active Internet connections on the server and only established connections.
netstat -an | grep :80 | sort
Shows only the active Internet connections to the server on port 80, the HTTP port, and sorts the results. Useful for detecting a single flood, since it makes many connections from the same IP address easy to recognise.
netstat -n -p | grep SYN_REC | wc -l
This command is useful to know how many connections in the SYN_REC state the server currently has. The number should be quite low, preferably less than 5. During denial of service attacks or mail bombs the number can be quite high. However, the value is always system dependent, so a high value may be normal on another server.
netstat -n -p | grep SYN_REC | sort -u
Lists all the IP addresses involved.
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
Lists all the unique IP addresses of the nodes that are sending connections in the SYN_REC state.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Uses netstat to count the number of connections each IP address makes to the server.
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Counts the connections per IP address made to the server over TCP or UDP.
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
Checks only the connections in the ESTABLISHED state instead of all connections, and shows the number of connections per IP.
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
Shows a list of IP addresses and the number of connections each one makes to port 80 on the server. Port 80 is used primarily by HTTP for web requests.
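The per-IP counting pipelines above, wrapped into reusable shell functions as an added example (not code from the linuxaria article): the functions read netstat -ntu style output on stdin, so they are run here against a constructed sample, and the threshold value is an assumption you would tune for your own server. Unlike cut -d: -f1, the sed step strips only the trailing :port, so IPv6 and IPv4-mapped addresses are not mangled.

```shell
#!/bin/sh
# Added example: count connections per remote IP from `netstat -ntu`-style
# output and flag addresses above a threshold. Reads from stdin so it can
# be exercised offline on the constructed sample at the bottom.

# Print "count ip" for every remote address, lowest count first (the same
# sort | uniq -c | sort -n pipeline as in the post). The sed removes only
# the final :port, so ::ffff:198.51.100.9:4242 becomes ::ffff:198.51.100.9.
conns_per_ip() {
    awk '$1 ~ /^(tcp|udp)/ {print $5}' \
    | sed 's/:[0-9]*$//' \
    | sort | uniq -c | sort -n
}

# Same count, restricted to TCP connections in the ESTABLISHED state.
established_per_ip() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {print $5}' \
    | sed 's/:[0-9]*$//' \
    | sort | uniq -c | sort -n
}

# Print only the IPs whose connection count exceeds $1 (assumed threshold).
flag_flooders() {
    threshold="$1"
    conns_per_ip | awk -v t="$threshold" '$1 > t {print $2}'
}

# Constructed sample of `netstat -ntu` output (RFC 5737 documentation
# addresses); one remote host holds four connections, the rest one or two.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:51000       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51003       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.4:40001      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.9:4242 ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.4:5353'

# On a live server: netstat -ntu | flag_flooders 50
printf '%s\n' "$SAMPLE_NETSTAT" | flag_flooders 3   # prints 203.0.113.7
```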
How to mitigate a DOS attack
Once you have found the IP address that is attacking the server, you can use the following command to block its connections to your server:
iptables -I INPUT 1 -s $IPADRESS -j DROP    # inserted as the first INPUT rule; use -j REJECT instead of DROP if you prefer
Note that you have to replace $IPADRESS with the IP address found with netstat.
After running the above command, kill all httpd processes to clean up the system, then start the service again with the following commands:
killall -KILL httpd
service httpd start    # For Red Hat systems
/etc/init.d/apache2 restart    # For Debian systems
Source: linuxaria
Mozilla is forced to add DRM to videos in Firefox
http://alt1040.com/2014/05/mozilla-drm-firefox
I know it has nothing to do with the post. But I would like to know what you think about this. The good thing is that it can be disabled.
Man, the forum is for debates.
You who are an iproute2 man, try 'ss' ...
I agree with Elav, the forum is for something ... I will not delete the comment but, please, make use of the spaces provided for each thing.
Instead of grep, use egrep:
netstat -anp | grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
by
netstat -anp | egrep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
This is going to be for a project that I am going to set up where there are many possibilities of being DDoS targets
Thank you very much for the information, lately the competition is heavy on the subject.