How do you know if you’re being attacked with Denial of Service?

Denial of Service attacks are difficult to mitigate because they generally consist of ordinary connections and ordinary traffic, only in overwhelming volume, until the server runs out of resources to answer requests and the service becomes unavailable.

One way to check whether there are too many connections, and where they come from, is the netstat command.

The simplest way is to list the connections with the netstat -an command:

$ netstat -an

Active Internet Connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:11211         127.0.0.1:51898         ESTABLISHED
tcp        0      0 127.0.0.1:11211         127.0.0.1:51570         ESTABLISHED
tcp        0      0 127.0.0.1:11211         127.0.0.1:53800         ESTABLISHED
tcp        0      0 127.0.0.1:53800         127.0.0.1:11211         ESTABLISHED
tcp        0      0 127.0.0.1:11211         127.0.0.1:52002         ESTABLISHED

But that is hard to count by hand, since the connections of a denial of service attack come and go quickly.

A more practical option, still using the netstat command, is:

$ netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

     34 127.0.0.1
      1 50.31.164.148
      1 50.31.164.147
      1 50.31.164.146
      1 35.155.143.94
      1 10.8.0.6

This command counts the established connections per source IP address, listing the busiest sources first.

You can also modify the command above to list, for example, only the connections on port 80:

$ netstat -lan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

      1 0.0.0.0
      1 169.254.169.254
      2 127.0.0.1
     64 149.56.180.254

In this example, the server is suffering a SYN flood from IP 149.56.180.254, with 64 half-open connections stuck in the SYN_RECV state, which can be confirmed with netstat:

netstat -an | grep 149.56.180.254

tcp        0      0 172.30.1.187:80         149.56.180.254:38165    SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:5557     SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:3605     SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:18728    SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:35138    SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:23965    SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:41358    SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:4263     SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:52759    SYN_RECV
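The two checks above (counting connections per source IP, then looking only at the SYN_RECV ones) can be turned into a small script that works on any netstat-style output. The following POSIX shell script is an added example, not code from the original post: the function names count_by_state and flag_sources are mine, the sample lines in SAMPLE_NETSTAT are constructed (addresses from documentation ranges, not the IPs seen in the post), and the threshold is a parameter you would tune for your own server.

```shell
#!/bin/sh
# Added example, not from the original post: count connections per source
# IP in a given state (ESTABLISHED, SYN_RECV, ...) from netstat-style
# output and flag the sources above a threshold. All addresses below are
# constructed samples.

# Constructed sample of `netstat -an` output: one source has several
# half-open connections to port 80, the others look like normal traffic.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 172.30.1.187:80         198.51.100.7:38165      SYN_RECV
tcp        0      0 172.30.1.187:80         198.51.100.7:5557       SYN_RECV
tcp        0      0 172.30.1.187:80         198.51.100.7:3605       SYN_RECV
tcp        0      0 172.30.1.187:80         203.0.113.9:41358       SYN_RECV
tcp        0      0 172.30.1.187:443        203.0.113.9:52759       ESTABLISHED
tcp        0      0 127.0.0.1:11211         127.0.0.1:51898         ESTABLISHED'

# count_by_state STATE: read netstat lines on stdin, keep only rows whose
# State column (field 6) equals STATE, and print "count ip" per foreign
# address, largest count first. Only the trailing ":port" is stripped from
# the foreign address, so IPv6 addresses (which contain colons) are
# counted correctly, unlike `cut -d: -f1`.
count_by_state() {
    awk -v state="$1" '
        $6 == state { ip = $5; sub(/:[^:]*$/, "", ip); n[ip]++ }
        END { for (ip in n) print n[ip], ip }' | sort -nr
}

# flag_sources STATE THRESHOLD: print the source IPs (one per line) that
# have at least THRESHOLD connections in STATE. Many SYN_RECV entries from
# one source is the SYN flood pattern shown in the post.
flag_sources() {
    count_by_state "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Demo on the constructed sample. On a live host, replace the printf with
# `netstat -an` (or `ss -tan`, whose column order differs, so the awk
# field numbers would need adjusting).
demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_by_state SYN_RECV
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_sources SYN_RECV 3
}

demo
```

On the sample, count_by_state SYN_RECV reports 3 half-open connections from 198.51.100.7 and 1 from 203.0.113.9, and flag_sources SYN_RECV 3 prints only 198.51.100.7. Running the script from cron or a monitoring hook and alerting on the flagged list gives an early warning before the connection table fills up.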

In this case, we can add an iptables rule to DROP all connections coming from this address:

# iptables -I INPUT -s 149.56.180.254 -j DROP

Running netstat again, we can see that the SYN connection requests are gone:

# netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

      1 0.0.0.0
      1 169.254.169.254
      2 127.0.0.1


Uirá Endy Ribeiro

Uirá Endy Ribeiro is a Software Developer and Cloud Computing Architect with a 23-year career. He has master's degrees in computer science and fifteen IT certifications and is the author of 11 books recognized in the IT world market. He is also Director at Universidade Salgado de Oliveira and Director of the Linux Professional Institute - LPI Director's Board.
