How do you know if you're being attacked with Denial of Service?
Denial of Service (DoS) attacks are hard to mitigate because they usually consist of ordinary connections and ordinary-looking traffic, only in overwhelming volume, until the server runs out of resources to answer requests and the service becomes unavailable.
One way to check whether there are too many connections, and where they come from, is the netstat command. (On current distributions netstat belongs to the deprecated net-tools package; ss, from iproute2, accepts similar options and shows the same information.)
The simplest approach is to list the connections with netstat -an:
$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:11211         127.0.0.1:51898         ESTABLISHED
tcp        0      0 127.0.0.1:11211         127.0.0.1:51570         ESTABLISHED
tcp        0      0 127.0.0.1:11211         127.0.0.1:53800         ESTABLISHED
tcp        0      0 127.0.0.1:53800         127.0.0.1:11211         ESTABLISHED
tcp        0      0 127.0.0.1:11211         127.0.0.1:52002         ESTABLISHED
Counting these by eye is not practical, though: during a denial of service attack connections come and go far too quickly.
A workable option, still with netstat, is to count them per source address:
$ netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
34 127.0.0.1
1 50.31.164.148
1 50.31.164.147
1 50.31.164.146
1 35.155.143.94
1 10.8.0.6
This command counts the established connections by source IP address: the fifth column of netstat output is the foreign address, and cut -d: -f1 strips the port from it. Note that the cut step is only correct for IPv4: an IPv6 foreign address contains colons itself and would be truncated to its first group.
You can also adapt the command above to list, for example, only the connections on port 80 (grep :80 matches any address that contains ":80", so on a server that also listens on ports such as 8080 those connections would be counted too):
$ netstat -lan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
1 0.0.0.0
1 169.254.169.254
2 127.0.0.1
64 149.56.180.254
In this example the server is under a SYN flood from IP 149.56.180.254: 64 connections are sitting half-open in the SYN_RECV state (the client sent a SYN, the server replied with SYN-ACK, and the final ACK never arrived), which can be confirmed with netstat:
$ netstat -an | grep 149.56.180.254
tcp        0      0 172.30.1.187:80         149.56.180.254:38165    SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:5557     SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:3605     SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:18728    SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:35138    SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:23965    SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:41358    SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:4263     SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:52759    SYN_RECV
In this case we can add an iptables rule to DROP all traffic coming from that address:
# iptables -I INPUT -s 149.56.180.254 -j DROP
Keep in mind that SYN floods frequently use spoofed source addresses, so blocking a single IP only helps when the source is real; on Linux, enabling SYN cookies (the net.ipv4.tcp_syncookies sysctl) lets the kernel keep accepting legitimate connections when the SYN backlog fills up.
Running netstat again we can see that the half-open SYN connections are gone:
# netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
1 0.0.0.0
1 169.254.169.254
2 127.0.0.1
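The whole procedure above (count connections per source address and state, then block the sources that stand out) as one script, added here as an example and not part of the original post. It reads a constructed netstat snapshot embedded in the script so it runs offline; on a real host feed it the output of netstat -antu or ss -antu instead. Unlike the one-liners above it strips the port with a regular expression, so IPv6 peers are counted correctly, and it only prints the iptables rules instead of running them, so they can be reviewed first. The function names count_by_source and drop_rules, the threshold of 3 and every address in the sample are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post): parse netstat output, count connections
# per source address and state, and print the iptables DROP rules for any source at or
# above a threshold. Input is a constructed netstat snapshot so the script runs offline;
# replace it with real `netstat -antu` (or `ss -antu`) output on a live host.

# Constructed sample in net-tools netstat layout: one SYN flood source on port 80,
# two local memcached clients, one IPv6 peer (which the "cut -d: -f1" trick would cut
# down to "2001"), plus a UDP socket and a listener that must be ignored.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 172.30.1.187:80         149.56.180.254:38165    SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:5557     SYN_RECV
tcp        0      0 172.30.1.187:80         149.56.180.254:3605     SYN_RECV
tcp        0      0 127.0.0.1:11211         127.0.0.1:51898         ESTABLISHED
tcp        0      0 127.0.0.1:11211         127.0.0.1:51570         ESTABLISHED
tcp        0      0 172.30.1.187:80         50.31.164.148:40112     ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::5:50001       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# count_by_source STATE [PORT]
#   Reads netstat lines on stdin, keeps TCP rows in STATE (optionally only rows whose
#   local port is PORT), strips the trailing ":port" from the foreign address so IPv6
#   peers stay whole, and prints "count address" sorted by count, highest first.
count_by_source() {
  awk -v st="$1" -v port="$2" '
    $1 !~ /^tcp6?$/ || $6 != st { next }          # TCP rows in the wanted state only
    port != "" && $4 !~ (":" port "$") { next }   # optional local-port filter (anchored)
    { peer = $5; sub(/:[0-9]+$/, "", peer); n[peer]++ }
    END { for (a in n) print n[a], a }' | sort -rn
}

# drop_rules THRESHOLD
#   Reads "count address" lines on stdin and prints (does not execute) a DROP rule for
#   every address with at least THRESHOLD connections; IPv6 peers get ip6tables.
drop_rules() {
  awk -v t="$1" '$1 >= t {
      print (index($2, ":") ? "ip6tables" : "iptables") " -I INPUT -s " $2 " -j DROP" }'
}

# Worked run: half-open connections to port 80, then rules for sources with 3 or more.
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_source SYN_RECV 80
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_source SYN_RECV 80 | drop_rules 3
```

Pick the threshold from what is normal for the host: on the page's server a single source with 64 half-open connections stood out against peers with one or two, but a busy NAT gateway or proxy legitimately opens many connections from one address, so review the printed rules before running them.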
Did you like this post? Discover the Iptables Firewall course and the Pfsense online training, from Linux Certification