Abril 11

Finding DDOS attacks

Below are some of the useful netstat commands to check during DDOS attack.

To list the connections to the target IPs (server’s IP’s) use the below command :

netstat -alpn | grep :80 | awk ‘{print $4}’ |awk -F: ‘{print $(NF-1)}’ |sort |uniq -c | sort -n

To list the connections from source IP’s use the below command:

netstat -alpn | grep :80 | awk ‘{print $5}’ |awk -F: ‘{print $(NF-1)}’ |sort |uniq -c | sort -n

To see the state of each connection and the value use the below command:

netstat -an|grep “:80″|awk ‘/tcp/ {print $6}’|sort| uniq -c

You can use tcpdump to identify the attacker too:

tcpdump -c -n -i eth”x” -p host IP_Address

where x can be 0 or 1,n=number(100 or 1000). If it is a VPS, it can be venet0 too. Check the Output of ifconfig.

To check if a server is under a DoS attack with netstat, it’s common to use:

netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n|wc -l

If the output of below command returns a result like 2000 or 3000 connections!, then obviously it’s very likely the server is under a DoS attack.

To detect a SYN flood with netstat :

netstat -nap | grep SYN | wc -l

If the output returns a value of 1032,1032 SYNs per second is quite a high number and except if the server is not serving let’s say 5000 user requests per second, therefore as the above output reveals it’s very likely the server is under attack, if however I get results like 100/200 SYNs, then obviously there is no SYN flood targetting

Checking if UDP Denial of Service is targetting the server :

netstat -nap | grep ‘udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort |uniq -c |sort -n

The above command will list information concerning possible UDP DoS.

The command can easily be accustomed also to check for both possible TCP and UDP denial of service, like so :

netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

You can see the output as :

104 109.161.198.86
115 112.197.147.216
129 212.10.160.148
227 201.13.27.137
3148 91.121.85.220

If after getting an IP that has too many connections to the server and is almost certainly a DoS host you would like to filter this IP.

Here is how I remove hosts to not be able to route packets to my server:

route add 110.92.0.55 reject

The above command would null route the access of IP 110.92.0.55 to my server.

Later on to look up for a null routed IP to my host, I use:

route -n |grep -i 110.92.0.55

useful commands:
1. tcpdump -i igb1 -nnn -c 10 dst port 80 host
this is for freebsd cmd where “igb1″ is the netwok interface name
2. time tcpdump -i igb1 -nnn -c 1000 dst port 80 host 192.168.0.5 | tail
3. tail -1000 /var/log/nginx_aceess.log | awk ‘{print $1}’ | sort | uniq -c | sort -b -k1 -n | tail
4. netstat -n | awk ‘{ print $5 }’ | cut -d “:” -f 1 | grep “[1-9]” | sort | uniq -c | sort -n

5. awk ‘{print $5}’ /proc/net/ip_conntrack|sort |uniq -c |sort -rn |head -25 | column -t

6. netstat -nt | grep :80 | wc -l

7. tcpdump -A dst 192.168.1.14 -s 500 | grep -i refer

8. tcpdump -i eth0 -vvv -nn -s 1700 -w ddos

 

     tcpdump -nn -vv -r ddos | awk ‘{print $18}’ | awk -F\. ‘{print $1″.”$2″.”$3″.”$4}’ | sort | uniq -c | sort -rn | head -25
9.~]# /usr/local/apache/bin/apachectl fullstatus
Category: SECURITY | Los comentarios están deshabilitados en Finding DDOS attacks