[Visible changes] Abnormal application behaviour

  1. While the network and devices are otherwise normal, the server suddenly disconnects, access is blocked, and users are dropped.
  2. The CPU or memory usage of the server rises.
  3. Outbound or inbound traffic increases significantly.
  4. Your business website or application suddenly receives a large number of visits from unknown sources.
  5. Logging in to the server fails or takes a long time.

If the above situation is found, congratulations! Your server may be under a DDoS attack…

Netstat and DDoS attacks

As mentioned above, DDoS attacks include flood attacks, CC attacks, and slow-rate attacks. For details, see DDoS Series-01: What is a DDoS attack?

Therefore, we first need to confirm the attack mode, so that we know what we are dealing with and can apply the right remedy.

Netstat displays the network status. The netstat command lets you see the network state of the entire Linux system, so we can use it for DDoS attack analysis.

1. Check open ports for a preliminary diagnosis

We can start by identifying which ports are currently open, to get a preliminary idea of what kind of attack it might be. There are many ways to view open ports:

  • Use the netstat -ano command to view all TCP and UDP ports that are open on the server. [Not recommended: the number of ports visible from the public network <= the number of ports actually open]
  • Use nmap or masscan to scan the ports from outside; masscan -p0-65535,U:0-65535 <your IP> --rate=10000 is recommended.
  • Ping your IP to check whether ICMP is enabled on the server.

Make a preliminary judgment based on which ports are open:

  • If only HTTP-related ports are open, it is more likely a connection-based DDoS attack or a DDoS attack at the web application layer;
  • If the ICMP protocol is enabled, an ICMP flood attack is possible;
  • If UDP port 53 is open, a DNS DDoS attack is possible;
  • Otherwise, it may be another type of DDoS attack…

2. Check DDoS attacks at the HTTP layer

Lists all IP addresses connected to port 80 on the local machine and the number of connections.

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

Use a port that was found open in the previous step; port 80 is used here as an example.


Displays all network connections on port 80, sorted by IP address.

netstat -an | grep :80 | sort

If you see a large number of connections to the same IP address, you can identify a single point of traffic attack.


Displays the current total number of connections on port 80 (a single value).

netstat -an | grep :80 | sort | wc -l


Check ESTABLISHED connections (that is, fully established TCP connections) and list the number of connections for each IP address.

netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

Count the number of connections from each IP address to the local machine.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

If a single IP has dozens, hundreds, or even thousands of connections, it may be a typical CC attack: one IP issues many malicious requests, consuming your bandwidth and resources.

If the number of connections per IP address is small but there are many IP addresses, and most of those connections are in the ESTABLISHED state, the attack may be a slow HTTP attack.


3. Check for other attack types

Lists the number of locally active SYN_RECV connections (a single value).

netstat -n -p | grep SYN_REC | wc -l

Normally this value is small, preferably less than 5. It becomes quite high during a DoS attack or mail bomb. However, the value is highly system dependent, and high values are normal on some servers.


Lists the locally active SYN_RECV connections.

netstat -n -p | grep SYN_REC | sort -u

Lists the IP addresses of all hosts whose connections are in the SYN_RECV state.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

Counts the connections per IP address for all TCP or UDP connections to this host.

netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

You can also use a network monitoring tool such as iptraf to view the current TCP, UDP, and ICMP traffic statistics on different ports. If a port has heavy traffic, analyze that port.
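As an added example (not code from the original article), the following script bundles the per-IP connection counts from section 2 and the SYN_RECV counts from section 3 into shell functions that run on netstat-style output. The SAMPLE variable is constructed to resemble the output of netstat -ntu on a web server; the function names and the threshold of 3 connections are the example's own choices. It also handles one case the page's pipelines miss: cut -d: -f1 truncates IPv6 peer addresses, so the example strips only the trailing port.

```shell
#!/bin/sh
# Added example: per-peer connection counting over netstat-style output.
# Pipe real output in with:  netstat -ntu | conns_per_ip
# SAMPLE is a constructed stand-in for `netstat -ntu` on a busy web server.

SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51236      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40000      ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:60001        SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.45:60002        SYN_RECV
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:40001     ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.99:50000        TIME_WAIT
udp        0      0 10.0.0.5:53             198.51.100.7:3333       ESTABLISHED'

# Print the peer address of every data line, stripping only the trailing
# ":port".  (cut -d: -f1 would reduce 2001:db8:1::9:40001 to "2001".)
peer_of() {
    awk '$1 ~ /^(tcp|udp)6?$/ { p = $5; sub(/:[0-9]+$/, "", p); print p }'
}

# "count ip" for each peer, busiest first.
conns_per_ip() {
    peer_of | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Same, restricted to one TCP state (ESTABLISHED, SYN_RECV, ...).
conns_per_ip_in_state() {
    awk -v st="$1" '$1 ~ /^tcp6?$/ && $6 == st' | conns_per_ip
}

# Peers holding at least $1 connections: the "one IP, many requests" CC pattern.
heavy_peers() {
    conns_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Number of distinct peers; many peers with few connections each hints at slow HTTP.
distinct_peers() {
    peer_of | sort -u | awk 'END { print NR }'
}

# Integer percentage of TCP connections that are ESTABLISHED.
established_share() {
    awk '$1 ~ /^tcp6?$/ { t++; if ($6 == "ESTABLISHED") e++ }
         END { print (t ? int(100 * e / t) : 0) }'
}

# Total half-open connections; the article expects this to stay below about 5.
syn_recv_total() {
    awk '$6 == "SYN_RECV" { c++ } END { print c + 0 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | conns_per_ip
printf 'peers with >= 3 connections: %s\n' "$(printf '%s\n' "$SAMPLE" | heavy_peers 3)"
printf 'distinct peers: %s  established: %s%%  SYN_RECV: %s\n' \
    "$(printf '%s\n' "$SAMPLE" | distinct_peers)" \
    "$(printf '%s\n' "$SAMPLE" | established_share)" \
    "$(printf '%s\n' "$SAMPLE" | syn_recv_total)"
```

On a live host, replace the printf of SAMPLE with netstat -ntu (or netstat -anp for the broader TCP/UDP view); the thresholds are only a starting point, since, as the article notes for SYN_RECV, the normal baseline differs from server to server.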


[DDoS series -03] Zhong Nanshan: Five ways to fight DDoS


Well, that's all for today's sharing.

If you like this article, please follow the public account "Open ape notes"; there will be continuous updates!