I am under a DDoS attack. I'm trying to locate the IP address that is making 1100+ connections; however, when running the following command, it shows 1100+ connections, but the IP address column is blank. By the way, I'm using CSF firewall to block connections.

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

This is what it returns. Notice the blank column next to "1157".

      1    xxx.xx.xx.xxx
      1    xx.xxx.xxx.xx
      2    xx.xxx.xxx.xxx
      2    xx.xx.xxx.xxx
      3    xx.xxx.xxx.xx
     63    xx.xxx.xxx.xxx
   1157

How can I find that missing IP address?

Thanks.

  • Unless your netstat is completely different from mine, you have 1157 *listening* (not connected) IPv6 sockets. These (shown as :::*) are the only ones that come out blank. Run `netstat -anp` by itself and pick a few lines that don't have any of those IP addresses you found, and show us what you're getting. – DerfK Jul 14 '11 at 18:51

1 Answer

netstat is returning connections like this:

udp 0 0 :::57817 :::*

which, if piped into `cut -d: -f1`, will return a blank line.

that said, and apologies if this seems condescending, how do you know that you're being DDoS'd?

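The answer above explains the blank line: `cut -d: -f1` takes everything before the *first* colon, which is empty for an IPv6 address such as `:::57817`. The fix is to strip the port after the *last* colon and to drop wildcard peers (`:::*`, `0.0.0.0:*`), which are listening or unbound sockets rather than connections. The script below is an added example, not code from the original question or answer; it runs the corrected pipeline over a constructed `netstat -an` sample (the addresses are RFC 5737/3849 documentation ranges, not real traffic) and additionally folds IPv4-mapped IPv6 peers (`::ffff:a.b.c.d`) onto their IPv4 form so one client is not counted twice. The function names `peer_counts` and `top_peer` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): count remote peers from
# `netstat -an`-style output without losing IPv6 addresses.
#
# Column 5 of netstat output is the Foreign Address ("addr:port").
#   - a peer ending in "*" is a listening/unbound socket, not a connection
#   - the port is whatever follows the LAST colon, so "::1:57817" -> "::1"
#   - "::ffff:203.0.113.7" is IPv4-mapped; fold it onto "203.0.113.7"

# Constructed sample of `netstat -an` output (not real data).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::5:80          2001:db8::beef:33000    ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:443     ::ffff:203.0.113.7:60000 ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 :::57817                :::*'

# peer_counts: read netstat lines on stdin, print "<count> <peer address>",
# busiest peer first. Never emits a blank address.
peer_counts() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }      # skip the header line
        $5 ~ /\*$/         { next }      # wildcard peer: listening/unbound socket
        {
            peer = $5
            sub(/:[^:]*$/, "", peer)     # drop the port after the LAST colon
            sub(/^::ffff:/, "", peer)    # IPv4-mapped IPv6 -> plain IPv4
            count[peer]++
        }
        END { for (p in count) printf "%d %s\n", count[p], p }
    ' | sort -rn
}

# top_peer: the single address with the most connections (the one the
# original one-liner lost as a blank line when it was IPv6).
top_peer() {
    peer_counts | head -n 1 | awk '{print $2}'
}

# Run with --demo to see the table for the sample. On a live host:
#   netstat -an | peer_counts
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | peer_counts
fi
```

On the sample this reports `4 203.0.113.7` first (three native IPv4 connections plus one IPv4-mapped one), then the two single-connection peers, and nothing for the listening sockets. If the top peer on a real host still turns out to be blank, the culprit is a line whose column 5 is not `addr:port` at all, so look at the raw `netstat -an` lines for it before blocking anything in CSF.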