1

I have a server, today load of my server over 20, i was found a command that detect alive connection to server for DDOS detection and reject IP.

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

and result of this command was:

  1 109.162.158.160
  1 109.162.192.55
  1 127.0.0.1
  1 206.217.193.220
  1 91.99.170.69
  2 66.197.219.236
  5 213.152.172.169
 32 0.0.0.0
583

583 connection without IP, how can i fix this problem? server load over 20

tnx for your help.

Akbar
  • 11
  • 1
  • 1
  • 2
  • 2
    When you say "how can I fix this promlem?" Do you mean, the problem of being DDoS'ed or for actively monitoring of it? – jwbensley Jun 30 '12 at 12:25

1 Answers1

7

It probably wasn't a dDOS attack with that small a level of connected IPs.

The final line represents the output from netstat -anp where there is no foreign address actually defined. If the port is not yet established, the port number is shown as an asterisk (*) - likely UDP ports.

There are a lot of handy one-liner netstat commands to evaluate connections

Show number of connections by state

netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n

Show all IPs connected

netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq

Show number of connections per IP

netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n

Referenced from Cyberciti

Ben Lessani
  • 5,174
  • 16
  • 37