Sunday, 29 January 2012

Few steps to be taken when you feel that the server is under DDOS attack:

Few steps to be taken when you feel that the server is under DDOS attack:
Step 1: Check the load using the command "w".

Step 2: Check which service is utilizing maximum CPU by "nice top".

Step 3: Check which IP address is taking maximum connection using the command:

netstat -anpl|grep :80|awk {'print $5'}|cut -d":" -f1|sort|uniq -c|sort -n


Note: 'print $5' indicates the IP address which are having connections from external.

Step 4: Check the IP address of the server having maximum connection using the command:

netstat -alpn | grep :80 | awk '{print $4}' | cut -d: -f1 |sort |uniq -c
or
## netstat -alpn | grep :80 | awk '{print $4}' |awk -F: '{print $(NF-1)}' |sort |uniq -c 


Note: 'print $4' indicates the IP address which is configured in the server.

Step 5: Then block the IP address using APF firewall "apf -d <IP address>" or using CSF firewall "csf -d <IP address

No comments: