
How to check if your Linux WebServer is under a DoS attack | Walking in Light with Christ - Faith, Computing, Diary


How to check if your Linux WebServer is under a DoS attack


There are a few commands I usually use to track whether my server is possibly under a Denial of Service (DoS) attack or a Distributed Denial of Service (DDoS). Sys admins who still have not experienced the terrible times of being under a DoS attack are happy people for sure.

1. How to Detect a TCP/IP Denial of Service Attack

These are the commands I use to find out whether a loaded Linux server is under a heavy DoS attack; one of the most essential ones is of course netstat. To check if a server is under a DoS attack with netstat, it's common to use:
linux:~# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n|wc -l

If the output of the above command returns a result like 2000 or 3000 connections, then it's very likely the server is under a DoS attack. To check all the IPs currently connected to the Apache webserver and get brief statistics on the number of times each IP is connected to my server, I use the command:
linux:~# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
    221 80.143.207.107
    233 145.53.103.70
    540 82.176.164.36

As you can see from the above command output, the IP 80.143.207.107 is either connected 221 times to the server or is in the state of connecting or disconnecting to the node. Another possible way to check whether a Linux or BSD server is under a Distributed DoS is with the list open files command, lsof. Here is how lsof can be used to list the approximate number of ESTABLISHED connections to port 80:
linux:~# lsof -i TCP:80

litespeed 241931 nobody 17u IPv4 18372655 TCP server.pc-freak.net:http (LISTEN)
litespeed 241931 nobody 25u IPv4 18372659 TCP 85.17.159.89:http (LISTEN)
litespeed 241931 nobody 30u IPv4 29149647 TCP server.pcfreak.net:http->83.101.6.41:54565 (ESTABLISHED)
litespeed 241931 nobody 33u IPv4 18372647 TCP 85.17.159.93:http (LISTEN)
litespeed 241931 nobody 34u IPv4 29137514 TCP server.pcfreak.net:http->83.101.6.41:50885 (ESTABLISHED)
litespeed 241931 nobody 35u IPv4 29137831 TCP server.pcfreak.net:http->83.101.6.41:52312 (ESTABLISHED)
litespeed 241931 nobody 37w IPv4 29132085 TCP server.pcfreak.net:http->83.101.6.41:50000 (ESTABLISHED)

Another way to get an approximate number of established connections to, let's say, an Apache or LiteSpeed webserver with lsof is:
linux:~# lsof -i TCP:80 |wc -l
2100

I find it handy to keep track of the above lsof command output every few seconds with GNU watch, like so:
linux:~# watch "lsof -i TCP:80"

2. How to Detect if a Linux server is under an ICMP SMURF attack

ICMP attacks are still heavily used, even though they are already old fashioned and there are plenty of other Denial of Service attack types. One of the quickest ways to find out whether a server is under an ICMP attack is through the command:
server:~# while :; do netstat -s| grep -i icmp | egrep 'received|sent' ; sleep 1; done
    120026 ICMP messages received
    1769507 ICMP messages sent
    120026 ICMP messages received
    1769507 ICMP messages sent
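
The counters printed by that loop are cumulative since boot, so what matters is how fast they grow. As an added example that is not from the original post, the following POSIX shell helper turns two "netstat -s" snapshots into a per-second ICMP rate and compares it against a threshold; the two snapshots and the threshold are constructed values, and icmp_watch assumes the Linux netstat -s wording "ICMP messages received/sent" shown above.

```shell
#!/bin/sh
# Added example, not from the original post: the "ICMP messages received/sent"
# counters from "netstat -s" only ever grow, so the signal worth watching is
# how fast they change between two samples, not their absolute value.

# Two constructed "netstat -s" snapshots taken 5 seconds apart (made-up values).
SNAP1='    120026 ICMP messages received
    1769507 ICMP messages sent'
SNAP2='    132526 ICMP messages received
    1769607 ICMP messages sent'

# icmp_counter SNAPSHOT received|sent -> the matching counter value
icmp_counter() {
    printf '%s\n' "$1" | awk -v which="$2" '/ICMP messages/ && $NF == which { print $1 }'
}

# icmp_rate SNAP_BEFORE SNAP_AFTER SECONDS received|sent -> messages per second
icmp_rate() {
    before=$(icmp_counter "$1" "$4")
    after=$(icmp_counter "$2" "$4")
    echo $(( (after - before) / $3 ))
}

# icmp_alert SNAP_BEFORE SNAP_AFTER SECONDS LIMIT -> returns 0 and says ALERT
# when the received rate reaches LIMIT. Baseline LIMIT on a quiet day first.
icmp_alert() {
    rate=$(icmp_rate "$1" "$2" "$3" received)
    if [ "$rate" -ge "$4" ]; then
        echo "ALERT: $rate ICMP/s received (limit $4)"; return 0
    fi
    echo "ok: $rate ICMP/s received (limit $4)"; return 1
}

# icmp_watch [SECONDS] [LIMIT]: the post's loop on a live Linux box, with the
# delta computed instead of eyeballed (needs netstat; not run in the demo).
icmp_watch() {
    every=${1:-5}; limit=${2:-1000}
    prev=$(netstat -s)
    while :; do
        sleep "$every"; cur=$(netstat -s)
        icmp_alert "$prev" "$cur" "$every" "$limit" || true
        prev=$cur
    done
}

# Demo on the constructed snapshots: 12500 received in 5 s -> 2500/s, sent -> 20/s.
icmp_rate "$SNAP1" "$SNAP2" 5 received
icmp_rate "$SNAP1" "$SNAP2" 5 sent
```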

As you can see, the above one-liner in a loop checks the sent and received ICMP packet counters every few seconds; if there is a big difference between the numbers returned every few seconds by the above command, then obviously the server is under an ICMP attack and needs to be hardened.

3. How to detect a SYN flood with netstat
linux:~# netstat -nap | grep SYN | wc -l
1032

1032 SYNs per second is quite a high number, unless the server is serving, let's say, 5000 user requests per second; so as the above output reveals, it's very likely the server is under attack. If however I get results like 100/200 SYNs, then obviously there is no SYN flood targeting the machine. Two other netstat invocations which help in determining whether a server is under a Denial of Service attack are:
server:~# netstat -tuna |wc -l
10012

and
server:~# netstat -tun |wc -l
9606

Of course there are also some other ways to count the IPs that sent SYNs to the webserver, for example:
server:~# netstat -n | grep :80 | grep SYN |wc -l

In many cases, of course, top or htop can be useful for finding out whether many processes of a certain type are hanging around.

4. Checking if a UDP Denial of Service is targeting the server
server:~# netstat -nap | grep 'udp' | awk '{print $5}' | cut -d: -f1 | sort |uniq -c |sort -n

The above command will list information concerning a possible UDP DoS. The command can easily be adapted to check for both possible TCP and UDP denial of service, like so:
server:~# netstat -nap | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort |uniq -c |sort -n
    104 109.161.198.86
    115 112.197.147.216
    129 212.10.160.148
    227 201.13.27.137
   3148 91.121.85.220
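
The netstat one-liners in sections 1, 3 and 4 all share the same parsing step, so here is one added example (my own, not from the original post) that does it once in portable sh: count connections per remote host with an optional protocol or state filter, stripping the port after the last colon so IPv6 peers are not mangled by cut -d:, and flagging hosts over a threshold. The sample netstat output, addresses and threshold are constructed, and the counts are a snapshot of concurrent connections, not a per-second rate.

```shell
#!/bin/sh
# Added example, not from the original post: per-remote-host connection counts
# from netstat output, as in the one-liners in sections 1, 3 and 4, but robust
# to IPv6 addresses and with an explicit threshold.

# Constructed "netstat -ntu"-style sample (RFC 5737/3849 documentation addresses).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:55010     ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:55011     ESTABLISHED
udp        0      0 203.0.113.10:53         192.0.2.44:9999'

# conn_counts [PROTO_RE] [STATE_RE]: read netstat output on stdin and print
# "count remote-ip", highest first. Both filters are optional regexes, e.g.
# conn_counts '^tcp' SYN_RECV  for half-open TCP handshakes (section 3), or
# conn_counts '^udp$'          for UDP peers (section 4).
conn_counts() {
    awk -v proto="$1" -v state="$2" '
        $5 !~ /:[0-9*]+$/ { next }              # skip banner/header lines
        proto != "" && $1 !~ proto { next }     # protocol filter
        state != "" && $6 !~ state { next }     # state filter (UDP has none)
        {
            ip = $5
            sub(/:[0-9*]+$/, "", ip)            # drop port after the LAST colon
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_over LIMIT: from conn_counts output, print only the hosts at or above
# LIMIT concurrent connections. LIMIT is site-specific; tune it to your
# normal load (the counts are a snapshot, not a per-second rate).
flag_over() {
    awk -v lim="$1" '$1 >= lim { print $2 }'
}

# Demo on the constructed sample; on a live box replace the printf with
# "netstat -ntu" (or "netstat -nap" to also see the owning process).
printf '%s\n' "$SAMPLE" | conn_counts
printf '%s\n' "$SAMPLE" | conn_counts '^tcp' SYN_RECV
printf '%s\n' "$SAMPLE" | conn_counts | flag_over 3
```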

If, after finding an IP that has too many connections to the server and is almost certainly a DoS host, you would like to filter this IP, you can use the /sbin/route command to filter it out. Using route will probably be a better choice than iptables, as iptables would load up the CPU more than simply cutting the route to the server. Here is how I block hosts so they can no longer route packets to my server:
route add 110.92.0.55 reject

The above command null-routes the IP 110.92.0.55 from my server. Later on, to look up a null-routed IP on my host, I use:
route -n |grep -i 110.92.0.55

Well, hopefully this should be enough to give a brief overview of how one can dig into one's server and find out whether it is under a Distributed Denial of Service; hope it's helpful to somebody out there. Cheers

This entry was posted on Friday, July 22nd, 2011 at 12:17 am and is filed under Linux, System Administration.

4 Responses to How to check if your Linux WebServer is under a DoS attack


1. admin says: July 22, 2011 at 12:31 am
Another way to NULL ROUTE an IP address is via the command: /sbin/route add xxx.xxx.xxx.xxx gw 127.0.0.1 lo
Cheers

2. admin says: July 22, 2011 at 12:33 am
Or another way to route an IP address is with: route add xxx.xxx.xxx.xxx 0.0.0.0
I'm not sure which way is the best. I'll be glad if somebody clears it up for me and the readers.

3. Josh says: July 24, 2011 at 1:35 pm
Great article! We use http://www.Jumpple.com to notify us of any change to our website, or if it's down, so this is useful after you get notified. Thx a lot! Josh.
4. How to check if your Linux server is under a DDoS attack says: June 1, 2013 at 12:26 pm
[...] http://pc-freak.net/blog/how-to-check-if-your-linux-webserver-is-under-a-dos-attack/ [...]

Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. Copyright (C) 2012 by Georgi Georgiev
