How to Verify a DDoS Attack with the Netstat Command in Linux

How do you identify that you are under a DDoS attack? There can be several reasons why your server is performing slowly or showing high CPU usage: a misconfiguration in code or scripts, or cheap hardware. But sometimes it is due to a DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack on your server or network.

What are the countermeasures to prevent a DDoS attack?

There are two methods we can use to stop or mitigate the attack.

  • Load Balancing
  • Throttling

What is Load Balancing?

The attack can be absorbed if your bandwidth provider increases the bandwidth available to you during a DDoS attack, so that your servers do not go down.

What is Throttling?

A min-max fair, server-centric router throttle can be used to keep the servers from going down. This method lets the routers manage heavy incoming traffic so that the server can handle it, and it can be used to separate legitimate user traffic from fake DDoS attack traffic.

There are many ways to identify that you are under a DDoS attack other than the netstat command.

For example, you can use Wireshark and observe the SYN packets.

For this tutorial we are going to use the netstat command, which works on Linux, Windows and Mac, so you can use these commands on nearly every operating system.

  • On Windows you need the command prompt (CMD).
  • On Linux/Mac you need a terminal.

Netstat commands:

netstat -na

This displays all active Internet connections to the server; only established connections are included.

netstat -an | grep :80 | sort

Shows only active Internet connections to the server on port 80 (the HTTP port, so this is useful if you run a web server) and sorts the results. This helps in detecting a single-source flood, because many connections coming from one IP become easy to recognize.

netstat -n -p | grep SYN_REC | wc -l

This command is useful to find out how many connections in the SYN_REC state are currently on the server. The number should be pretty low, preferably less than 5. During DoS attacks or mail bombs the number can jump very high. However, the value always depends on the system, so a value that is high here may be average on another server.

netstat -n -p | grep SYN_REC | sort -u

Lists all the IP addresses involved instead of just the count.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}' | sort -u

Lists all the unique IP addresses of the nodes whose connections are in the SYN_REC state.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Uses netstat to count the number of connections each IP address has made to the server.

netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Lists the number of connections each IP has to the server over TCP or UDP.

netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

Checks only ESTABLISHED connections instead of all connections, and displays the connection count for each IP.

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

Shows each IP address and its connection count for connections to port 80 on the server. Port 80 is used mainly by HTTP web page requests.
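The pipelines above, collected into a small POSIX shell script as an added example that is not part of the original article. It reads netstat output on stdin so it can be checked offline against a constructed sample, and it strips the port with sed instead of cut -d: so that IPv4-mapped IPv6 peers (::ffff:a.b.c.d) are not mangled.

```shell
#!/bin/sh
# Added example (not from the original article). Reads `netstat -ntu`-style
# output from stdin. Live use:  netstat -ntu | top_talkers 20

# Constructed sample of `netstat -ntu` output (not captured from a real host).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40003      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51234       ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:51300       ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:192.0.2.4:33000  ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.4:5353'

# Foreign address column ($5) with the trailing ":port" removed. The header
# lines are dropped first so "Address" is never counted as a peer.
peer_ips() {
  grep -E '^(tcp|udp)' | awk '{print $5}' | sed 's/:[0-9]*$//'
}

# Connections per peer, busiest first (the article's sort|uniq -c|sort -nr).
# Output lines look like: "<count> <ip>".
count_per_ip() {
  peer_ips | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# Only peers holding at least $1 connections, e.g. for alerting.
top_talkers() {
  count_per_ip | awk -v min="$1" '$1 >= min'
}

# Half-open handshakes: state SYN_RECV on current netstat, SYN_REC on older
# versions, so match the common prefix as the article does.
count_syn_recv() {
  grep -E '^(tcp|udp)' | grep -c 'SYN_REC'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE" | top_talkers 2
printf '%s\n' "$SAMPLE" | count_syn_recv
```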

Using these commands you will be able to identify the IP addresses the DDoS is coming from. So how can we prevent it?

We have two options:

  • Load Balancing
  • Throttling

We can use the Load Balancing method to counter this attack, but most of the time our host will not provide more bandwidth for it. You can still give it a try to keep your site from crashing, and later fix the underlying issue in your script or memory leak, or hide your server IP address.

How to protect your server IP address with CloudFlare integration?

CloudFlare is a free basic CDN service and is quite good: it helps your websites load properly and takes some of the CPU load. It also helps prevent DDoS attacks on your website by masking your real server IP address. I recommend everyone use CloudFlare to prevent DDoS attacks and save bandwidth.

Okay, now we have the other option, which is Throttling, right? This mitigation tutorial is for Linux only.

How to mitigate a DDoS attack after you identify it?

Once you have identified the IP address the DDoS is coming from, we can counter the attack by blocking that IP address.

To do that:


Please note that you have to replace $IPADRESS with the IP address you found with netstat. After running the above command, kill all httpd connections to clean your system and then restart the httpd service using the following commands:

killall -KILL httpd
service httpd start          # for Red Hat systems
/etc/init.d/apache2 restart  # for Debian systems
