Finding hosts that open N+ TCP connections (probably a DDoS attack)
It is useful to know all the IP addresses that hold N+ TCP connections to your server. For example, if we want to list the IP addresses and connection counts of hosts that have 25+ connections right now:
netstat -n --tcp --udp --numeric-hosts | \
grep -v 127.0.0.1 | \
awk '{if (/(tcp|udp)/) { print $5 }}' | \
sed 's/:.*//' | \
sort | \
uniq -c | \
sort -n | \
awk '{if ($1 > 25) {print "Count: "$1"\t"$2; }}'
Here is an example of the output:
Count: 26 92.80.103.61
Count: 27 77.246.104.149
Count: 35 88.232.169.103
Count: 44 88.226.7.150
If we want to list only the IP addresses, without the counts, change the last line to:
awk '{if ($1 > 25) {print $2; }}'
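As an added example that is not part of the original post, the same per-host counting done in a single awk pass over netstat output read from stdin, run here on a constructed sample. It strips only the trailing port, so IPv6 foreign addresses survive (the sed 's/:.*//' step above cuts them at the first colon), and it skips loopback by address instead of by substring.

```shell
#!/bin/sh
# Added example, not from the original post: count connections per remote
# host from "netstat -n" style output on stdin and print hosts above a
# threshold, in the same "Count: N<TAB>host" format as the original pipeline.

count_remote_hosts() {
    # $1 = threshold; hosts with MORE than this many connections are printed
    awk -v min="$1" '
        /^(tcp|udp)/ {
            addr = $5                      # Foreign Address column
            sub(/:[0-9]+$/, "", addr)      # drop only the trailing :port
            if (addr == "127.0.0.1" || addr == "::1") next   # skip loopback
            count[addr]++
        }
        END {
            for (a in count)
                if (count[a] > min)
                    printf "Count: %d\t%s\n", count[a], a
        }' | sort -k2,2n
}

# Constructed sample in netstat -n layout; all addresses are documentation ranges
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             192.0.2.10:51000        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51001        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51002        ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8::99:40000      ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8::99:40001      ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:45000         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:45001         ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.20:33000        ESTABLISHED'

# Threshold 1 on the sample prints 2001:db8::99 (2) and 192.0.2.10 (3);
# with live data use: netstat -n --tcp --udp --numeric-hosts | count_remote_hosts 25
printf '%s\n' "$SAMPLE" | count_remote_hosts 1
```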
- Murat Demirten
- 10 Apr 2008, 18:59