Probable DDoS attack

BookMarc
Junior Member
Posts: 1
Joined: 24 Nov 2015, 18:29

Probable DDoS attack

Post by BookMarc »

Hello,

cPanel admin said my server is probably under DDoS attack.

It used the following command line to find many SYN_FLOOD

Code:

root@host [~]# netstat -an|grep :80|grep SYN|awk {'print $5'}|cut -d: -f 1|sort|uniq -c | grep -v "1 "
      5 106.67.111.131
      5 175.143.154.42
      2 197.232.245.42
      3 202.69.15.64
      5 208.54.39.240
      2 216.123.13.109
      5 76.171.160.2
      5 92.97.47.199

And we used the following command line to see 50+ connections from many IPs:

Code:

root@host [~]# netstat -ntu | grep :80| awk '{print $5}' | sed 's/::ffff://' | cut -d: -f1 | sort | uniq -c | sort -n
 ------- SNIPPED  ------- 
     51 151.102.241.101
     51 50.180.250.69
     55 106.51.26.35
     55 45.36.230.236
     55 74.117.68.162
     57 49.151.152.240
     58 74.94.83.121
     61 122.15.156.138
     62 104.156.81.134
     77 122.174.131.247
     97 107.167.113.147
    204 1.39.33.85
    235 68.170.22.100

I am stumped and could use help.

Regards,
BookMarc
Elizine
Junior Member
Posts: 40
Joined: 17 Aug 2015, 13:04

Re: Probable DDoS attack

Post by Elizine »

Here's the answer to your query:

To see what IPs are connecting to the server and how many connections exist from each IP:

Code:

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

To see how many connections each IP on the server is receiving:

Code:

netstat -plan |grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -n

Get the count of current active connections to Apache:

Code:

netstat -apn | grep :80 | wc -l
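
Added example, not part of either post above: the per-IP counts from this thread as one shell function that also groups by TCP state, so half-open SYN_RECV entries are separated from established connections. It goes slightly beyond the one-liners by matching the local port exactly and unwrapping `::ffff:` addresses. The names `conn_summary` and `sample_netstat` are hypothetical, and the sample input is constructed from documentation address ranges.

```shell
#!/usr/bin/env bash
# Added example: per-IP, per-state connection counts from `netstat -ant` text.
# On a live host (assumed usage): netstat -ant | conn_summary 80 20

conn_summary() {
  # $1 = local port to match exactly, $2 = minimum count to report
  awk -v port="$1" -v min="$2" '
    $1 ~ /^tcp/ {
      laddr = $4; raddr = $5; state = $6
      # Match the local port exactly; a plain "grep :80" also hits :8080
      # and unrelated remote ports such as :8012.
      if (laddr !~ (":" port "$")) next
      if (state == "LISTEN") next
      sub(/:[0-9]+$/, "", raddr)   # drop the remote port only
      sub(/^::ffff:/, "", raddr)   # unwrap IPv4-mapped IPv6 addresses
      n[state " " raddr]++
    }
    END { for (k in n) if (n[k] >= min) print n[k], k }
  ' | sort -k1,1nr -k2,3
}

# Constructed sample in netstat -ant layout (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:40112      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:40113      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:40114      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:51800        ESTABLISHED
tcp        0      0 203.0.113.10:8080       192.0.2.44:51801        ESTABLISHED
tcp        0      0 203.0.113.10:22         192.0.2.9:8012          ESTABLISHED
tcp6       0      0 ::ffff:203.0.113.10:80  ::ffff:192.0.2.44:51802 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:51803    SYN_RECV
EOF
}

# Report remote addresses with at least 2 connections to local port 80.
sample_netstat | conn_summary 80 2
```

Many SYN_RECV rows spread across many source addresses can also come from spoofed senders, so the per-IP counts are a starting point for triage, not a blocklist.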