Quick check for a ddos via number of connections

A quick and useful command for checking whether a server is under DDoS is:

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

That will list the IPs holding the most connections to the server. It is important to remember that DDoS attacks are becoming more sophisticated: they use fewer connections per source, spread over more attacking IPs. If that is the case you will still see low connection counts per IP even while you are under a DDoS.


Can you explain the output a

Can you explain the output a bit more? I get something like this:

8 24.140.99.156
10 65.25.8.66
14 207.58.180.195
15 68.5.31.41
16 71.252.112.226
18 82.182.78.219
44 0.0.0.0

Who is the "0.0.0.0" -- it has 44 connections?!

Also is it possible to list the total number of connections at the end?

Thanks.

Don't understand these

Don't understand these 0.0.0.0 also

What 0.0.0.0 means

What 0.0.0.0 means is the local services. To understand me a bit more, do the following:
netstat -anp | grep 0.0.0.0

Linux RulZ aLL

0.0.0.0

That means it is listening on all ips

get more from awk

You can simply remove grep and cut, as awk can do all the work you want:
netstat -anp |awk '/tcp|udp/{gsub(/:.*/,"",$5);print $5}'|sort|uniq -c|sort

-------------------------------------------
One Planet, One Internet!
We Are All Connected!
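An added example (not from the original post or any commenter) that puts the same per-IP counting from the original netstat pipeline and the awk-only variant above into reusable shell functions, and goes a little beyond both: it skips sockets whose foreign address ends in `*` (the LISTEN and unbound UDP entries that show up as 0.0.0.0 in the question above), strips the port from the last colon field so IPv6 and IPv4-mapped addresses are handled, and adds the total count asked for. The netstat lines in `SAMPLE` are constructed for the demo, not a real capture; the function and variable names are my own.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output (not a real capture).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.20:40000     ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 ::ffff:10.0.0.5:443     ::ffff:203.0.113.7:5000 ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8::99:6000       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Read netstat -an (or -anp) lines on stdin; print "<count> <remote ip>",
# ascending by count. Field 5 is the foreign address in both layouts.
top_remote_ips() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $5 !~ /\*$/ {
            sub(/:[^:]*$/, "", $5)    # drop the port: last colon field, so IPv6 survives
            sub(/^::ffff:/, "", $5)   # unwrap IPv4-mapped IPv6 addresses
            print $5
        }' | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# Total number of remote connections counted (the "total at the end").
total_connections() {
    top_remote_ips | awk '{ n += $1 } END { print n + 0 }'
}

# Connection count for one remote address, or 0 if it is absent.
count_for() {
    top_remote_ips | awk -v ip="$1" '$2 == ip { print $1; found = 1 }
                                      END { if (!found) print 0 }'
}

# Print remote addresses at or above a connection threshold (default 3).
flag_over() {
    threshold="${1:-3}"
    top_remote_ips | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Live usage on a host, as in the post:   netstat -an | top_remote_ips
# Demo against the constructed sample:
printf '%s\n' "$SAMPLE" | top_remote_ips
printf '%s\n' "$SAMPLE" | total_connections
```

Because listening sockets are filtered out, the 0.0.0.0 line from the question above no longer appears; what remains is only established or half-open connections from real remote peers, which is what you want to watch when the per-IP counts are low but the number of distinct sources is growing.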
