Am I getting DDoSed, and what should I do about it?

Solution 1:

  • netstat prints network connections
  • -n shows numerical addresses
  • grep :80 filters for connections to port 80
  • cut -c 45- gets only the 4th and 5th columns
  • cut -d: -f1 takes the first field, separated by a colon
  • sort | uniq -c sorts by IP address and counts the number of connections per unique IP
  • sort -rn reverses the numerical sort

You can use awk instead of cut -c 45- to get the 5th column only:

netstat -n | grep :80 | awk '{ print $5 }' | cut -d: -f1 | sort | uniq -c | sort -rn | head

As for your result, it seems normal: no DDoS. Take a look at access_log for more details.

Solution 2:

Quanta & DTest explained what the command does. Everyone will tell you that a few hundred connections does not a DoS make (talk to me when you have at least 5-10 thousand), and I'll expand on that by saying that in order for it to be a DDoS you'd be seeing a lot more entries (probably with a lot more connections each) than what you're showing above.


When you have a problem with a server DO NOT jump to the exotic causes (DDoS, Cosmic Rays, Z0MG H4X0R3D!, etc.) -- Chances are you have a far more boring and mundane problem.

You say "it crashes" -- do you mean the whole server locks up, panics or otherwise requires a hard reboot?
If so, check your RAM (MemTest86+ or similar). That's usually the issue.

If it's not a real, hard crash, start looking at the normal mundane troubleshooting items:

  • Run top
    • What is the load average? What is it when you have a problem?
    • How much swap are you using? Are you using more when you have a problem? (If so, memory leak!)
    • What programs are trying to get on the CPU?
  • Run your operating system's disk I/O information tools (Not a Debian guy, maybe someone can list 'em?)
    • Are you disk bound? (is the disk constantly using 100% of its bandwidth?)
  • Look at your network statistics
    • Are you hitting a bandwidth cap from your ISP?
  • Look at your ancillary programs, if applicable
    • Database Connections
    • Shared File Systems
    • Any other resource that may be locked/blocking when you need it

Solution 3:

The number is the number of unique entries for each IP (generated by uniq -c).

netstat -n will give you all the current network traffic, which you then pipe to grep :80, which only grabs connections on your web server. Next we cut out the leading part of the line with cut -c 45-, and then everything after the IP (starting at the colon) with cut -f 1 -d ':' then we sort it, get the unique IPs with a count (uniq -c) and then sort it in reverse order so the most IPs appear at the top.

This doesn't necessarily mean you are getting DDoS'd because the majority of traffic is coming from a single IP. Someone might be crawling your site for content or some other reason.
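Solutions 1 and 3 both walk through the same netstat | cut | sort | uniq -c pipeline. The script below is an added example, not code from any of the answers above. It does the same per-IP count with awk instead of the two fragile steps: `cut -c 45-` assumes the Foreign Address column starts at byte 45, which depends on the netstat build and address widths, and `cut -d: -f1` truncates IPv6 peers (2001:db8:1::9:60000 becomes just 2001). The function names (`top_talkers`, `suspects`) and the netstat output in `SAMPLE_NETSTAT` are constructed for this example; on a real host you would feed it `netstat -n` directly.

```shell
#!/bin/sh
# Added example (not from the original answers): per-remote-IP connection
# counts from `netstat -n` output, without `cut -c 45-` (fixed column
# offset) or `cut -d: -f1` (breaks IPv6 addresses).
#
# Live usage:   netstat -n | top_talkers 80
#               netstat -n | suspects 80 200
#
# SAMPLE_NETSTAT is constructed test data in the Linux netstat -n layout
# (Proto Recv-Q Send-Q Local Address Foreign Address State).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:40002      ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:60000     ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:60001     ESTABLISHED
tcp        0      0 10.0.0.5:8080           203.0.113.7:51238       ESTABLISHED
udp        0      0 10.0.0.5:123            0.0.0.0:*'

# top_talkers PORT [STATE]
#   Reads netstat -n output on stdin and prints "count ip", one line per
#   remote IP with a connection to local port PORT, busiest first.
#   STATE defaults to ESTABLISHED so that TIME_WAIT leftovers do not
#   inflate the count; pass an empty string ("") to count every state.
top_talkers() {
    awk -v port="$1" -v state="${2-ESTABLISHED}" '
        $1 ~ /^tcp/ && (state == "" || $6 == state) {
            lport = $4; sub(/.*:/, "", lport)     # local port = text after last ":"
            if (lport != port) next
            peer = $5; sub(/:[0-9]+$/, "", peer)  # drop only the trailing :port
            count[peer]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# suspects PORT THRESHOLD
#   Same input; prints only the remote IPs holding at least THRESHOLD
#   connections to PORT.  THRESHOLD is a local judgement, not a constant:
#   a crawler or a corporate NAT can legitimately hold dozens.
suspects() {
    top_talkers "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Demo on the constructed sample (real host: netstat -n | top_talkers 80)
printf '%s\n' "$SAMPLE_NETSTAT" | top_talkers 80
```

Two caveats a practitioner should keep in mind. First, a high count for one IP says nothing by itself: the same output is produced by a crawler, a monitoring probe, or an office behind a single NAT address, which is why the script filters on state and leaves the threshold to you. Second, on current Linux distributions `netstat` is often not installed; `ss -tan` gives the same information but puts the State column first, so the field numbers in the awk program need adjusting before pointing it at `ss` output.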