Am I getting DDoSed, and what should I about it?
Solution 1:
-
netstat
print network connections -
-n
show numerical address -
grep :80
filter connections connect to port 80 -
cut -c 45-
get only 4th and 5th column -
cut -d: -f1
take the first field separate by colon -
sort | uniq -c
sort by IP address and count the numbers of unique IP -
sort -rn
reverse the numerical sort
You can use awk
instead of cut -c 45-
to get the 5th column only:
netstat -n | grep :80 | awk '{ print $5 }' | cut -d: -f1 | sort | uniq -c | sort -rn | head
About your result, it seems normal, no DDoS. Take a look at access_log
for more details.
Solution 2:
Quanta & DTest explained what the command does. Everyone will tell you that a few hundred connections does not a DoS make (talk to me when you have at least 5-10 thousand), and I'll expand on that by saying that in order for it to be a DDos you'd be seeing a lot more entries (probably with a lot more connections each) than what you're showing above.
When you have a problem with a server DO NOT jump to the exotic causes (DDoS, Cosmic Rays, Z0MG H4X0R3D!, etc.) -- Chances are you have a far more boring and mundane problem.
You say "it crashes" -- do you mean the whole server locks up, panics or otherwise requires a hard reboot?
If so, check your RAM (MemTest86+ or similar). That's usually the issue.
If it's not a real, hard crash start looking at the normal mundane troubleshooting items:
- Run
top
- What is the load average? What is it when you have a problem?
- How much swap are you using? Are you using more when you have a problem? (If so, memory leak!)
- What programs are trying to get on the CPU?
- Run your operating system's disk I/O information tools (Not a Debian guy, maybe someone can list 'em?)
- Are you disk bound? (is the disk constantly using 100% of its bandwidth?)
- Look at your network statistics
- Are you hitting a bandwidth cap from your ISP?
- Look at your ancillary programs, if applicable
- Database Connections
- Shared File Systems
- Any other resource that may be locked/blocking when you need it
Solution 3:
The number is the number of unique entries for each ip (generated by uniq -c
)
netstat -n
will give you all the current network traffic, which you then pipe to grep :80
, which only grabs connections on your web server. Next we cut out the leading part of the line with cut -c 45-
, and then everything after the IP (starting at the colon) with cut -f 1 -d ':'
then we sort it, get the unique IPs with a count (uniq -c
) and then sort it in reverse order so the most IPs appear at the top.
This doesn't necessarily mean you are getting DDoS'd because the majority of traffic is coming from a single IP. Someone might be crawling your site for content or some other reason.