How to find a DDoS attack
Hello.
Do you want to find the high-traffic sites on your server, or spot a DDoS attack against it? I hope this guide will help you.
How to find it?
Find high-traffic sites (in cPanel). Fetch the Apache status page from WHM, then count the requests per virtual host from the "nowrap" table cells:
wget -q -O /tmp/acces http://127.0.0.1/whm-server-status
awk '/nowrap/' /tmp/acces | awk -F "</td><td nowrap>" '{print $2}' | sort | uniq -c | sort -n
Check multiple ports for DDoS. The first loop shows the connection-state breakdown per port; the second counts total, ESTABLISHED, TIME_WAIT and SYN connections per port. The trailing space in ":$i " matters, otherwise ":80" also matches ports such as 8080.
for i in 21 25 22 80 110 143 993; do
    echo "Port $i: "
    netstat -tan | grep ":$i " | awk '{print $6}' | sort | uniq -c
done

for i in 21 25 22 80 110 143 993; do
    echo -n "Port $i: "; netstat -plant | grep ":$i " | wc -l
    echo -n "Port $i ( esta ): "; netstat -plant | grep ":$i " | grep -i esta | wc -l
    echo -n "Port $i ( time_wait ): "; netstat -plant | grep ":$i " | grep -i time_wait | wc -l
    echo -n "Port $i ( syn ): "; netstat -plant | grep ":$i " | grep -i syn | wc -l
done
Get a list of all IPs accessing port 80 (ESTABLISHED, SYN and TIME_WAIT)
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
Get a list of all IPs accessing any port (ESTABLISHED, SYN and TIME_WAIT)
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Get a list of all IPs which have established a connection (ESTABLISHED) to port 80
netstat -plan |grep :80 | grep -i esta | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n
Get a list of all IPs which are trying to establish a connection (SYN) to port 80
netstat -plan |grep :80 | grep -i syn | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n
Count the number of accesses to port 80
netstat -plan |grep :80 | wc -l
Find which IP address on the server is targeted by the DDoS attack (the local address column, $4)
netstat -plan | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -n
Find which IPs the attack is coming from (the foreign address column, $5)
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
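As an added example (not part of the original guide), here is a small POSIX sh script that wraps the netstat counting commands above into two reusable functions: one that counts connections to a local port in a given state, and one that lists remote IPs with more than a threshold of connections to that port. The sample netstat -tan lines are constructed for the demo, the port anchoring (":80$") avoids matching 8080 by accident, and the port is stripped from the foreign address with a regex rather than cut -d: so that IPv6-mapped addresses like ::ffff:203.0.113.10:51234 keep their full address. The threshold value is arbitrary.

```shell
#!/bin/sh
# Added example, not the original guide's commands. Constructed netstat -tan
# style output: Proto Recv-Q Send-Q Local-Address Foreign-Address State.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80          203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80          203.0.113.10:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80          203.0.113.10:51236      SYN_RECV
tcp        0      0 10.0.0.5:80          203.0.113.10:51237      SYN_RECV
tcp        0      0 10.0.0.5:80          198.51.100.7:40000      ESTABLISHED
tcp        0      0 10.0.0.5:80          198.51.100.7:40001      TIME_WAIT
tcp        0      0 10.0.0.5:443         192.0.2.9:55555         ESTABLISHED
tcp        0      0 10.0.0.5:22          192.0.2.9:55556         ESTABLISHED'

# count_state PORT STATE
# Reads netstat -tan lines on stdin and prints how many connections to local
# PORT are in STATE (e.g. ESTABLISHED, SYN_RECV, TIME_WAIT).
count_state() {
    awk -v port="$1" -v state="$2" \
        '$4 ~ (":" port "$") && $6 == state { n++ } END { print n + 0 }'
}

# top_remote PORT THRESHOLD
# Reads netstat -tan lines on stdin and prints "count ip" for every remote IP
# with more than THRESHOLD connections (any state) to local PORT, busiest first.
top_remote() {
    awk -v port="$1" -v thr="$2" '
        $4 ~ (":" port "$") {
            ip = $5
            sub(/:[0-9]+$/, "", ip)   # strip the remote port, IPv4 or IPv6
            c[ip]++
        }
        END { for (ip in c) if (c[ip] > thr) print c[ip], ip }' | sort -rn
}

# Demo on the constructed sample. On a live host replace the printf with:
#   netstat -tan | count_state 80 ESTABLISHED
#   netstat -tan | top_remote 80 50
echo "Port 80 ESTABLISHED: $(printf '%s\n' "$SAMPLE_NETSTAT" | count_state 80 ESTABLISHED)"
echo "Port 80 SYN_RECV:    $(printf '%s\n' "$SAMPLE_NETSTAT" | count_state 80 SYN_RECV)"
echo "Remote IPs with more than 3 connections to port 80:"
printf '%s\n' "$SAMPLE_NETSTAT" | top_remote 80 3
```

A single IP with a few hundred half-open (SYN_RECV) connections is a different picture from many IPs each holding one or two ESTABLISHED connections; running count_state per state and top_remote per port side by side makes that distinction visible before you decide whether to block a source or simply raise capacity.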
Hourly hits from Apache logs
awk '{print $4,$5}' /var/log/httpd/access_log | cut -d: -f1,2 | sort | uniq -c
Checking for RFI (remote file inclusion) attempts: list requests whose query string contains a URL, from the processed access logs of every vhost. The "?" must be escaped in the awk regex, and find wants -mindepth/-maxdepth before the other tests.
find /var/www/vhosts/ -mindepth 4 -maxdepth 4 -type f -iname access_log.processed -exec awk '$7 ~ /\?/ && $7 ~ /http/ {print $1" "$4" "$7" "FILENAME}' {} \;
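As an added example (not part of the original guide), the same Apache log analysis as the two commands above, packaged as POSIX sh functions that read combined-format log lines on stdin: hourly hit counts, hits per client IP, and requests whose query string carries a URL (the RFI signature the find/awk command looks for). The log lines are constructed for the demo; the addresses are documentation ranges and the file name in the query string is a placeholder.

```shell
#!/bin/sh
# Added example, not the original guide's commands. Constructed Apache
# combined-format log lines (client, date, request, status, bytes, referer, UA).
SAMPLE_LOG='203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:58:01 +0000] "GET /index.php?page=http://203.0.113.99/placeholder.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:17 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:14:05:44 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:14:30:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:14:31:09 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# hourly_hits: prints "count day/Mon/year:hour" for each hour seen on stdin.
# $4 is "[10/Oct/2023:13:55:36"; we drop the "[" and keep date plus hour.
hourly_hits() {
    awk '{ split($4, t, ":"); h[substr(t[1], 2) ":" t[2]]++ }
         END { for (k in h) print h[k], k }' | sort -k2
}

# top_clients: prints "count ip" per client address, busiest first.
top_clients() {
    awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# rfi_requests: prints "client date path" for requests whose query string
# has a parameter whose value is a URL, the pattern the find/awk check above
# is after. $7 is the request path in combined/common log format.
rfi_requests() {
    awk '$7 ~ /\?/ && $7 ~ /=https?:\/\// { print $1, $4, $7 }'
}

# Demo on the constructed sample. On a live host use, for example:
#   hourly_hits < /var/log/httpd/access_log
echo "Hits per hour:";      printf '%s\n' "$SAMPLE_LOG" | hourly_hits
echo "Hits per client:";    printf '%s\n' "$SAMPLE_LOG" | top_clients
echo "RFI-style requests:"; printf '%s\n' "$SAMPLE_LOG" | rfi_requests
```

The hourly view tells you when the traffic spike started, the per-client view whether it comes from a handful of addresses or is spread thin, and the RFI filter separates plain volume from requests that are probing the application; a spike that is all RFI-style requests from one or two IPs is a web application scan rather than a bandwidth attack.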
Get the count of domains with high access
Copy the contents that you see in WHM > Apache Status to /tmp/file, then count the requests per virtual host (column 12):
awk '{print $12}' /tmp/file | sort | uniq -c | sort -n