How to find DDOS attack

by uday · Published January 21, 2017 · Updated March 10, 2017

Hello.

Do you want to find high traffic site? DDOS attacks?. I hope this guide will help you.

How to find DDOS attack

How to find ?

Find high traffic sites ( in cpanel ).

wget -q -O /tmp/acces http://127.0.0.1/whm-server-status

cat /tmp/acces |awk '$0 ~/nowrap/ {print $0}'|awk -F "</td><td nowrap>" '{print $2}' | sort | uniq -c | sort -n

Check multiple ports for DDOS

for i in  21 25 22 80 110 143 993
do
 echo "Port $i: "
 netstat -tan | grep ":$i " | awk '{print $6}' | sort | uniq -c
done;

for i in 21 25 22 80 110 143 993
do  
  echo -n "Port $i: ";
  netstat -plant  | grep ":$i" | wc -l;
  echo -n "Port $i ( esta ): ";
  netstat -plant  | grep ":$i" | grep -i esta | wc -l;
  echo -n "Port $i ( time_wait ): ";
  netstat -plant  | grep ":$i" | grep -i time_wait | wc -l;
  echo -n "Port $i ( syn ): ";
  netstat -plant  | grep ":$i" | grep -i syn | wc -l ;
done

Get a list of all IPs accessing 80 ( ESTABLISHED, SYN and TIME_WAIT )

netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

Get a list of all IPs accessing any port ( ESTABLISHED, SYN and TIME_WAIT )

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Get a list of all IPs which have established a connection ( ESTABLISHED ) to port 80

netstat -plan |grep :80 | grep -i esta | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n

Get a list of all IPs which are trying to establish a connection ( SYN ) to port 80

netstat -plan |grep :80 | grep -i syn | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n

Count the number of accesses to port 80

netstat -plan |grep :80 | wc -l

Find to which IP address in the server is targeted by the ddos attack

netstat -plan| grep :80| awk {'print $4'} | cut -d: -f1|sort|uniq -c|sort -n

Find from which IPs, the attack is coming

netstat -plan | grep  :80 | awk {'print $5'} | cut -d: -f1 |sort |uniq -c|sort -n

Hourly hits from apache logs

awk '{print $4,$5}' /var/log/httpd/access_log  | cut -d: -f1,2 | sort | uniq -c

Checking RIF

find /var/www/vhosts/ -type f -maxdepth 4 -mindepth 4 -iname access_log.processed -exec awk ' $7 ~ /?/ && $7 ~ /http/ {print $1" "$4" "$7" "FILENAME}' {} \;

Get the count of domains having high access

Copy the contents that you see in WHM > Apache Status to /tmp/file

cat /tmp/file | awk '{print $12}' | sort | uniq -c | sort -n

How to find DDOS attack

You may also like...

Leave a Reply Cancel reply

Recent Posts

How to find DDOS attack

You may also like...

Server load monitoring script

Raid health check script using MegaCli

Script to increase the limit of login failure block

Leave a Reply Cancel reply

Recent Posts