How to find DDOS attack

by uday · Published January 21, 2017 · Updated March 10, 2017

Hello.

Do you want to find high traffic site? DDOS attacks?. I hope this guide will help you.

How to find DDOS attack

How to find ?

Find high traffic sites ( in cpanel ).

wget -q -O /tmp/acces http://127.0.0.1/whm-server-status

cat /tmp/acces |awk '$0 ~/nowrap/ {print $0}'|awk -F "</td><td nowrap>" '{print $2}' | sort | uniq -c | sort -n

Check multiple ports for DDOS

for i in  21 25 22 80 110 143 993
do
 echo "Port $i: "
 netstat -tan | grep ":$i " | awk '{print $6}' | sort | uniq -c
done;

for i in 21 25 22 80 110 143 993
do  
  echo -n "Port $i: ";
  netstat -plant  | grep ":$i" | wc -l;
  echo -n "Port $i ( esta ): ";
  netstat -plant  | grep ":$i" | grep -i esta | wc -l;
  echo -n "Port $i ( time_wait ): ";
  netstat -plant  | grep ":$i" | grep -i time_wait | wc -l;
  echo -n "Port $i ( syn ): ";
  netstat -plant  | grep ":$i" | grep -i syn | wc -l ;
done

Get a list of all IPs accessing 80 ( ESTABLISHED, SYN and TIME_WAIT )

netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

Get a list of all IPs accessing any port ( ESTABLISHED, SYN and TIME_WAIT )

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Get a list of all IPs which have established a connection ( ESTABLISHED ) to port 80

netstat -plan |grep :80 | grep -i esta | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n

Get a list of all IPs which are trying to establish a connection ( SYN ) to port 80

netstat -plan |grep :80 | grep -i syn | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n

Count the number of accesses to port 80

netstat -plan |grep :80 | wc -l

Find to which IP address in the server is targeted by the ddos attack

netstat -plan| grep :80| awk {'print $4'} | cut -d: -f1|sort|uniq -c|sort -n

Find from which IPs, the attack is coming

netstat -plan | grep  :80 | awk {'print $5'} | cut -d: -f1 |sort |uniq -c|sort -n

Hourly hits from apache logs

awk '{print $4,$5}' /var/log/httpd/access_log  | cut -d: -f1,2 | sort | uniq -c

Checking RIF

find /var/www/vhosts/ -type f -maxdepth 4 -mindepth 4 -iname access_log.processed -exec awk ' $7 ~ /?/ && $7 ~ /http/ {print $1" "$4" "$7" "FILENAME}' {} \;

Get the count of domains having high access

Copy the contents that you see in WHM > Apache Status to /tmp/file

cat /tmp/file | awk '{print $12}' | sort | uniq -c | sort -n

How to find DDOS attack

You may also like...

Leave a Reply Cancel reply

Recent Posts

How to find DDOS attack

You may also like...

Bash script to restart Apache automatically

Backup script for files and database

letsencrypt-auto renew script

Leave a Reply Cancel reply

Recent Posts