How to check if your web server is under DDoS attack
Posted by raxso, Apr 26
A quick and useful command for checking whether a server is under DDoS:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
or, for the web server only:
netstat -anp | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
This lists the remote IPs holding the most connections, busiest last (column 5 of netstat -anp is the foreign address). Two caveats: cut -d: -f1 keeps only what comes before the first colon, so IPv6 peers are cut down to their first group and lumped together; and grep :80 matches ":80" anywhere on the line, so it also catches ports such as 8000 or 8080 and any remote ephemeral port that happens to contain ":80". On a host with more than one service, match the local address column instead. It is also important to remember that DDoS is becoming more sophisticated: attackers use fewer connections per source spread across more attacking IPs, so you can be under a DDoS while every individual IP still shows a low connection count.
Another very important thing to look at is how many active connections your server is currently processing.
netstat -n | grep :80 | wc -l
netstat -n | grep :80 | grep SYN_RECV | wc -l
The first command shows the number of connections currently open to your web server, in any state (including TIME_WAIT). The normal figure varies from site to site, so treat these numbers as rough rules of thumb rather than fixed limits: if you are much above 500 you are probably having problems. The second command counts half-open connections stuck in SYN_RECV, meaning the client sent a SYN but never completed the handshake; if it is over 100 you are very likely being hit with a SYN flood.
Block the offending IPs by adding them to your firewall, for example with iptables. Use DROP rather than REJECT under a flood, so the host sends nothing back to the attacker. The rule takes effect as soon as it is added; save it afterwards so it survives a reboot. Do not run "service iptables restart" before saving: a restart reloads the saved rule set and would discard the rule you just added.
iptables -I INPUT -s IPADDRESS -j DROP
service iptables save
Then restart your web server. This tears down the connections the attacker already holds and frees the worker slots, but it also drops legitimate clients, so do it only after the block rule is in place.
/etc/init.d/httpd restart
Here's a small bash script that mails the list to you. Create a file ddos-check, add the following, make it executable with chmod +x ddos-check, and run it by hand or from cron:
#!/bin/bash
# Mail the per-IP connection counts for port 80 to the address below.
dt=$(date '+%m-%d-%y')
host=$(hostname)
netstat -anp | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | mail -s "Netstat $host $dt" your_email@address.com
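As an added example (my own code, not from the original post), here is an IPv6-safe version of the checks above that covers both the per-IP count and the total/SYN_RECV count, and prints the block command for the busiest sources. It runs against a constructed netstat -an snapshot so it works offline; the function names, the sample addresses and the "more than 3 connections" cut-off for block candidates are my assumptions, while the 500/100 limits are the post's own rule of thumb.

```bash
#!/bin/bash
# Added example, not from the original post: IPv6-safe netstat checks run
# against a constructed snapshot. On a live host use: netstat -an | top_ips

# Constructed sample of `netstat -an` output: one busy IPv4 client (4 connections,
# two of them half-open), two quiet clients, an SSH session, and an IPv6 client.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40002      TIME_WAIT
tcp        0      0 10.0.0.5:22             192.0.2.1:55555         ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:43210     ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:43211     SYN_RECV'

# Reads netstat output on stdin; prints "<remote-ip> <state>" for every TCP
# connection whose LOCAL port is 80, skipping the listening socket itself.
# Matching $4 (local address) avoids grep :80 picking up ports like 8080, and
# stripping only the last ":port" keeps IPv6 peers intact.
web_conns() {
    awk '($1 == "tcp" || $1 == "tcp6") && $4 ~ /:80$/ && $6 != "LISTEN" {
        ip = $5; sub(/:[^:]*$/, "", ip); print ip, $6
    }'
}

# Connections per remote IP, busiest first.
top_ips() { web_conns | awk '{print $1}' | sort | uniq -c | sort -rn; }

# Totals behind the post's two thresholds.
count_conns() { web_conns | wc -l | tr -d ' '; }
count_syn()   { web_conns | awk '$2 == "SYN_RECV"' | wc -l | tr -d ' '; }

# Connections held by a single remote IP.
ip_count() { web_conns | awk -v ip="$1" '$1 == ip' | wc -l | tr -d ' '; }

# Remote IPs holding more than $1 connections: candidates for a DROP rule.
offenders() { top_ips | awk -v limit="$1" '$1 > limit {print $2}'; }

# Classify a snapshot: $1 = total-connection limit, $2 = SYN_RECV limit.
# Prints "syn-flood", "overloaded" or "ok". SYN_RECV is checked first because
# a SYN flood is the more specific diagnosis.
assess() {
    snapshot=$(cat)
    total=$(printf '%s\n' "$snapshot" | count_conns)
    syn=$(printf '%s\n' "$snapshot" | count_syn)
    if [ "$syn" -gt "$2" ]; then
        echo syn-flood
    elif [ "$total" -gt "$1" ]; then
        echo overloaded
    else
        echo ok
    fi
}

# Demo on the constructed sample, using the post's 500 / 100 rule of thumb.
printf '%s\n' "$SAMPLE_NETSTAT" | top_ips
printf 'verdict: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | assess 500 100)"
# Print (do not run) the block command for every IP over 3 connections.
printf '%s\n' "$SAMPLE_NETSTAT" | offenders 3 | while read -r ip; do
    echo "iptables -I INPUT -s $ip -j DROP"
done
```

On the sample the verdict is "ok" against the 500/100 limits even though one client holds half the connections and three of them are half-open, which is exactly the low-count-per-IP situation the post warns about: the per-IP listing, not the totals, is what exposes it.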