Server under DDOS attack – How to find out IPs?

My server is under DDOS attacks and I want to block the IP that is doing it, what logs should I be looking for to determine the attacker’s IP?

# Top source IPs in the last 10000 lines of the web access log
tail -n 10000 yourweblog.log | cut -f 1 -d ' ' | sort | uniq -c | sort -nr | more

# Top remote IPs currently connected to port 80 (the column offset 45 assumes the default netstat -n layout; adjust it if your output differs)
netstat -n | grep :80 | cut -c 45- | cut -f 1 -d ':' | sort | uniq -c | sort -nr | more

# Most requested URLs (field 2 between double quotes is the request line in combined log format)
cut -f 2 -d '"' yourweblog.log | cut -f 2 -d ' ' | sort | uniq -c | sort -nr | more

# Most common referrers (field 4 between double quotes in combined log format)
cut -f 4 -d '"' yourweblog.log | sort | uniq -c | sort -nr | more


Check your Process and Connection Counts

# Number of running httpd processes (the [h] bracket keeps grep from counting itself)
ps auxw | grep '[h]ttpd' | wc -l

# Number of connections to port 80
netstat -nap | grep ':80 ' | wc -l

# Remote IPs with more than 45 connections to port 80, excluding localhost
netstat -ntu | grep ':80' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | \
  grep -v 127.0.0.1 | awk '{if ($1 > 45) print $2;}'

Analyze the Requests

# Paths requested more than 45 times: extract the request line, drop the method, keep the path, then count
cat access_log | awk -F '"' '{printf "%s\n", $2}' | sed -e 's/GET //' | awk -F ' ' '{printf "%s\n", $1}' | sort | uniq -c | sort -n | awk '{if ($1 > 45) print $2;}' | more

# Drop all traffic from an offending IP (1.2.3.4 is a placeholder)
iptables -A INPUT -s 1.2.3.4 -j DROP
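As an added example, not part of the original answer, the same triage done in Python over combined-format log lines: a regex parser that handles the quoted fields the cut-based pipelines split on, per-IP and per-path counts with the same >45 cut-off used above, and the DROP rule rendered (not executed) for each flagged source. The log lines and addresses are constructed sample data; the function names are my own.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def count_by(lines, field, threshold=45, ignore=("127.0.0.1",)):
    """Count requests per value of `field` ("ip", "path", "agent", ...), skipping
    ignored source IPs and unparseable lines; return (value, count) pairs above
    the threshold, most active first. threshold=45 mirrors the awk filter above."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] not in ignore:
            hits[rec[field]] += 1
    return [(k, n) for k, n in hits.most_common() if n > threshold]


def drop_rules(ips):
    """Render the iptables rule from the answer for each flagged IP (returned as text, not run)."""
    return ["iptables -A INPUT -s %s -j DROP" % ip for ip in ips]


# Constructed sample: one noisy source, one quiet one, a local health check, and a junk line.
SAMPLE = (
    ['203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux)"'] * 50
    + ['198.51.100.4 - - [10/Oct/2000:13:55:37 -0700] "GET /index.html HTTP/1.1" 200 512 "http://example.org/" "curl/7.0"'] * 3
    + ['127.0.0.1 - - [10/Oct/2000:13:55:38 -0700] "GET /status HTTP/1.1" 200 10 "-" "check"'] * 60
    + ['garbage line that is not a log entry']
)

if __name__ == "__main__":
    flagged = count_by(SAMPLE, "ip")
    for ip, n in flagged:
        print(n, ip)
    print("\n".join(drop_rules(ip for ip, _ in flagged)))
```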

Credit: http://serverfault.com/questions/152139/server-under-ddos-attack-how-to-find-out-ips
