Server under DDOS attack – How to find out IPs?
My server is under DDOS attacks and I want to block the IP that is doing it, what logs should I be looking for to determine the attacker’s IP?
tail -n 10000 yourweblog.log|cut -f 1 -d ' '|sort|uniq -c|sort -nr|more   # client IPs in the last 10000 log lines, busiest first
netstat -n|grep :80|cut -c 45-|cut -f 1 -d ':'|sort|uniq -c|sort -nr|more   # remote IPs currently connected to port 80 (relies on the standard netstat column layout)
cut -f 2 -d '"' yourweblog.log|cut -f 2 -d ' '|sort|uniq -c|sort -nr|more   # most requested URLs (combined log format)
cut -f 4 -d '"' yourweblog.log|sort|uniq -c|sort -nr|more   # most common referrers
Check your Process and Connection Counts
ps auxw | grep httpd | wc -l
netstat -nap | grep ":80 " | wc -l
netstat -ntu | grep ":80" | awk '{print $5}'| cut -d: -f1 | sort | uniq -c | sort -n |
grep -v 127.0.0.1 | awk '{if ($1 > 45) print $2;}'   # IPs with more than 45 connections to port 80, localhost excluded
Analyze the Requests
cat access_log | awk -F '"' '{printf "%s\n", $2}' | sed -e 's/GET //' | awk -F " " '{printf "%s\n" ,$1}' | sort | uniq -c | sort -n | awk '{if ($1 > 45) print $2;}' | more   # request paths hit more than 45 times
iptables -A INPUT -s 1.2.3.4 -j DROP
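The same per-IP counting as above, put into a small script so the threshold and a whitelist are explicit before any rule is generated. This is an added example, not part of the original answer; the log lines, the `top_ips`/`drop_rules` function names and the WHITELIST variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): count requests per client IP in a
# combined-format access log, list the IPs above a threshold while skipping a
# whitelist, and print (not run) the matching iptables rules for review.

# Constructed sample log: one noisy client, one normal client, a local health probe.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2023:13:55:39 +0000] "GET /health HTTP/1.1" 200 2 "-" "probe"
127.0.0.1 - - [10/Oct/2023:13:55:40 +0000] "GET /health HTTP/1.1" 200 2 "-" "probe"
127.0.0.1 - - [10/Oct/2023:13:55:41 +0000] "GET /health HTTP/1.1" 200 2 "-" "probe"
EOF

# Space-separated list of addresses that must never be blocked (your own admin
# IP, monitoring hosts). 127.0.0.1 is always added. Assumed variable name.
WHITELIST="${WHITELIST:-}"

# top_ips LOGFILE THRESHOLD
# Prints "count ip" for every client IP with more than THRESHOLD requests, highest first.
top_ips() {
    log="$1"; threshold="$2"
    cut -d ' ' -f 1 "$log" | sort | uniq -c | sort -nr |
    awk -v t="$threshold" -v wl="127.0.0.1 $WHITELIST" '
        BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) skip[w[i]] = 1 }
        $1 > t && !($2 in skip) { print $1, $2 }'
}

# drop_rules LOGFILE THRESHOLD
# Emits one iptables command per offending IP but does NOT execute it: review the
# list, then pipe it into sh only once no legitimate client is on it.
drop_rules() {
    top_ips "$1" "$2" | awk '{ printf "iptables -A INPUT -s %s -j DROP\n", $2 }'
}

top_ips "$SAMPLE_LOG" 2      # prints: 3 203.0.113.5
drop_rules "$SAMPLE_LOG" 2   # prints: iptables -A INPUT -s 203.0.113.5 -j DROP
```

On a real server, replace SAMPLE_LOG with your access log path and raise the threshold to something well above your normal per-client request rate.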
Credit: http://serverfault.com/questions/152139/server-under-ddos-attack-how-to-find-out-ips