If your server is performing slowly, it could be due to several factors, such as inefficient scripts. However, it might also be under a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack, where traffic is intentionally flooded into your server. Alternatively, your server may be part of a botnet, used to target other networks. In such cases, running precautionary scans with tools like ClamAV and RootKit Hunter is highly recommended.
Additionally, every time a client connects to your server, a connection is established. On a high-traffic server, this can result in hundreds or even thousands of active connections. To check and list the current connections on your server, use the following helpful netstat commands to determine whether your server is under attack or involved in one:
netstat -na
This command lists all Internet sockets on the server in numeric form (no name resolution), both listening sockets and established connections.
netstat -an | grep :80 | sort
Filters the active connections to port 80 and sorts the results. This can help identify a flood of connections from a single IP address.
netstat -n -p | grep SYN_RECV | wc -l
Displays the number of active SYN_RECV connections. A low number (ideally below 5) is normal, but higher values could indicate a DoS attack or mail bomb.
netstat -n -p | grep SYN_RECV | sort -u
Sorts the SYN_RECV lines and removes exact duplicates, giving one line per remote address and port.
netstat -n -p | grep SYN_RECV | awk '{print $5}' | awk -F: '{print $1}' | sort -u
Displays the unique remote IP addresses that currently have connections in the SYN_RECV state.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Counts the number of connections from each IP address on the server.
netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Shows the number of connections from each IP address using either the TCP or UDP protocol.
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
Focuses on established connections and sorts them by the number of connections for each IP address.
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
Lists the IP addresses and the number of connections made to port 80 (used by HTTP).
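The per-IP counting behind the one-liners above, written out as an added shell example (not part of the original text). It reads netstat -ntu output from stdin, skips the header lines, keeps IPv6 addresses intact instead of breaking them with cut -d:, optionally filters on a connection state, and flags peers above a threshold; the netstat output embedded below is a constructed sample, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not from a real server).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:22             198.51.100.9:40001      ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.7:5123 SYN_RECV
udp        0      0 10.0.0.5:53             192.0.2.44:33000        ESTABLISHED'

# count_by_peer [STATE]: read netstat -ntu output on stdin and print
# "count ip" lines, most frequent first. An optional STATE (e.g. SYN_RECV)
# restricts the count to connections in that state.
count_by_peer() {
    awk -v want="${1:-}" '
        # skip the two header lines and anything without a protocol column
        $1 !~ /^(tcp|udp)6?$/ { next }
        want != "" && $6 != want { next }
        {
            peer = $5
            sub(/:[0-9]+$/, "", peer)   # strip the port (text after the last colon)
            sub(/^::ffff:/, "", peer)   # unwrap IPv4-mapped IPv6 addresses
            n[peer]++
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# peers_over N [STATE]: print only the addresses holding more than N connections.
peers_over() {
    count_by_peer "${2:-}" | awk -v lim="$1" '$1 + 0 > lim + 0 { print $2 }'
}

# Usage against a live host: netstat -ntu | peers_over 50 SYN_RECV
# Against the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_peer SYN_RECV
```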
These commands can help you monitor and identify unusual patterns in server traffic, allowing you to determine if you're experiencing an attack or if your server is compromised.