This article describes how to use the netstat command on a Linux system to spot a DDoS attack. This is important for network security; readers who need it can use it for reference.

The specific netstat commands for examining a DDoS attack on a Linux system are as follows:

code is as follows:


netstat -na

Displays all active network connections to the server.

code is as follows:


netstat -an | grep :80 | sort

Shows only the active network connections on port 80 (port 80 is HTTP, so this is very useful on a web server) and sorts the result. Sorting makes it easy to pick out a single IP address that holds many connections during a flood attack.

code is as follows:


netstat -n -p | grep SYN_REC | wc -l

This command counts the connections on the server that are in the SYN_RECV state (netstat prints the state as SYN_RECV; grep SYN_REC matches it as a prefix). The count should be very low, preferably under 5. During a DoS attack or a mail bomb it can become very high. The normal value depends on the system, however, so a value that is high on one server may be normal on another. The -p option only shows the owning process when run as root.

code is as follows:


netstat -n -p | grep SYN_REC | sort -u

Lists all the SYN_RECV connections together with their IP addresses, rather than just counting them.

code is as follows:


netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

Lists the IP address of every node that is sending connections in the SYN_RECV state (the fifth column is the foreign address; splitting on the colon drops the port).

code is as follows:


netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Uses netstat to count the number of connections to the server from each IP address. Note that cut -d: -f1 keeps only the text before the first colon, so IPv6 addresses (which contain colons) are truncated; strip the trailing :port with sed or awk instead if the host has IPv6 traffic.

code is as follows:


netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Lists the number of TCP and UDP connections to the server from each IP address.

code is as follows:


netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

Checks only the ESTABLISHED connections instead of all connections, giving the number of established connections per IP address, highest first.

code is as follows:


netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

Displays the IP addresses connected to port 80 and the number of connections from each. Port 80 is used for HTTP.

How to mitigate the DDoS attack

Once you have found the IP addresses attacking your server, you can use the following command to block their connections:

code is as follows:


iptables -I INPUT 1 -s $IPADDRESS -j DROP

Note that you must replace $IPADDRESS with the IP address you found with the netstat command. Use -j REJECT instead of -j DROP if you want the client to receive an error rather than time out. Inserting the rule at position 1 of the INPUT chain puts it ahead of any existing ACCEPT rules, so it takes effect immediately; for an IPv6 source address use ip6tables instead.
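The per-IP counting pipelines above and the iptables blocking step can be combined into one small script. The following is an added example written for this page, not code from the original article: it parses netstat -ntu style output (a constructed sample is embedded so it runs offline), strips the port from both IPv4 and IPv6 foreign addresses (where the article's cut -d: -f1 breaks), counts connections per IP optionally filtered by state, and prints, without executing, the iptables or ip6tables rule for every IP at or above a chosen threshold. The function names, the sample addresses and the threshold are all assumptions for illustration.

```shell
#!/bin/sh
# Added example for this page (not the original article's code).
# Sample netstat -ntu output, constructed for this example only.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:44000      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.2:44001      ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::1:1:6000      SYN_RECV
udp        0      0 10.0.0.5:53             192.0.2.9:5353          ESTABLISHED'

# Read netstat output on stdin and print "count ip" per remote IP,
# most connections first. Optional argument: a State to filter on
# (e.g. SYN_RECV or ESTABLISHED); with no argument every line counts.
# The port is removed with a regex on the trailing ":digits", so IPv6
# addresses such as 2001:db8::1:1 survive intact.
per_ip_counts() {
    state="${1:-}"
    awk -v want="$state" '
        NR <= 2 { next }                   # skip the two netstat header lines
        want != "" && $6 != want { next }  # keep only the requested state
        { addr = $5; sub(/:[0-9]+$/, "", addr); print addr }
    ' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Read netstat output on stdin and emit (but do not run) a DROP rule for
# every remote IP whose connection count in the given state reaches the
# threshold. IPv6 addresses get ip6tables, IPv4 addresses get iptables.
# Inserting at position 1 puts the rule ahead of any existing ACCEPT rules.
block_rules() {
    state="$1"
    threshold="$2"
    per_ip_counts "$state" | awk -v t="$threshold" '
        $1 >= t {
            tool = (index($2, ":") ? "ip6tables" : "iptables")
            printf "%s -I INPUT 1 -s %s -j DROP\n", tool, $2
        }'
}

# Demo on the constructed sample. On a live host replace the printf with:
#   netstat -ntu | per_ip_counts SYN_RECV
#   netstat -ntu | block_rules SYN_RECV 50 | sh   # only after reviewing the rules
printf '%s\n' "$SAMPLE_NETSTAT" | per_ip_counts SYN_RECV
printf '%s\n' "$SAMPLE_NETSTAT" | block_rules SYN_RECV 3
```

Review the generated rules before piping them to sh: a threshold that is sensible for a SYN flood may block a legitimate NAT gateway or proxy that opens many connections on behalf of real users.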

