A Distributed Denial of Service (DDoS) attack overwhelms your server with excessive traffic, causing it to become unavailable for genuine users. If your Linux server experiences high load, slow performance, or downtime, it could be a sign of a DDoS attack.
Here’s how to check if your Linux server is under a DDoS attack.
- Check Active Connections:
A key sign of a DDoS attack is an unusually high number of active connections. To check this, use the following command to see how many active connections exist on port 80 (the HTTP port):
netstat -n | grep :80 | wc -l
This command will display the number of active connections. If the number is unusually high, it may indicate an attack.
- Check for a SYN Flood Attack:
A SYN flood is a type of DDoS attack in which attackers initiate connections to your server but never complete the handshake, leaving half-open connections that exhaust the server's resources. Use the following command to check for SYN connections:
netstat -n | grep :80 | grep SYN | wc -l
If the result shows a large number of SYN connections (typically above 100), your server might be experiencing a SYN flood attack.
- Identify IP Addresses with the Most Connections:
To determine whether certain IP addresses are making excessive connections to your server, use this command:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
This will display a list of IP addresses with the number of connections each is making to your server. If you notice an IP address with an unusually high number of connections, it may be the source of the attack.
- Block Suspicious IP Addresses:
- Once you have identified an IP address that is making an excessive number of connections, you can block it by adding a rejecting host route:
route add -host <IP address> reject
- For example, to block the IP address 192.168.0.1, the command would be:
route add -host 192.168.0.1 reject
- You can verify that the IP address is blocked by running:
route -n | grep <IP address>
- Alternatively, you can use iptables to block an IP address. The DROP rule takes effect immediately; save it before any restart, because restarting the service reloads the saved rule set and would discard an unsaved rule:
iptables -A INPUT -s <IP address> -j DROP
service iptables save
service iptables restart
- Restart the Web Server:
After blocking malicious IP addresses, restart the web server to clear existing connections and allow normal traffic:
killall -KILL httpd
service httpd start
- Monitor for Further Attacks:
Keep monitoring your server by regularly checking the active connections and identifying any abnormal patterns. DDoS attacks may occur in waves, so continuous vigilance is necessary.
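The three checks above (connection totals, SYN counts and per-address counts) combined into one pass over `netstat -ant` output, as an added example that is not part of the original article. A constructed sample listing is embedded so it runs offline; unlike `cut -d: -f1`, it strips only the trailing port, so IPv6 peers are counted correctly, and the flagging threshold is an assumed default.

```shell
#!/bin/sh
# Added example, not from the original article: summarise a `netstat -ant`
# listing by remote address, count SYN_RECV (half-open) connections, and flag
# peers above a threshold. On a live host: netstat -ant | flag_peers 100

# Constructed sample in `netstat -ant` layout:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State
SAMPLE='tcp 0 0 10.0.0.5:80 198.51.100.7:51234 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.7:51235 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:51236 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:51237 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.9:40001 ESTABLISHED
tcp 0 0 10.0.0.5:22 203.0.113.9:40002 ESTABLISHED
tcp6 0 0 2001:db8::5:80 2001:db8:1::7:44321 SYN_RECV
tcp 0 0 10.0.0.5:443 192.0.2.1:55555 TIME_WAIT
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN'

# Total half-open (SYN_RECV) connections; the article's rule of thumb is >100.
count_syn() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# One line per remote address: "<total> <syn_recv> <address>", busiest first.
# Only the trailing ":port" is removed, so IPv6 peers (which contain colons)
# stay intact.
summarize_peers() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" {
             addr = $5; sub(/:[0-9]+$/, "", addr)
             total[addr]++
             if ($6 == "SYN_RECV") syn[addr]++
         }
         END { for (a in total) printf "%d %d %s\n", total[a], syn[a] + 0, a }' |
    sort -rn
}

# Addresses holding more than $1 connections (default threshold is assumed).
flag_peers() {
    summarize_peers | awk -v t="${1:-3}" '$1 > t { print $3 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | summarize_peers
printf '%s\n' "$SAMPLE" | flag_peers 3
```

The column positions assume `netstat -ant`; `ss -Htan` prints the state in the first column and the peer in the fifth, so adjust the field numbers before piping its output in.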
In this way, you can check whether your Linux server is under a DDoS attack.