DDOS check via number of connections

A quick and useful command for checking whether a server is under DDoS is the following. It must be executed as a single line over SSH:

```bash
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
```

That will list the IPs holding the most connections to the server. Keep in mind that DDoS attacks are becoming more sophisticated: attackers use fewer connections from a larger number of attacking IPs, so you may still see low per-IP connection counts even while you are under a DDoS.

Additionally, you can check which connections and ports are in use with lsof:

```bash
lsof | grep ESTABLISHED
lsof | grep LISTEN
```

and inspect a single process by its PID:

```bash
lsof -p PID
```


To check for a DDoS attack by analysing the number of connections, especially on a Linux server (with Apache, NGINX, or similar stacks), you can use a few command-line tools to identify abnormal traffic patterns. Here’s a step-by-step guide:


1. Check Number of Connections Per IP (Using netstat)

```bash
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
```

What it does:

  • Lists the number of active network connections per IP address.

  • Helps you spot IPs making hundreds or thousands of connections — a common DDoS pattern.


2. Count Total Connections

```bash
netstat -an | grep :80 | wc -l
```

or for HTTPS:

```bash
netstat -an | grep :443 | wc -l
```

Why it matters:

  • A typical web server may see hundreds of concurrent connections — anything in the thousands may indicate an attack.


3. Check TCP SYN Flood Attempts (Using netstat)

```bash
netstat -nap | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
```

Explanation:

  • Shows how many connections are stuck in the SYN_RECV state, often a sign of TCP SYN flood attacks.


4. Monitor Live Traffic (Using iftop or nload)

Install iftop if not already:

```bash
sudo apt install iftop # Debian/Ubuntu
sudo yum install iftop # CentOS/RHEL
```

Then run:

```bash
sudo iftop -i eth0
```

What it shows:

  • Real-time incoming and outgoing traffic by IP.

  • Helps you identify which IPs are sending large amounts of traffic.


5. Use ss for Faster Connection Checks

```bash
ss -s
```

or detailed by state:

```bash
ss -ant state established | wc -l
```

Threshold to Watch For

  • Normal traffic: a few hundred established connections.

  • DDoS suspected: thousands of simultaneous connections, whether from a single IP or spread across many.
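As an added example (not part of the original post), the per-IP counting and threshold check above folded into a small POSIX shell script that reads `ss -ntu` output. It keeps IPv6 peers intact, which the `cut -d: -f1` one-liners above truncate at the first colon, and can restrict the count to one state such as SYN-RECV. The `ss` output embedded here is constructed sample data and the threshold value is an assumption.

```bash
#!/bin/sh
# Constructed sample of `ss -ntu` output (not a real capture).
SAMPLE_SS='Netid State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   ESTAB    0      0      10.0.0.5:443        198.51.100.7:51234
tcp   ESTAB    0      0      10.0.0.5:443        198.51.100.7:51235
tcp   SYN-RECV 0      0      10.0.0.5:443        203.0.113.9:40001
tcp   SYN-RECV 0      0      10.0.0.5:443        203.0.113.9:40002
tcp   SYN-RECV 0      0      10.0.0.5:443        203.0.113.9:40003
tcp   ESTAB    0      0      [2001:db8::1]:443   [2001:db8:1::5]:6000
tcp   ESTAB    0      0      [2001:db8::1]:443   [2001:db8:1::5]:6001
udp   UNCONN   0      0      0.0.0.0:53          0.0.0.0:*'

# Read ss output on stdin; print "count peer" lines, highest first.
# $1 (optional) restricts to one ss state, e.g. ESTAB or SYN-RECV.
peers_by_count() {
  awk -v want="$1" 'NR > 1 && (want == "" || $2 == want) {
      peer = $6                         # Peer Address:Port column
      sub(/:[^:]*$/, "", peer)          # strip only the trailing :port
      gsub(/[][]/, "", peer)            # drop IPv6 brackets
      if (peer != "0.0.0.0" && peer != "*") n[peer]++
  } END { for (p in n) print n[p], p }' | sort -rn
}

# Print only peers with at least $1 connections ($2 = optional state).
# The threshold is site-specific; 3 below is just for the sample.
over_threshold() {
  peers_by_count "$2" | awk -v t="$1" '$1 >= t'
}

# Demo on the sample; live use would be: ss -ntu | over_threshold 200 SYN-RECV
printf '%s\n' "$SAMPLE_SS" | peers_by_count
printf '%s\n' "$SAMPLE_SS" | over_threshold 3 SYN-RECV
```

The demo prints 203.0.113.9 at the top with 3 half-open connections, and the IPv6 peer 2001:db8:1::5 counted as one address with 2 connections rather than being reported as "2001".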


Quick Response: Block an IP Temporarily

```bash
sudo iptables -A INPUT -s <malicious-ip> -j DROP
```

To remove later:

```bash
sudo iptables -D INPUT -s <malicious-ip> -j DROP
```

If you’re using Cloudflare, LiteSpeed, or a firewall like CSF, I can help you integrate connection limits and auto-block rules too.

If you’re experiencing a DDoS (Distributed Denial of Service) attack, it’s critical to act immediately. Here are the steps you should take to mitigate and stop the attack:


1. Identify and Confirm the Attack

  • Check for unusual traffic spikes, slowdowns, or site outages.

  • Use server logs or tools like Netstat, iftop, or DDoS detection services (Cloudflare, Sucuri, etc.).

  • Confirm if traffic is coming from multiple IPs, abnormal regions, or strange user agents.


2. Activate DDoS Protection

  • Cloudflare, Sucuri, or AWS Shield offer real-time DDoS mitigation.

  • Enable “Under Attack Mode” in Cloudflare to filter malicious traffic.

  • Use WAF (Web Application Firewall) rules to block suspicious requests.


3. Block Malicious IPs

  • Use .htaccess, iptables, or server firewall (e.g., CSF, UFW) to block attacking IPs.

  • Example (Linux server with iptables; replace the placeholder with the attacking address):

    ```bash
    sudo iptables -A INPUT -s <malicious-ip> -j DROP
    ```

4. Rate-Limit and Filter Requests

  • Throttle requests using web server configs (e.g., NGINX rate limiting).

  • Enable CAPTCHA or JS challenge to filter out bots.

  • Monitor HTTP headers and block non-browser user agents.


5. Scale or Isolate Infrastructure

  • If you’re on a VPS or dedicated server, consider temporarily:

    • Scaling up resources

    • Offloading static content to CDNs

    • Isolating backend/database access


6. Notify Your Hosting Provider

  • Hosting providers may have DDoS mitigation infrastructure or blackhole routing options.

  • They may also provide logs or forensic assistance.


7. Log, Document, and Report

  • Log IPs, timestamps, and user agents for forensic tracking.

  • Report sustained or sophisticated attacks to:


If you’re using cPanel, WHM, or a cloud server, I can help you implement precise mitigation steps for your stack. Just let me know your setup (e.g., Apache, NGINX, LiteSpeed, Cloudflare status).

