DDOS check via number of connections

ddos

DDOS check via number of connections

A quick and usefull command for checking if a server is under DDOS is

That will list the IPs taking the most amount of connections to a server. It is important to remember that the ddos is becoming more sophistcated and they are using fewer connections with more attacking ips. If this is the case you will still get low number of connections even while you are under a DDOS.

this MUST be executed in one line via SSH

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

additionally you can check the connection ports here

lsof | grep ESTABLISHED
lsof | grep LISTEN

lsof -p PID