Showing posts from February, 2012

How to Detect and Stop DDoS/SYN Attack in Linux

The commands below show the number of active connections open on your server. Many attacks work by starting a connection to the server and then never sending a reply, which leaves the server waiting for the connection to time out. The number of active connections from the first command will vary widely, but if it is much above 500 you are probably having problems. If the second command returns more than 100, you are having trouble with a SYN attack.

# netstat -n | grep :80 |wc -l

# netstat -n | grep :80 | grep SYN |wc -l
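The same two counts as a reusable script (an added example, not part of the original post): it matches the local port exactly, so :8080 and outbound connections to a remote port 80 are not counted, and it lists which peers hold the half-open connections. The function names and the sample netstat lines are constructed for illustration; the 500 and 100 thresholds are the ones given above.

```shell
#!/bin/sh
# Constructed sample in the format printed by `netstat -n` (documentation IPs).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51122      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51123      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40210       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.44:38110      ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.50:38111      ESTABLISHED
tcp        0      0 192.0.2.10:44120        203.0.113.80:80         ESTABLISHED
EOF
}

# Print "<total> <syn>" for connections whose LOCAL port is exactly $1 (default 80).
# Unlike `grep :80`, this skips :8080 and outbound connections to a remote port 80.
port_counts() {
    awk -v port="${1:-80}" '
        $1 ~ /^tcp/ { n = split($4, a, ":"); if (a[n] != port) next
                      total++; if ($6 ~ /^SYN/) syn++ }
        END { printf "%d %d\n", total, syn }'
}

# Print "<count> <ip>" for half-open (SYN*) connections to the port, busiest first.
syn_sources() {
    awk -v port="${1:-80}" '
        $1 ~ /^tcp/ && $6 ~ /^SYN/ { n = split($4, a, ":"); if (a[n] != port) next
                      ip = $5; sub(/:[0-9]+$/, "", ip); c[ip]++ }
        END { for (ip in c) printf "%d %s\n", c[ip], ip }' | sort -k1,1nr -k2,2
}

# Apply the post's rule-of-thumb thresholds: more than 100 SYN, much above 500 total.
verdict() {
    set -- $(port_counts 80)
    if [ "$2" -gt 100 ]; then echo "syn-flood-suspected"
    elif [ "$1" -gt 500 ]; then echo "connection-count-high"
    else echo "ok"; fi
}

# Live use: netstat -n | verdict      Demo on the sample: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_netstat | port_counts; sample_netstat | syn_sources; sample_netstat | verdict
fi
```

On a live server, pipe `netstat -n` into `port_counts`, `syn_sources` or `verdict` in place of the sample.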

Then check your log for the IP address with the most connections. The command below lists the hits in your access log…

# cd /var/log/httpd

# tail -n 10000 access_log|cut -f 1 -d ' '|sort|uniq -c|sort -nr|more

This will look at the currently active connections to see if there are any IPs connecting to port 80. You might need to alter the cut -c 45- as the IP address may not start at column 45. If someone was doing a UDP flood to your webserver, this would …