How to check if my system is under a DDoS attack?


What is a DDoS attack?

DDoS stands for distributed denial-of-service attack. You may have heard the term, but many people don't know what actually happens during one. In a DDoS attack, the attacker sends a large amount of traffic to the targeted host/system and prevents it from running smoothly. The traffic comes from many compromised hosts/machines across the internet rather than from a single source, which is what makes it "distributed".

What happens if there is a DDoS attack on your system?

a) The website keeps loading and never finishes.

b) The website returns timeout errors.

c) Database connections time out.

d) Email sending/receiving fails.

e) RAM/CPU is overloaded.

How to detect DDoS attacks?

It is better to detect the attack as soon as possible, before it does more damage to your system. You can use the netstat command to display all the current TCP/IP network connections to your system.

Detect a DDoS attack on a Windows system

  1. First, log in to your server via RDP. Please refer to how to log in to your server via RDP.

  2. Go to Start, open Run, type cmd and hit Enter. This opens the command prompt.

  3. Type netstat -noa to view all the network connections to your system. You can also use the commands below as per your requirement.

netstat -n: This command displays all active TCP connections to your system, with IP addresses and port numbers shown numerically (no DNS lookups).

netstat -o: This command displays all active TCP connections, including the process ID (PID) that owns each connection. Once you have the PID, you can find the application running under that process ID in the Windows Task Manager.

netstat -a: This command displays all active TCP connections. It also displays all the TCP/UDP ports on which the system is listening.

When the statistics are displayed, look for an IP address with a large number of TCP connections. It could be a DDoS attack from that IP address. You can block that IP address in Windows Firewall. Please refer to how to block IP addresses in Windows Firewall.

Detect a DDoS attack on a Linux system

  1. Log in to the Linux server using SSH.

  2. Run the command below to list the IP addresses connected to your Linux system.

    # netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c
    
  3. Run the command below to find each source IP address and the number of connections it has to your Linux system.

    # netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

  4. Run the command below to check the number of active TCP connections on port 80.

    # netstat -n | grep :80 |wc -l
    
  5. If an IP address has too many connections, it could be an attacker's IP address. You can block it using the command below, replacing ipaddress with the offending address.

    # route add -host ipaddress reject
    
  6. You can also block it using iptables on the Linux machine.
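As an added example (not part of the original article), the step 3 and step 4 pipelines wrapped in POSIX shell functions that run over a constructed `netstat -ntu` sample, so the per-source counting and a simple threshold check can be tried offline before pointing them at a live server. The sample addresses are documentation ranges, not real hosts, and the threshold value is an assumption you would tune to your own baseline.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not a real capture): one
# source (203.0.113.7) holds many half-open connections to port 80, two
# others are ordinary clients. Two header lines precede the data rows.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:51001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51003       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51004       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.4:40211      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.4:40212      ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.9:33000      ESTABLISHED
EOF
}

# Step 3 pipeline: connections per foreign IP, lowest count first. The two
# netstat header lines are skipped so they are not counted as addresses.
# Reads netstat output on stdin.
count_by_source() {
  awk 'NR > 2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
}

# Print only the source IPs whose connection count is >= the threshold ($1).
# Reads netstat output on stdin.
flag_sources() {
  count_by_source | awk -v t="$1" '$1 >= t {print $2}'
}

# Step 4 pipeline, anchored to the local-address column: count rows whose
# local port equals $1, so a remote port that happens to be 80 is not
# miscounted (the article's `grep :80` matches either column).
count_port() {
  awk -v p="$1" 'NR > 2 { port = $4; sub(/.*:/, "", port); if (port == p) n++ }
                 END { print n + 0 }'
}

# Stand-alone run over the sample: flag any source with 3 or more connections.
sample_netstat | flag_sources 3
sample_netstat | count_port 80
```

On a real server replace `sample_netstat` with `netstat -ntu` (or `ss -ntu`, whose columns differ). A genuinely distributed attack spreads its connections across many sources, so no single address may cross the threshold; compare the total connection count against the server's normal baseline as well.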

