Netstat to check on DOS attack

I use the following command to check on the number of connections from IP’s at port :80

netstat -ant | awk ‘$4 ~ /:80$/’ | awk ‘{print $5}’ | awk -F: ‘{print $1}’ | sort | uniq -c

Also, the following code is used to check the various state of tcp connections and the number of connections associated with each state:

netstat -ant | awk ‘{print $6}’| sort | uniq -c | sort -n

The following iptables rule prevents the DOS attack on your webserver by limiting maximum 30 connection per minute. This limit/minute will be enforced only after the total number of connection have reached the limit-burst level

iptables -A INPUT -p tcp –dport 80 -m limit –limit 30/minute –limit-burst 100 -j ACCEPT

Some examples on egrep and awk

In case you want to know the service listening to any port#, say port 139

egrep ‘\<139/tcp\>’ /etc/services

You get the same output as above using awk as follows:

awk ‘$2 ~ /^139\/tcp/ {print $1,$2}’ /etc/services

Though egrep is easier one, I somehow love using awk for text manupulations..


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s