Hunting for DDoS activity
What is a DDoS?
A Distributed Denial-of-Service (DDoS) attack is when multiple attacking machines attempt to overwhelm the victim machine(s)
Often DDoS attacks are used as a smokescreen
Other attacks take advantage of the confusion to sneak through under the radar
Indicators of a DDoS attack
Multiple different factors can point to a DDoS attack:
Unavailability of websites
Slow network performance
Failover
Back-end systems operating at maximum capacity
Overload of network security systems (SIEM, IPS/IDS)
Unanticipated server unavailability when there are no pending updates or scheduled reboots to explain it
Hunting for DDoS activity
If you suspect that a DDoS attack is occurring, netstat is a useful tool
Typing netstat -an on the webserver will show the current connections to the server
IP addresses connected to many different ports may be an indication of a DoS attack
If you don't want to comb through the netstat output, you can use the following to see which IPs are connecting to your server and how many connections each has:
Multiple IP addresses connected to multiple ports is a likely sign of a DDoS attack
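The summary described above, written out as an added example (this is not a command from the original page): two small shell functions that read netstat -an style output and report, per remote IP, how many connections it holds and how many different local ports it has reached, plus a helper that flags IPs above a threshold. The netstat output embedded below is constructed for illustration, and the functions assume Linux-style netstat columns (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State) with IPv4 addresses; IPv6 and UDP lines are skipped.

```shell
#!/bin/sh
# Added example, not from the original page. Summarise netstat -an output per remote IP.
# Assumes Linux netstat column layout; IPv4 TCP lines only (IPv6/UDP/LISTEN are skipped).

# Constructed sample of `netstat -an` output (illustrative, not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.7:51237       ESTABLISHED
tcp        0      0 10.0.0.5:8080           203.0.113.7:51238       ESTABLISHED
tcp        0      0 10.0.0.5:8080           203.0.113.7:51239       TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40002      ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# connections_per_ip: reads netstat output on stdin, prints "count remote_ip", highest first.
connections_per_ip() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" && $5 ~ /^[0-9.]+:[0-9]+$/ {
             split($5, remote, ":")      # remote[1] = foreign IP, remote[2] = foreign port
             conn[remote[1]]++
         }
         END { for (ip in conn) print conn[ip], ip }' | sort -rn
}

# ports_per_ip: reads netstat output on stdin, prints "distinct_local_ports remote_ip",
# highest first. One IP touching many different server ports is the pattern the page
# calls out as a DoS indicator.
ports_per_ip() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" && $5 ~ /^[0-9.]+:[0-9]+$/ {
             split($4, local, ":")       # local[2] = server-side port
             split($5, remote, ":")
             key = remote[1] SUBSEP local[2]
             if (!(key in seen)) { seen[key] = 1; ports[remote[1]]++ }
         }
         END { for (ip in ports) print ports[ip], ip }' | sort -rn
}

# flag_suspects THRESHOLD: reads "count ip" lines on stdin, prints IPs whose count
# is at or above THRESHOLD (default 100; tune to the server's normal traffic).
flag_suspects() {
    awk -v t="${1:-100}" '$1 >= t { print $2 }'
}

# Demo against the constructed sample. On a live host replace the printf with
# `netstat -an | connections_per_ip` and so on.
printf '%s\n' "$SAMPLE_NETSTAT" | connections_per_ip
printf '%s\n' "$SAMPLE_NETSTAT" | ports_per_ip
printf '%s\n' "$SAMPLE_NETSTAT" | connections_per_ip | flag_suspects 5
```

The threshold is deliberately a parameter: on a busy web server a single NAT gateway or proxy can legitimately hold dozens of connections, so compare the numbers against a baseline taken when the server is healthy rather than treating any count as proof of an attack.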