Netstat Commands for DDoS Checking

Useful commands to check if a server is getting ddos’d

Show IPs with more than 10 connections open:


# netstat -nat | grep ":80" | awk -F: '{print $8}' | sort | uniq -c | sort -n | awk '{ if ( $1 > 10) print $2 ; }'

Show # of connections open per IP


# netstat -nat | egrep ":80|:443" | awk -F: '{print $8}' | sort | uniq -c | sort -n 

Number of connections per IP


# netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Haynie’s version(better sorting):


# netstat -anp|awk '{print $5}'|awk -F: '{print $4}'|sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4|uniq -c|sort -n

Drop ips with 100 or more connections:


# netstat -nat | egrep ":80|:443" | awk -F: '{print $8}' | sort | uniq -c | sort -n | awk '{ if ( $1 > 100) print $2 ; }' | xargs -n1 echo iptables -I INPUT -j DROP -s

Graphic netstat connections(# of connections open per host)

# netstat -an | grep ESTABLISHED | awk ‘{print $5}’ | awk -F: ‘{print $1}’ | sort | uniq -c | awk ‘{ printf(“%s\t%s\t”,$2,$1) ; for (i = 0; i < $1; i++) {printf("*")}; print "" }' [/bash]

Leave a Comment