How to find your server is under DDOS Attack


How to find your server is under DDOS Attack

Here is a command line to run on your server if you think your server is under DDOS attack.  The commands given below prints out list of open connections on your server and sorts them by connection amount.


netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n


netstat -na |awk ‘{print $5}’ |cut -d “.” -f1,2,3,4 |sort |uniq -c |sort -n

You can also check for connections by running the following command.

netstat -plan | grep :80 | awk ‘{print $4 }’ | sort -n | uniq -c | sort


These are few step to be taken when you feel the server is under attack:

  •  Check the load using the command “w“.
  •  Check which service is utilizing maximum CPU by “nice top“.
  •  Check which IP is taking maximum connection by
  • netstat -anpl|grep :80|awk {‘print $5’}|cut -d”:” -f1|sort|uniq -c|sort -n
  • Then block the IP using firewall (APF or iptables “apf -d < IP>” )

You can consider using the following methods to secure your server.

1) Use third party DDOS protection service like

2) Configure CSF firewall and enable SYN Flood protection

3) Configure sysctl parameters in your server to drop attacks.



Share this post