Nowadays, most web applications are exposed to many kinds of attacks. One of them is the DDoS attack. There are a lot of services on the internet that offer some kind of protection, but not all of them are free. In this tutorial, I’m going to explain how you can detect a DDoS attack from your Linux server CLI and take steps to prevent it.
Prerequisites
- Linux bash environment
- sudo privileges
- netstat
Check if your web application is under DDoS attack
If you have noticed that your web application is running slowly and sometimes throws timeouts, it may be under a DDoS attack.
Step 1. To check for a DDoS attack on port 80 (HTTP), run the following command:
sudo netstat -plane | grep :80 | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'| sort | uniq -c | sort -n
Step 2. For port 443 (HTTPS), execute:
sudo netstat -plane | grep :443 | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'| sort | uniq -c | sort -n
Output:
1 108.177.15.189
5 140.82.112.25
2 142.250.180.195
10 162.125.19.131
350 184.51.8.249
11 23.47.209.26
The first column shows how many connections are established and the second column shows the IP address they come from. So, in the example above, there are 350 connections from the IP address 184.51.8.249, which looks very suspicious.
Protect your web application from a DDoS attack
To protect your application from a DDoS attack, the first thing to do is to spot an IP address with many active connections, as in the example above. Then you should immediately add a firewall rule to block that IP address; the exact command depends on your Linux distro.
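The detection and blocking steps above, put together as an added example (not code from the original tutorial). It wraps the counting pipeline in reusable shell functions, flags sources above a threshold and prints the firewall rule an administrator would add. The netstat output it reads is constructed sample data embedded in the script so that it runs offline; on a live server you would feed it the real output of `sudo netstat -plane`. The iptables rule is an assumption about the firewall in use; nftables-based distros need the equivalent `ip saddr ... drop` rule instead.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial: the netstat pipelines
# rewritten as reusable functions that (1) count connections per remote IP
# on one local port, (2) flag sources at or above a threshold and
# (3) print the firewall rule an admin would add.
# SAMPLE_NETSTAT is CONSTRUCTED sample data (documentation address ranges)
# so the script runs offline. On a live server use: sudo netstat -plane

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          12345      1001/nginx
tcp        0      0 10.0.0.5:80             198.51.100.7:51000      ESTABLISHED 33         12346      1001/nginx
tcp        0      0 10.0.0.5:80             198.51.100.7:51001      ESTABLISHED 33         12347      1001/nginx
tcp        0      0 10.0.0.5:80             198.51.100.7:51002      SYN_RECV    33         12348      1001/nginx
tcp        0      0 10.0.0.5:80             203.0.113.9:40000       ESTABLISHED 33         12349      1001/nginx
tcp        0      0 10.0.0.5:8080           192.0.2.44:43210        ESTABLISHED 33         12350      1002/java
tcp6       0      0 ::ffff:10.0.0.5:443     ::ffff:203.0.113.9:40001 ESTABLISHED 33        12351      1001/nginx'

# count_by_remote_ip PORT   (netstat output on stdin)
# Prints "<count> <remote ip>" lines, busiest source first. Unlike a plain
# "grep :80", the LOCAL port column is compared exactly, so a listener on
# 8080 or a remote ephemeral port such as 8012 is not counted by mistake.
# Every TCP state except LISTEN is counted, because half-open SYN_RECV
# entries are part of the picture during a flood. IPv4-mapped IPv6 peers
# keep their ::ffff: prefix as netstat prints it.
count_by_remote_ip() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            n = split($4, laddr, ":")        # local port is the last field
            if (laddr[n] != port) next
            ip = $5
            sub(/:[^:]*$/, "", ip)           # strip the remote port (IPv6-safe)
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# flag_suspicious THRESHOLD   (counted output on stdin)
# Prints the remote IPs whose connection count is at or above THRESHOLD.
flag_suspicious() {
    awk -v t="$1" '$1 >= t { print $2 }'
}

# block_rule IP
# Prints, without executing, the rule that drops further traffic from IP.
# iptables is assumed; on nftables-only hosts the equivalent is an
# "ip saddr IP drop" rule in the input chain.
block_rule() {
    printf 'sudo iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Demo: port 80, flag any source with 3 or more connections.
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_ip 80
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_ip 80 | flag_suspicious 3 |
    while read -r ip; do block_rule "$ip"; done
```

Run it as-is to see the counts for the constructed sample (198.51.100.7 is flagged with three connections); for a real check, replace the `printf` of the sample with `sudo netstat -plane` and raise the threshold to something that fits your normal traffic, since legitimate NAT gateways and proxies also open many connections from one address. Review the printed rule before executing it.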
Conclusion
This tutorial covers some basic steps for spotting and mitigating DDoS attacks. Feel free to leave a comment below, and if you found this tutorial useful, follow our official channel on Telegram.