How to Check for Denial of Service Attacks

Attackers use DDoS attacks to degrade server performance.

Your website and server become slow, and you may see a "Service Unavailable" or timeout error if your server is under attack.

If you are running a Windows server, ensure that Windows Firewall is enabled on it.

Run the commands below in the Windows server's command prompt (CMD) to check the number of connections to your server.

To display all the connections:

netstat -an

netstat -ano | find ":"

To check the total number of connections:

netstat -ano | find ":" /c

To check the total number of connections on ports 80 and 443:

netstat -ano | find ":80" /c

netstat -ano | find ":443" /c

Note that find ":80" matches every address containing ":80", including ports such as 8080 and 8000, so use find ":80 " (with a space after the port number) when you want port 80 exactly.

To display all the connections to ports 80 and 443 with IP addresses:

netstat -ano | find ":80"

netstat -ano | find ":443"

Change the port number in the above commands to check the number of connections to other ports.

You can also check the web server connection logs under C:\inetpub\logs\LogFiles\ (the IIS log directory).

If you find an unusually large number of connections from a particular IP address or port, you can block it using Windows Firewall.

Run the command below to block an IP address in Windows Firewall:

netsh advfirewall firewall add rule name="IP Block" dir=in interfacetype=any action=block remoteip=<IP_Address>/32

To block additional IP addresses, connect via RDP and go to Windows Firewall with Advanced Security >> Inbound Rules >> double-click the "IP Block" rule.

Click Scope >> under "Remote IP Address" add the IP from which you are getting the excess connections, then click "OK".

If you find many connections on a specific port, you can restrict them by creating a new rule for that port in "Windows Firewall with Advanced Security".

Refer to https://technet.microsoft.com/en-us/library/hh831755.aspx?f=255&MSPPError=-2147217396 for more details about Windows Firewall with Advanced Security.

On a Linux server:

Run the command below to list the open connections to the server, grouped by remote IP address and sorted by count:

netstat -na | awk '{print $5}' | cut -d ":" -f1 | sort | uniq -c | sort -n

You can also check the number of connections with the following commands; the first groups connections to port 80 by local address, the second by remote IP:

netstat -plan | grep :80 | awk '{print $4}' | sort -n | uniq -c | sort -n

or

netstat -n | grep ':80' | awk -F' ' '{print $5}' | awk -F':' '{print $1}' | sort | uniq -c | sort -n

These are a few steps to take when you suspect the server is under attack:

Step 1: Check the load using the command "w".

Step 2: Check which service is using the most CPU with "nice top".

Step 3: Check which IP has the most connections with

netstat -anpl | grep :80 | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -n

Step 4: Then block the IP using the firewall (csf or iptables, e.g. "csf -d <IP>").
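As an added example that is not part of the original article, the Step 3 pipeline written as POSIX shell functions: they run here against a constructed netstat sample (SAMPLE, count_by_remote and flag_sources are names introduced for this example), match the local port exactly rather than as a substring, skip the listening socket, and list the remote IPs that exceed a connection threshold for review before any Step 4 block.

```shell
#!/bin/sh
# Added example (not from the original article): the Step 3 pipeline as
# reusable POSIX shell functions. SAMPLE is a constructed snippet of
# `netstat -nat` output so this runs offline; on a live server replace it
# with the real command output. The local port is matched exactly (":80"
# only, not ":8080"), listening sockets are skipped, IPv4 only is assumed.
SAMPLE='tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:443        192.0.2.44:40000        ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        TIME_WAIT
tcp        0      0 203.0.113.10:22         192.0.2.99:55555        ESTABLISHED
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'

# count_by_remote PORT
# Prints "<count> <remote IP>" for connections to local PORT, lowest count first.
# Field 4 is the local address, field 5 the remote address, field 6 the state.
count_by_remote() {
    printf '%s\n' "$SAMPLE" |
      awk -v p=":$1" '$4 ~ (p "$") && $6 != "LISTEN" { split($5, a, ":"); print a[1] }' |
      sort | uniq -c | sort -n
}

# flag_sources PORT THRESHOLD
# Prints remote IPs holding more than THRESHOLD connections to PORT; these are
# the candidates for the firewall block in Step 4, to be reviewed first.
flag_sources() {
    count_by_remote "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# Demo: per-IP counts on port 80, then sources with more than 2 connections.
count_by_remote 80
flag_sources 80 2
```

A legitimate reverse proxy or NAT gateway also shows many connections from one address, so confirm what the flagged source is before blocking it.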

You can also implement security features on your server, such as:

1) Install Apache modules like mod_evasive (formerly mod_dosevasive) and mod_security on your server.

2) Configure CSF and iptables to reduce the impact of DDoS traffic.

3) Configure sysctl parameters on your server to drop attack traffic.