Any hosting server will face a DDoS attack at some point, and in the middle of one it is hard to find the right command to check which connections are hitting the server. Here is a small tip using tcpdump.

tcpdump -vnn -c 200 -w attack dst port 80

This captures up to 200 packets destined for port 80 into the file "attack"; change the port number and the filename as needed. Once the capture is done, the following command counts the packets seen from each source IP:

tcpdump -nr attack | awk '{print $3}' | grep -oE '[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}' | sort | uniq -c | sort -rn

Block the IPs with the highest counts using iptables, replacing ipaddress with the offending address:

iptables -I INPUT -s ipaddress -j DROP
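The three steps above wrapped into a small script, as an added example that is not part of the original post. It assumes tcpdump's default one-line text output ("HH:MM:SS.us IP src.port > dst.port: ...") and uses a constructed sample in place of a real capture file; the function names (top_sources, suspects, block_rules) and the threshold argument are my own.

```shell
#!/bin/sh
# Added example: count source IPs in `tcpdump -nr` text output and pick the
# ones above a threshold, so blocking is based on a number, not eyeballing.

# Constructed sample of what `tcpdump -nr attack` prints (not a real capture).
SAMPLE_LINES='12:00:00.000001 IP 198.51.100.7.41234 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
12:00:00.000002 IP 198.51.100.7.41235 > 203.0.113.10.80: Flags [S], seq 2, win 65535, length 0
12:00:00.000003 IP 192.0.2.33.51000 > 203.0.113.10.80: Flags [S], seq 3, win 65535, length 0
12:00:00.000004 IP 198.51.100.7.41236 > 203.0.113.10.80: Flags [S], seq 4, win 65535, length 0
12:00:00.000005 IP 198.51.100.9.40000 > 203.0.113.10.80: Flags [S], seq 5, win 65535, length 0
12:00:00.000006 IP 192.0.2.33.51001 > 203.0.113.10.80: Flags [S], seq 6, win 65535, length 0
12:00:00.000007 IP 198.51.100.7.41237 > 203.0.113.10.80: Flags [S], seq 7, win 65535, length 0'

# top_sources: read tcpdump text lines on stdin, print "count ip", highest first.
# Field 3 is "a.b.c.d.port"; stripping the last ".digits" leaves the IPv4 address.
top_sources() {
    awk '$2 == "IP" {
        src = $3
        sub(/\.[0-9]+$/, "", src)
        count[src]++
    }
    END { for (ip in count) print count[ip], ip }' | sort -rn
}

# suspects THRESHOLD: print only the IPs whose packet count is >= THRESHOLD.
suspects() {
    top_sources | awk -v t="$1" '$1 >= t { print $2 }'
}

# block_rules THRESHOLD: print the iptables commands to review before running
# them; nothing is applied by this function itself.
block_rules() {
    suspects "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LINES" | top_sources
printf '%s\n' "$SAMPLE_LINES" | block_rules 3
```

A high count alone does not prove abuse: a NAT gateway, a proxy or a CDN edge legitimately shows many connections from one address, so check the list before dropping anything.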
