Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revision Both sides next revision
litespeed_wiki:config:mitigating-ddos-attacks [2019/02/27 17:12]
Jackson Zhang [Troubleshooting]
litespeed_wiki:config:mitigating-ddos-attacks [2019/05/14 20:32]
Jackson Zhang [Analysis of IPs from attacked]
Line 122: Line 122:
  
 ==== Check concurrent connections ==== ==== Check concurrent connections ====
-To check how many concurrent TCP connections, ​you can run:+To check the number of concurrent TCP connections,​ run the following command:
   netstat -an | grep 80 | grep ESTA | wc    netstat -an | grep 80 | grep ESTA | wc 
  
-If you want to check concurrent connections sorted by IP, you can run the following:+To check concurrent connections sorted by IP, run the following:
   netstat -ntu | grep ESTABLISHED | awk '​{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr   netstat -ntu | grep ESTABLISHED | awk '​{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
   ​   ​
-Please keep in mind that ''​netstat -ntu''​ will list TCP in TIME_WAIT state, which will inflate the number. For correct concurrent TCP connections counting method, you should only count TCPs in ''​ESTABLISHED''​ state. Hence ''​grep ESTA''​ or ''​grep ESTABLISHED''​ will be required. ​+Please keep in mind that ''​netstat -ntu''​ will list TCP in TIME_WAIT state, which will inflate the number. For the correct concurrent TCP connections counting method, you should only count TCPs in ''​ESTABLISHED''​ state. Hence ''​grep ESTA''​ or ''​grep ESTABLISHED''​ will be required
 + 
 +==== Analysis of IPs from attacked ====  
 + 
 +Bad IP's can make quick connections and you end up with many time_waits and won't see it when just looking at established. 
 + 
 +If you don't necessarily count concurrent connections,​ just want to analyze which IPs might be attacker, you can include time_waits connection as well by running the command without ''​grep ESTABLISHED'',​ which gives you the ability to see what IP's just connected and dropped and may need to be blocked: 
 + 
 +   ​netstat -ntu | awk '​{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | awk '$1 >= 5 {print $0}' 
 + 
 +An attacker could make a connection, send requests to expensive URL, wait a little while, then close connection, if server does not abort the process, the backend will be used up soon and keep serving request that has been abandoned. The above command will be useful during the situation
 ==== Check the Banned IP and Reason ==== ==== Check the Banned IP and Reason ====
 If an IP has been banned, but you don't know why, you can check it with SSH. Here is an example of a connection that was banned because it reached the hard limit. If an IP has been banned, but you don't know why, you can check it with SSH. Here is an example of a connection that was banned because it reached the hard limit.
  • Admin
  • Last modified: 2019/06/13 16:21
  • by Lisa Clarke