Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | Next revision Both sides next revision | ||
|
litespeed_wiki:config:mitigating-ddos-attacks [2019/05/14 20:26] Jackson Zhang [Check concurrent connections] |
litespeed_wiki:config:mitigating-ddos-attacks [2019/05/14 20:32] Jackson Zhang [Analysis of IPs from attacked] |
||
|---|---|---|---|
| Line 131: | Line 131: | ||
| ==== Analysis of IPs from attacked ==== | ==== Analysis of IPs from attacked ==== | ||
| - | If you don't necessarily count concurrent connections, just want to analyze which IPs might be attacker, you can check time_waits connection as well. You can run the command without ''grep ESTABLISHED'': | + | |
| - | netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | + | Bad IP's can make quick connections and you end up with many time_waits and won't see it when just looking at established. |
| + | |||
| + | If you don't necessarily count concurrent connections, just want to analyze which IPs might be attacker, you can include time_waits connection as well by running the command without ''grep ESTABLISHED'', which gives you the ability to see what IP's just connected and dropped and may need to be blocked: | ||
| + | |||
| + | netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | awk '$1 >= 5 {print $0}' | ||
| An attacker could make a connection, send requests to expensive URL, wait a little while, then close connection, if server does not abort the process, the backend will be used up soon and keep serving request that has been abandoned. The above command will be useful during the situation. | An attacker could make a connection, send requests to expensive URL, wait a little while, then close connection, if server does not abort the process, the backend will be used up soon and keep serving request that has been abandoned. The above command will be useful during the situation. | ||