Nowadays we are seeing more DDoS incidents. To track down which site is actually under attack on a shared server, the following commands will help you.


Find the local IP to which the connections are being established:


# netstat -plan | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nk1

This lists each local IP address with its total number of connections in the left column, sorted ascending. Take the IP address at the bottom, the one with the most connections. Here, I am assuming the attacked IP is “127.0.0.1”.

Now you need to find out which site on that IP is under attack.


tcpdump -A -s 500 dst host 127.0.0.1 (use ‘src’ instead of ‘dst’ if you are checking connections coming from an IP; the options must come before the filter expression, and ‘-s 500’ prints the first 500 bytes of each packet, which is where the HTTP headers sit)

This prints a stream of packet payloads. Watch it closely for a “Host:” header; the site named there is the one being targeted.

Example:
==========================
189 HTTP/1.1
Host: www.XXXXXX.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://apps.fac
==========================
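The two steps above can be reduced to a pair of shell functions so the aggregation is repeatable rather than read off a scrolling screen. The script below is an added example and is not part of the original post: it feeds constructed `netstat -plan` and `tcpdump -A` output (labelled as such in the script) through the same pipelines, first picking the local IP with the most established port-80 connections, then counting `Host:` headers in the capture so the most-requested vhost stands out. It assumes the Linux `netstat` column layout (Local Address in column 4, State in column 6) and that the capture was taken with `-A`, which prints headers one per line.

```shell
#!/bin/sh
# Added example, not from the original post. Runs offline on constructed samples.

# Constructed sample of `netstat -plan` output (documentation IP ranges).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED 1234/httpd
tcp        0      0 192.0.2.10:80           198.51.100.8:51235      ESTABLISHED 1234/httpd
tcp        0      0 192.0.2.10:80           198.51.100.9:51236      ESTABLISHED 1234/httpd
tcp        0      0 192.0.2.11:80           203.0.113.5:40001       ESTABLISHED 1234/httpd
tcp        0      0 192.0.2.10:443          203.0.113.6:40002       ESTABLISHED 1234/httpd'

# Constructed sample of `tcpdump -A -s 500 dst host 192.0.2.10` output.
TCPDUMP_SAMPLE='12:00:01.000001 IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [P.], length 189
GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Connection: keep-alive

12:00:01.000002 IP 198.51.100.8.51235 > 192.0.2.10.80: Flags [P.], length 190
GET /index.php HTTP/1.1
Host: www.example.com
Connection: keep-alive

12:00:01.000003 IP 203.0.113.6.40002 > 192.0.2.10.80: Flags [P.], length 150
GET / HTTP/1.1
Host: shop.example.net
Connection: keep-alive'

# Step 1: connections per local IP on port 80, ascending count.
# Same pipeline as the post, but limited to ESTABLISHED sockets so the
# LISTEN line does not pollute the count, and matched on the local column
# only so a peer that happens to use source port 80 is not counted.
count_by_local_ip() {
    awk '$6 == "ESTABLISHED" && $4 ~ /:80$/ {print $4}' \
        | cut -d: -f1 | sort | uniq -c | sort -n
}

# The last line of the ascending list is the busiest local IP.
top_local_ip() {
    count_by_local_ip | tail -n 1 | awk '{print $2}'
}

# Step 2: Host headers per vhost from a `tcpdump -A` stream.
# CR is stripped because HTTP header lines end in CRLF and the trailing
# CR would otherwise make "www.example.com\r" a distinct key.
host_counts() {
    tr -d '\r' | awk '/^Host: /{print $2}' | sort | uniq -c | sort -n
}

top_host() {
    host_counts | tail -n 1 | awk '{print $2}'
}

# Stand-alone run: show both tables and the two answers.
printf '%s\n' "$NETSTAT_SAMPLE" | count_by_local_ip
echo "busiest local IP: $(printf '%s\n' "$NETSTAT_SAMPLE" | top_local_ip)"
printf '%s\n' "$TCPDUMP_SAMPLE" | host_counts
echo "most requested vhost: $(printf '%s\n' "$TCPDUMP_SAMPLE" | top_host)"
```

On a live server you would replace the samples with `netstat -plan | count_by_local_ip` and `tcpdump -A -s 500 dst host <ip> | host_counts` (the second needs a capture duration or `-c` packet count, otherwise `sort` never sees end of input).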
