Nowadays we are seeing more DDoS incidents. When a server hosts many sites, the following commands help you track down which site is actually under attack.


Find the local IP address to which the connections are being established:


# netstat -plan | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nk1

This lists each local IP address with its total number of connections on the left, sorted in ascending order, so the IP address at the bottom is the one receiving the most connections. In the rest of this post I am assuming the attacked IP is "127.0.0.1".

Now you need to find out which site (virtual host) on that IP is under attack.


tcpdump -A -s 500 dst 127.0.0.1 (use 'src' instead of 'dst' if you are checking connections coming from an IP; tcpdump options such as -A and -s must come before the filter expression)

This prints the captured packets in ASCII. Watch the output closely for a "Host:" header; the hostname it carries is the site being hit.

EX:
==========================
189 HTTP/1.1
Host: www.XXXXXX.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://apps.fac
==========================
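The two steps above, as an added example that is not from the original post: the netstat count and the tcpdump "Host:" lookup as shell functions that run over saved output, extended to count Host: headers per virtual host and per source IP instead of eyeballing them. The function names and all sample data are my own and constructed.

```shell
#!/bin/sh
# Added example (not the post's code): the post's two steps as functions over
# saved text (netstat -plan > ns.txt; tcpdump -A -s 500 dst <ip> > td.txt).
# All sample data below is constructed.

# Step 1: connections per local IP on port 80, busiest last. Matches only the
# local-address column, so foreign ports such as :8080 do not pollute the count.
rank_local_ips() {
    awk '$4 ~ /:80$/ { print $4 }' | cut -d: -f1 | sort | uniq -c | sort -nk1
}
top_local_ip() { rank_local_ips | tail -n 1 | awk '{ print $2 }'; }

# Step 2: count Host: headers in tcpdump -A output per virtual host, and per
# (host, source IP) pair so the heaviest clients of that site are visible too.
rank_hosts() {
    grep -a '^Host: ' | tr -d '\r' | awk '{ print $2 }' | sort | uniq -c | sort -nk1
}
hosts_by_source() {
    # A packet header reads "HH:MM:SS.usec IP src.port > dst.port: ..."; keep its
    # source IP (port stripped) and attribute the next Host: header to it.
    tr -d '\r' | awk '/^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ IP / { src = $3; sub(/\.[0-9]+$/, "", src) }
                      /^Host: / { print $2, src }' |
        sort | uniq -c | sort -nk1
}

# Constructed sample of "netstat -plan" output.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address    Foreign Address     State       PID/Program name
tcp        0      0 10.0.0.5:80      203.0.113.7:51234   ESTABLISHED 1234/apache2
tcp        0      0 10.0.0.5:80      203.0.113.8:51235   ESTABLISHED 1234/apache2
tcp        0      0 10.0.0.6:80      198.51.100.2:4000   ESTABLISHED 1234/apache2
tcp        0      0 10.0.0.5:22      198.51.100.9:4001   ESTABLISHED 900/sshd
tcp        0      0 10.0.0.5:8080    203.0.113.9:51236   ESTABLISHED 2000/java
tcp        0      0 10.0.0.5:80      203.0.113.7:51237   ESTABLISHED 1234/apache2'

# Constructed sample of "tcpdump -A -s 500 dst 10.0.0.5" output (payloads trimmed).
TCPDUMP_SAMPLE='12:00:01.000001 IP 203.0.113.7.51234 > 10.0.0.5.80: Flags [P.], length 120
GET / HTTP/1.1
Host: www.example.com
12:00:01.000002 IP 203.0.113.8.51235 > 10.0.0.5.80: Flags [P.], length 120
GET /index.php HTTP/1.1
Host: www.example.com
12:00:01.000003 IP 198.51.100.2.4000 > 10.0.0.5.80: Flags [P.], length 110
GET / HTTP/1.1
Host: shop.example.org
12:00:01.000004 IP 203.0.113.7.51237 > 10.0.0.5.80: Flags [P.], length 120
GET /login HTTP/1.1
Host: www.example.com'

printf '%s\n' "$NETSTAT_SAMPLE" | rank_local_ips
printf '%s\n' "$TCPDUMP_SAMPLE" | hosts_by_source
```

On a live server, replace the two printf lines with `netstat -plan | top_local_ip` and `tcpdump -A -s 500 dst "$(netstat -plan | top_local_ip)" | hosts_by_source` (the latter streams until you stop it).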
