
How to check CC attacks under Linux

What is a CC attack? A CC (Challenge Collapsar) attack uses a large number of proxy servers to open a large number of connections to the target machine, exhausting the target server's resources and causing a denial of service. So how do you tell whether a CC attack is under way? This article introduces some Linux commands for identifying one.

View the number of connections on port 80

netstat -nat | grep ':80 ' | wc -l

Sort connected IPs by number of connections

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

netstat -ntu | awk '{print $5}' | egrep -o "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort | uniq -c | sort -nr

View TCP connection status

netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn

netstat -n | awk '/^tcp/ {print $NF}' | sort | uniq -c | sort -rn

netstat -n | awk '/^tcp/ {++S[$NF]}; END {for(a in S) print a, S[a]}'

netstat -n | awk '/^tcp/ {++state[$NF]}; END {for(key in state) print key,"\t",state[key]}'

netstat -n | awk '/^tcp/ {++arr[$NF]}; END {for(k in arr) print k,"\t",arr[k]}'

netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c

View the 20 IPs with the most connections on port 80

cat /www/web_logs/waitalone.cn_access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -100

tail -n 10000 /www/web_logs/waitalone.cn_access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -100

netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20

netstat -ant | awk '/:80/{split($5,ip,":");++A[ip[1]]}END{for(i in A) print A[i],i}' | sort -rn | head -n20

Use tcpdump to sniff port 80 traffic and see which source sends the most

tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20

Find the IPs with the most TIME_WAIT connections

netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20

Find the IPs with the most SYN connections

netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
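As an added example (not part of the original article), the per-IP and per-state counting that the netstat one-liners above perform, wrapped in shell functions and run over a constructed netstat -nat sample so it works offline; the addresses and the threshold are assumptions.

```shell
#!/bin/sh
# Constructed netstat -nat output (test data, not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51000       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:40000      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.2:40001      TIME_WAIT
tcp        0      0 10.0.0.5:22             192.0.2.9:33000         ESTABLISHED'

# Count remote IPs per connection to local port 80 (stdin: netstat -nat output).
# The LISTEN socket is skipped so 0.0.0.0 is not counted as a client.
count_port80_ips() {
    awk '$1 == "tcp" && $4 ~ /:80$/ && $NF != "LISTEN" {
             split($5, a, ":"); n[a[1]]++ }
         END { for (ip in n) print n[ip], ip }'
}

# The N busiest port-80 clients, most connections first.
top_port80_ips() {
    count_port80_ips | sort -rn | head -n "$1"
}

# Tally TCP states: a SYN_RECV flood or a TIME_WAIT pile-up shows up here.
tcp_state_counts() {
    awk '$1 == "tcp" { s[$NF]++ } END { for (k in s) print k, s[k] }' | sort
}

# IPs whose port-80 connection count reaches the threshold (assumed value,
# tune it for the server); these are the candidates for closer inspection.
flag_over_threshold() {
    count_port80_ips | awk -v t="$1" '$1 >= t { print $2 }'
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | top_port80_ips 20
    printf '%s\n' "$SAMPLE_NETSTAT" | tcp_state_counts
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_over_threshold 3
fi
```

Run the script with --demo to see the three reports on the sample; pipe real netstat -nat output into the functions to use them on a live host.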

Some common iptables commands for blocking IP ranges under Linux:

The command to block a single IP is:

iptables -I INPUT -s 211.1.0.0 -j DROP

The command to block an IP range is:

iptables -I INPUT -s 211.1.0.0/16 -j DROP

iptables -I INPUT -s 211.2.0.0/16 -j DROP

iptables -I INPUT -s 211.3.0.0/16 -j DROP

The command to block the entire range is:

iptables -I INPUT -s 211.0.0.0/8 -j DROP

The commands to block several ranges are:

iptables -I INPUT -s 61.37.80.0/24 -j DROP

iptables -I INPUT -s 61.37.81.0/24 -j DROP

There are three ways to make the rules load automatically when the server starts:

1. Add the commands to /etc/rc.local

2. iptables-save > /etc/sysconfig/iptables writes your current iptables rules to /etc/sysconfig/iptables, which is applied automatically when the system starts the iptables service.

3. service iptables save also writes your current iptables rules to /etc/sysconfig/iptables, and they are applied automatically when the system starts the iptables service.

The latter two are better, because the iptables service starts before the network service, which is safer.

To unblock an address, delete the rule exactly as it was inserted (the -D rule must match the original rule, including the target):

iptables -D INPUT -s <IP address> -j DROP

iptables -F flushes all rules.

This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com. Source: http://www.internetweblist.com/Web_defense/28673.html
