If you are a hosting provider, chances are that you’ve experienced a DoS/DDoS attack against a domain or a server. If so, you already know how frustrating it can be to tackle such an attack.

For those who are yet to feel the heat of it, its better to be prepared to identify an attack in real time. Many believe that the outcome of DoS/DDoS is disruption in service. Many a times, it does not fully disrupt the service, but the drop in quality of service leaves it in a state where it would be better if the the service isn’t rendered at all. After all, waiting 5 minutes for a web-page to load, isn’t worth it!

If you notice slow networks or a crashing server/service, chances are that you are the victim of one such attack. Access to a bandwidth graph comes in handy here. One could analyze the changes in the rate of traffic, and confirm if there is a spike in traffic. An abnormal spike in the traffic confirms a DoS/DDoS attack

Even if you correctly identify a DoS or DDoS attack, it is unlikely that you will be able to determine the actual source of the attack. What is even more important, is to identify the target of the attack. It could be that the attack is to a particular service like say webserver, or DNS server.

Much in this stage can be determined by merely looking at the status of connections to the server. A command like netstat could shed light into this aspect. The following command would give a lot of details about the state of various connections to/from the server.

netstat -plan

If you identify that the attack is to say port 80(the web-server), then you could use the following command to locate the target IP to which the attack is prevalent.

netstat -plan |grep :80 | awk '{print $4}' |cut -d: -f1 |sort |uniq -c |sort -n

The output would be the count followed by the IP address to which the attack is targeted.

The following command would give you the source of the attack, and also the count of connections from each of those IP’s.(count first, followed by the respective IP’s).

netstat -plan |grep :80 | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n

If you see numerous connections to the server from a single IP or network, you may infer that as a case of DoS. If you however see numerous IP’s from which there are say one or two connections, and the total list of IP’s is large, then you could be facing a DDoS attack.

There would be cases where you wouldn’t be able to pinpoint a single service, or identify the actual nature of the attack. In such cases, where it is not evident from the connection states, we might have to analyze the packets. More on it, in the coming week.

About the Author :

Sankar works as a Senior Software Engineer in Bobcares. He joined Bobcares back in April 2006. He loves grooming/mentoring people. During his free time, he listens to music, and enjoys singing..