
What are the signs of a DDoS attack?

Posted By: Abian | 1 Replies | Last Reply On: Apr 07, 2017 09:48:58

What are the signs of a DDoS attack? Usually the service becomes unavailable when it is under a heavy attack, but this can also be caused by load on the server.

Psychz - Sharad

Votes: 0 | Posted On: Apr 07, 2017 09:48:58
 

How to detect the DDoS attack?

With time, hackers have evolved with techniques to bring down your server by flooding it with traffic that is not real. Regardless of what hardware upgrades you have done to increase the performance of your server, the hacker can still simulate more users than your server can handle.

 

How Is a DDoS Organized?

To execute an attack, hackers use botnets which are zombie machines (hacked PCs or servers). Hackers use phishing emails and other methods to install malware (rootkits and trojans) on remote machines. After installing malware on these machines, the attacker gets to control them from any remote location. When ready to attack, the attacker remotely triggers these zombie machines to flood the target IP address.

 

Detecting an active attack on your server

In most of the attacks, the server crashes. That should be your first clue. However, in some of the cases the server returns a "service unavailable" error.
Another hint is that the server might not completely crash, but services become too slow. Genuine users can feel the lag while trying to access the website or service.

In the following article we will see how to check if there is an attack on your server using the "netstat" command.

Netstat is a utility included in any Windows or Linux operating system.

The netstat command displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active TCP connections.

 

For a Linux environment, you can find more information about the command, its parameters and its usage using the "man netstat" command.

netstat -an

 

Sample output

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6767            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0    216 45.34.41.202:22         49.248.152.106:41286    ESTABLISHED
tcp        0      0 45.34.41.202:22         49.248.152.106:41284    ESTABLISHED
tcp        0      0 45.34.41.202:22         45.34.97.74:54842       ESTABLISHED
tcp        0      0 45.34.41.202:22         45.34.97.74:55328       ESTABLISHED
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:679             0.0.0.0:*
udp        0      0 0.0.0.0:28569           0.0.0.0:*
udp        0      0 0.0.0.0:46055           0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*


The above output shows how your server would look in a normal scenario. You can see different IP addresses connected to specific ports.

When under attack

  tcp        0    216 45.34.41.202:22         49.248.152.106:41286    TIME_WAIT
  tcp        0    216 45.34.41.202:22         49.248.152.106:41287    TIME_WAIT
  tcp        0    216 45.34.41.202:22         49.248.152.106:41288    TIME_WAIT
  tcp        0    216 45.34.41.202:22         49.248.152.106:41289    TIME_WAIT
  tcp        0    216 45.34.41.202:22         49.248.152.106:41290    TIME_WAIT
  tcp        0    216 45.34.41.202:22         49.248.152.106:41291    TIME_WAIT
  tcp        0    216 45.34.41.202:22         49.248.152.106:41292    TIME_WAIT
  tcp        0    216 45.34.41.202:22         49.248.152.106:41293    TIME_WAIT
  tcp        0    216 45.34.41.202:22         49.248.152.106:41294    TIME_WAIT
  tcp        0    216 45.34.41.202:22         49.248.152.106:41295    TIME_WAIT
  tcp        0    216 45.34.41.202:22         49.248.152.106:41296    TIME_WAIT
  tcp        0    216 45.34.41.202:22         49.248.152.106:41297    TIME_WAIT


The above output is simulated; however, you can notice that the same IP is connecting to immediate ports and the connection is timing out. It clearly indicates that the attack was initiated from that one IP and is trying to flood the server by generating meaningless requests.

Here we have shown only a few connections for your understanding, but in a real DDoS attack the connections can be in the thousands.
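
The per-source pattern the reply points out can be counted by script instead of read by eye. The following is an added example, not part of the original reply: the function names, the default threshold of 100 and the sample rows (documentation-range addresses) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original reply): per-remote-IP summary of `netstat -an`.

# conn_summary [MIN]: read `netstat -an` output on stdin and print
# "count remote_ip state" for each remote address/TCP-state pair seen at
# least MIN times (default 100, an assumed threshold), busiest first.
conn_summary() {
    awk -v min="${1:-100}" '
        # Keep TCP rows only: headers and UDP rows have no State column,
        # and LISTEN rows have no real remote peer.
        $1 ~ /^tcp/ && NF >= 6 && $6 != "LISTEN" {
            addr = $5
            sub(/:[0-9*]+$/, "", addr)   # drop the trailing :port (IPv4 and IPv6)
            seen[addr " " $6]++
        }
        END {
            for (key in seen)
                if (seen[key] >= min) print seen[key], key
        }
    ' | sort -rn
}

# sample_netstat: constructed input using documentation-range addresses.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.10:22        192.0.2.74:54842        ESTABLISHED
tcp        0      0 198.51.100.10:22        192.0.2.74:55328        ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:67              0.0.0.0:*
EOF
    # Twelve closed connections from one source on consecutive ports.
    port=41286
    while [ "$port" -le 41297 ]; do
        echo "tcp        0      0 198.51.100.10:22        203.0.113.5:$port       TIME_WAIT"
        port=$((port + 1))
    done
}

# Demo: with a threshold of 10 only the single heavy source is reported.
sample_netstat | conn_summary 10
```

On a live Linux host, run `netstat -an | conn_summary 100` and compare the counts with what the same command reports during normal operation, since the right threshold depends on the host's usual traffic.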

Copyright © 2025 Psychz Networks,
A Profuse Solutions Inc Company