To find out whether your server is under attack, start by counting connections by TCP state. You can also list abusive IP addresses with this method.
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
Output:
      1 CLOSE_WAIT
      1 established)
      1 Foreign
      3 FIN_WAIT1
      3 LAST_ACK
     13 ESTABLISHED
     17 LISTEN
    154 FIN_WAIT2
    327 TIME_WAIT
The "established)" and "Foreign" entries are not states; they come from netstat's two header lines. Ignore them, or skip the headers with awk 'NR>2'.
Dig out more information about a specific ip address:
# netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n
      2 LAST_ACK
      2 LISTEN
      4 FIN_WAIT1
     14 ESTABLISHED
     91 TIME_WAIT
    130 FIN_WAIT2
A busy server shows far more connections per state:
# netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
Output:
     15 CLOSE_WAIT
     37 LAST_ACK
     64 FIN_WAIT_1
     65 FIN_WAIT_2
   1251 TIME_WAIT
   3597 SYN_SENT
   5124 ESTABLISHED
Get List Of All Unique IP Addresses
To print a list of all unique IP addresses connected to the server, enter:
# netstat -nat | awk 'NR>2 { print $5 }' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq
Note the sort before uniq: uniq only collapses adjacent duplicates, so without it the same address can be listed several times. NR>2 skips netstat's two header lines. cut -d: -f1 only works for IPv4 peers, because IPv6 addresses contain colons themselves.
To print the total number of unique IP addresses, enter:
# netstat -nat | awk 'NR>2 { print $5 }' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq | wc -l
Output:
449
Find Out If Box is Under DoS Attack or Not
If you think your Linux box is under attack, print a list of open connections sorted by the number of connections from each IP address:
# netstat -atun | awk 'NR>2 {print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq -c | sort -n
Output:
      1 10.0.77.52
      2 10.1.11.3
      4 12.109.42.21
      6 12.191.136.3
    ..... ... ....
     13 202.155.209.202
     18 208.67.222.222
     28 0.0.0.0
    233 127.0.0.1
The 0.0.0.0 entries are listening sockets (shown because of -a) and 127.0.0.1 is local traffic; ignore both when looking for an external attacker. An address with an unusually high count, particularly in SYN_RECV state, is the one to investigate.
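The one-liners above, put together as a reusable script (an added example, not code from the original article): it counts connections per remote address and per TCP state, flags addresses over a threshold, skips netstat's header lines, and handles IPv6 peers, which cut -d: -f1 would mangle. The netstat output embedded in it is constructed sample data, and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not code from the original article): a reusable version of the
# article's one-liners that counts connections per remote peer, flags peers
# above a threshold, and copes with the two things the one-liners get wrong:
# netstat's two header lines and IPv6 addresses (which contain ':' themselves,
# so `cut -d: -f1` mangles them). The netstat output below is constructed
# sample data, not a real capture.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          127.0.0.1:42110         ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51238       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.4:60001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.4:60002      TIME_WAIT
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:40000     ESTABLISHED'

# peer_addrs: read `netstat -nat` output on stdin, print one remote address per
# connection. Skips the two header lines, strips the trailing :port (IPv6-safe
# because only the last ':' is removed), and drops wildcard/loopback peers so
# listening sockets and local traffic do not pollute the counts.
peer_addrs() {
    awk 'NR > 2 { print $5 }' \
      | sed 's/:[^:]*$//' \
      | awk '$0 != "" && $0 != "0.0.0.0" && $0 != "::" && $0 != "127.0.0.1" && $0 != "::1"'
}

# count_by_peer: "<count> <address>" lines, busiest peer first.
count_by_peer() {
    peer_addrs | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# count_by_state: the article's state histogram, minus the header lines that
# otherwise show up as "established)" and "Foreign".
count_by_state() {
    awk 'NR > 2 { print $6 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# flag_over THRESHOLD: print only peers with at least THRESHOLD connections;
# these are the candidates for a null route or firewall rule.
flag_over() {
    count_by_peer | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo against the constructed sample. On a live box replace the printf with:
#   netstat -nat | count_by_peer
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_state
echo '---'
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_peer
echo '--- peers with >= 5 connections'
printf '%s\n' "$SAMPLE_NETSTAT" | flag_over 5
```

The threshold in flag_over is deliberately left to the operator: a web server legitimately holds dozens of connections from one NAT gateway, so pick a value from your own baseline rather than from someone else's article.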
Display Summary Statistics for Each Protocol
Simply use netstat -s; adding -t, -u or -w restricts the summary to TCP, UDP or raw sockets:
# netstat -s | less
# netstat -t -s | less
# netstat -u -s | less
# netstat -w -s | less
# netstat -s
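An added example (not from the original article) of what to do with those counters once you have them: pull out the SYN-related ones from netstat -s output and compare two snapshots, because the counters are cumulative since boot and only their rate of change tells you whether something is happening now. The counter text is constructed sample data in the line format Linux netstat prints; the helper names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original article): extract SYN-flood related
# counters from `netstat -s` output and turn them into numbers you can alert
# on. The text below is constructed sample output: the line names are the ones
# Linux netstat prints, the values are made up.

SAMPLE_NETSTAT_S='Tcp:
    123 active connection openings
    4567 passive connection openings
    89 failed connection attempts
    12 connection resets received
    34 connections established
TcpExt:
    2048 SYNs to LISTEN sockets dropped
    7 TCP sockets finished time wait in fast timer
    TCPBacklogDrop: 15'

# A second constructed snapshot, taken "later": 300 more listen drops.
SAMPLE_LATER='Tcp:
    4600 passive connection openings
TcpExt:
    2348 SYNs to LISTEN sockets dropped
    TCPBacklogDrop: 15'

# counter NAME: read netstat -s output on stdin and print the value of the
# counter called NAME (0 if absent). Handles both formats netstat uses:
# "    N description words" and "    Name: N".
counter() {
    awk -v name="$1" '
        $0 ~ ("^ *[0-9]+ " name "$")   { print $1; found = 1; exit }
        $0 ~ ("^ *" name ": *[0-9]+$") { print $2; found = 1; exit }
        END { if (!found) print 0 }'
}

# syn_drop_pct: share of incoming SYNs (completed passive opens + listen
# drops) that were dropped, as an integer percentage. A value well above a
# server's normal near-zero baseline is the signature of a SYN flood or an
# undersized listen backlog.
syn_drop_pct() {
    input=$(cat)
    passive=$(printf '%s\n' "$input" | counter "passive connection openings")
    dropped=$(printf '%s\n' "$input" | counter "SYNs to LISTEN sockets dropped")
    total=$(( passive + dropped ))
    if [ "$total" -eq 0 ]; then echo 0; else echo $(( dropped * 100 / total )); fi
}

# counter_delta NAME BEFORE AFTER: increase of a cumulative counter between two
# snapshots. On a live box capture them with `netstat -s` a minute apart.
counter_delta() {
    before=$(printf '%s\n' "$2" | counter "$1")
    after=$(printf '%s\n' "$3" | counter "$1")
    echo $(( after - before ))
}

# Demo against the constructed snapshots.
printf '%s\n' "$SAMPLE_NETSTAT_S" | syn_drop_pct
counter_delta "SYNs to LISTEN sockets dropped" "$SAMPLE_NETSTAT_S" "$SAMPLE_LATER"
```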
Display Interface Table
You can easily display total and dropped packets for all interfaces (the RX-DRP and TX-DRP columns) with netstat:
# netstat --interfaces
Stop the Attack With a Null Route Using the route Command
Suppose that the bad IP is 65.21.34.4. Type the following command at the shell:
# route add 65.21.34.4 gw 127.0.0.1 lo
This sends the server's replies to the attacker to the loopback interface instead of the network, so they never reach the attacker and the connections never complete. It does not stop the inbound packets themselves from reaching the box and consuming bandwidth; for a volumetric flood you still need filtering upstream or on a firewall.
You can verify it with the following command:
# netstat -nr
OR
# route -n
You can also add a reject route (a hat tip to Gabriele); lookups for that address then fail with "Network is unreachable" instead of being silently dropped:
# route add -host IP-ADDRESS reject
# route add -host 64.1.2.3 reject
To confirm the null routing status, use the ip command as follows:
# ip route get 64.1.2.3
Output:
RTNETLINK answers: Network is unreachable
To drop entire subnet 192.67.16.0/24, type:
# route add -net 192.67.16.0/24 gw 127.0.0.1 lo
Null routing using the ip command
While traversing the RPDB, any lookup that matches a rule of type blackhole causes the packet to be dropped: no ICMP is sent and nothing is forwarded. A blackhole route matches on destination, so it stops this host from answering the attacker; a blackhole rule in the RPDB can also match on source (from), which drops inbound packets from the attacker at the routing step. Give prefixes as network addresses (202.54.5.0/29, not 202.54.5.2/29): the kernel rejects a route whose host bits are set. The syntax for the ip command is as follows:
# ip route add blackhole 202.54.5.0/29
# ip rule add from 202.54.1.2 blackhole
# ip rule add to 10.18.16.0/29 blackhole
# ip route
# ip rule
How do I remove a null route? How do I unblock an IP address?
Simply use the route delete command as follows:
# route delete 65.21.34.4
OR
# route del -host 65.21.34.4 reject
Or use the ip command, repeating the same arguments you used when adding the route or rule:
# ip route del blackhole 202.54.5.0/29
# ip rule del from 202.54.1.2 blackhole
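To tie the route and ip commands above together, here is an added example (not from the original article) that wraps them in a dry-run-capable helper. It aligns a prefix to the network boundary the kernel requires, uses ip route replace so re-running it is harmless, and keeps destination blackholes (routes) separate from source blackholes (RPDB rules), with matching removal functions. The helper names are this example's own; the ip(8) syntax is real. DRY_RUN defaults to 1 so nothing on the box changes until you set DRY_RUN=0 and run it as root.

```sh
#!/bin/sh
# Added example (not from the original article): a small wrapper around the
# article's null-route commands. It aligns the prefix to its network boundary
# (the kernel rejects e.g. `ip route add blackhole 202.54.5.2/29`: "Invalid
# prefix for given prefix length"), uses `ip route replace` so re-running is
# idempotent, and distinguishes a destination blackhole (route) from a source
# blackhole (RPDB rule). Helper names are this example's own; the ip(8) syntax
# is real. DRY_RUN=1 (the default) prints the commands instead of running them.
DRY_RUN=${DRY_RUN:-1}

# run CMD...: echo the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# ip4_to_int A.B.C.D -> unsigned 32-bit integer
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 N -> A.B.C.D
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# normalize_cidr ADDR[/LEN] -> NETWORK/LEN with the host bits cleared; a bare
# address becomes a /32. Shell arithmetic is 64-bit, so the mask is computed
# with a 32-bit all-ones constant and truncated back to 32 bits.
normalize_cidr() {
    case "$1" in
        */*) addr=${1%/*}; plen=${1#*/} ;;
        *)   addr=$1; plen=32 ;;
    esac
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    echo "$(int_to_ip4 $(( $(ip4_to_int "$addr") & mask )))/$plen"
}

# blackhole_dst PREFIX: drop everything this host routes *to* the attacker,
# i.e. our replies. Inbound packets still arrive and still cost bandwidth.
blackhole_dst()   { run ip route replace blackhole "$(normalize_cidr "$1")"; }
unblackhole_dst() { run ip route del blackhole "$(normalize_cidr "$1")"; }

# blackhole_src PREFIX: RPDB rule matching on the *source* address, which a
# plain route cannot do, so packets *from* the attacker are dropped at the
# routing step before any socket sees them.
blackhole_src()   { run ip rule add from "$(normalize_cidr "$1")" blackhole; }
unblackhole_src() { run ip rule del from "$(normalize_cidr "$1")" blackhole; }

# Demo (dry run): the article's prefixes, corrected to their network addresses.
blackhole_dst 202.54.5.2/29
blackhole_src 202.54.1.2
unblackhole_dst 202.54.5.2/29
unblackhole_src 202.54.1.2
```

Run it once with the default dry run to see exactly which routes and rules it would add, then DRY_RUN=0 as root to apply them; keep the unblackhole_* calls handy, since a forgotten blackhole rule is a common reason a host stops talking to a legitimate address weeks later.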