Whenever a client connects to a server via network, a connection is established and opened on the system. On a busy high load server, the number of connections connected to the server can be run into large amount till hundreds if not thousands. Find out and get a list of connections on the server by each node, client or IP address is useful for system scaling planning, and in most cases, detect and determine whether a web server is under DoS or DDoS attack (Distributed Denial of Service), where an IP sends large amount of connections to the server. To check connection numbers on the server, administrators and webmasters can make use of netstat command.
Below is some of the example a typically use command syntax for ‘netstat’ to check and show the number of connections a server has. Users can also use ‘man netstat’ command to get detailed netstat help and manual where there are lots of configurable options and flags to get meaningful lists and .
1] Display all active Internet connections to the servers and only established connections are included.
[root@server ~]# netstat -na
2] Show only active Internet connections to the server at port 80 and sort the results. Useful in detecting single flood by allowing users to recognize many connections coming from one IP.
[root@server
~]# netstat -an | grep :80 | sort
3] Let users know how many active SYNC_REC are occurring and happening on the server. The number should be pretty low, preferably less than 5. On DoS attack incident or mail bombed, the number can jump to twins. However, the value always depends on system, so a high value may be average in another server.
3] Let users know how many active SYNC_REC are occurring and happening on the server. The number should be pretty low, preferably less than 5. On DoS attack incident or mail bombed, the number can jump to twins. However, the value always depends on system, so a high value may be average in another server.
[root@server ~]# netstat -n -p|grep SYN_REC | wc -l
4] List out the all IP addresses involved instead of just count.
[root@server
~]# netstat -n -p | grep SYN_REC | sort -u
5] List all the unique IP addresses of the node that are sending SYN_REC connection status.
5] List all the unique IP addresses of the node that are sending SYN_REC connection status.
[root@server
~]# netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print
$1}'
6] Use netstat command to calculate and count the number of connections each IP address makes to the server.
6] Use netstat command to calculate and count the number of connections each IP address makes to the server.
[root@server
~]# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c |
sort -n
7] List count of number of connections the IPs are connected to the server using TCP or UDP protocol.
[root@server
~]# netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 |
sort | uniq -c | sort -n
8] Check on ESTABLISHED connections instead of all connections, and displays the connections count for each IP.
[root@server
~]# netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort
| uniq -c | sort -nr
9] Show and list IP address and its connection count that connect to port 80 on the server. Port 80 is used mainly by HTTP web page request.
[root@server
~]# netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq
-c|sort -nk 1
No comments:
Post a Comment