What is DDOS attacks, how to identify them, and how to protect your website from their infringement, we will understand the common signs of DDOS attacks and what steps you can take to reduce their damage.
What is DDOS?
DDOS or distributed rejection service is a collaborative attack using one or more IP addresses to paralyze the website by making the server of the website unable to access. This is completed by loading the server resources and using all available connections, bandwidth and throughput. Just like driving, if the traffic is too large, your travel time from point A to point B will slow down. The server will be in trouble by using more connections beyond its processing capacity, making it unable to handle legal requests. Even a powerful server cannot handle the number of connections that DDOS can bring.
Although there are many ways to perform DDOS attacks, from HTTP floods to Slowloris delayed connections, most of them need to be connected with your server in real time. Many of them.
The good news is that because these connections are real -time, you can see their establishment process. Using some simple commands, you can not only determine whether the DDOS is happening, but also to help relieve the information required for these attacks.
How to check DDOS
If you are worried that your server may be attacked by DDOS, the first thing you need to do is to view the load on the server. Simple things like Uptime or Top commands make you know the current load of the server well.
But what is acceptable load?
This depends on your CPU resources or available threads. Generally, the rules are one point for each thread.
To determine the current load of the server, you can use theRP processor/ProC/CPUINFO | WC-L command, which will return the number of logical processor (thread). During the DDOS attack, you may see that the load is twice, three times or even higher of the biggest load you should have. The average load is displayed in the following time to display the load: an average of 1 minute, average 5 minutes and average 15 minutes. In this case, the average load greater than 7 may be a problem.
How to check which IPs are connected to your server
Since most DDOS attacks need to be connected to your server, you can check and check how many IP addresses and which IP addresses are connected to your server. This can be used to determine NetStat, which is used to provide a variety of details. But in this case, we are only interested in establishing a specific IP, IP quantity and their sub -nets they belong to. First, enter the following command in the terminal:
NetStat-NTU | AWK ‘{Print $ 5}’ | Cut-D: -f1-S | Sort | Uniq-C | Sort-NK1-R
If the input is correct, this command will return a series of lowering sequences to list which IP connections to your server and how much each IP is connected. The results may also include workpiece data, which will be displayed as non -IP information and can be ignored.
View results, you will see the listed connection range from each IP1 to about 50 connections. This is very common for normal traffic. However, if you see some IPs with more than 100 connections, you need to check carefully.
In the list, you may see the IP of known IP, one or more servers, and even your own personal IP with multiple connections. In most cases, these can be ignored because they are usually there. When you see a single unknown IP with hundreds or thousands of connections, you should worry because this may be signs of attack.