At the moment my server is lagging pretty bad, and it crashes. It's a dedicated server which has run completely fine last two days.

What does this command do?

netstat -n|grep :80|cut -c 45-|cut -f 1 -d ':'|sort|uniq -c|sort -nr|more

This is what I get:

    154 76.217.x.xx
     11 79.51.xx.xxx
     10 174.119.xx.xx
      9 201.230.xxx.xxx
      8 24.184.xx.xxx
      8 127.0.0.1
      6 50.51.xxx.xxx
      6 216.121.xxx.xxx
      4 80.203.xx.xxx
      4 24.186.xxx.xxx
      4 223.25.xx.xxx
      4 119.93.xx.xx

What does the number beside the IP mean? Does it mean connections? If so... the top IP is ddosing me?

mattdm
Muazam
  • There are 228 connections; this doesn't look like a [DoS](http://en.wikipedia.org/wiki/Denial-of-service_attack) attack, let alone a DDoS attack. What is your I/O, CPU, memory, webserver, application doing? – user9517 Aug 05 '11 at 15:23
  • Yeah, that was me. Sorry. But seriously, 228 connections is nothing. You have an issue on your web server. – Jacob Aug 05 '11 at 15:38
  • @Jacob - you're a bad, bad man. Haven't you learned your lesson from that 500 connection DoS against Google? – voretaq7 Aug 05 '11 at 15:48
  • May want to also check 443(?) connections for https as well, as it's also a web port. – Jimsmithkka Aug 05 '11 at 16:43
  • Are you sure your site didn't get listed on digg/slashdot/reddit/.... – Zoredache Aug 05 '11 at 16:45
  • @Zoredache that'd be a pretty pathetic slashdotting if that's his full list of remote IPs asking for web pages, no? – voretaq7 Aug 05 '11 at 20:30

3 Answers

14
  • netstat prints network connections
  • -n shows numerical addresses
  • grep :80 filters connections connected to port 80
  • cut -c 45- gets only the 4th and 5th columns
  • cut -d: -f1 takes the first field separated by a colon
  • sort | uniq -c sorts by IP address and counts the number of each unique IP
  • sort -rn reverses the numerical sort

You can use awk instead of cut -c 45- to get the 5th column only:

netstat -n | grep :80 | awk '{ print $5 }' | cut -d: -f1 | sort | uniq -c | sort -rn | head

About your result, it seems normal, no DDoS. Take a look at access_log for more details.

quanta
12

Quanta & DTest explained what the command does. Everyone will tell you that a few hundred connections does not a DoS make (talk to me when you have at least 5-10 thousand), and I'll expand on that by saying that in order for it to be a DDoS you'd be seeing a lot more entries (probably with a lot more connections each) than what you're showing above.

When you have a problem with a server DO NOT jump to the exotic causes (DDoS, Cosmic Rays, Z0MG H4X0R3D!, etc.) -- Chances are you have a far more boring and mundane problem.

You say "it crashes" -- do you mean the whole server locks up, panics or otherwise requires a hard reboot?
If so, check your RAM (MemTest86+ or similar). That's usually the issue.

If it's not a real, hard crash start looking at the normal mundane troubleshooting items:

  • Run top
    • What is the load average? What is it when you have a problem?
    • How much swap are you using? Are you using more when you have a problem? (If so, memory leak!)
    • What programs are trying to get on the CPU?
  • Run your operating system's disk I/O information tools (Not a Debian guy, maybe someone can list 'em?)
    • Are you disk bound? (is the disk constantly using 100% of its bandwidth?)
  • Look at your network statistics
    • Are you hitting a bandwidth cap from your ISP?
  • Look at your ancillary programs, if applicable
    • Database Connections
    • Shared File Systems
    • Any other resource that may be locked/blocking when you need it
voretaq7
  • +1: except in cases of being hacked with vast numbers of cosmic rays, this is solid advice. – Sirex Aug 05 '11 at 17:25
  • @voretaq7 Thanks for the guide. I found this in the error log: [Fri Aug 05 05:31:58 2011] [error] [client 91.194.219.139] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:) – Muazam Aug 06 '11 at 03:09
2

The number is the number of unique entries for each IP (generated by uniq -c).

netstat -n will give you all the current network traffic, which you then pipe to grep :80, which only grabs connections on your web server. Next we cut out the leading part of the line with cut -c 45-, and then everything after the IP (starting at the colon) with cut -f 1 -d ':'. Then we sort it, get the unique IPs with a count (uniq -c), and then sort it in reverse order so the IPs with the most connections appear at the top.

This doesn't necessarily mean you are getting DDoS'd because the majority of traffic is coming from a single IP. Someone might be crawling your site for content or some other reason.

Derek Downey
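As an added example (not code from any of the answers above), here is the same per-IP count that quanta's and Derek's answers describe, done in Python. It selects columns by whitespace instead of the position-dependent cut -c 45-, so it also works on tcp6 lines and on systems whose netstat pads columns differently; it counts port 443 alongside 80 as Jimsmithkka's comment suggests; and it can restrict the count to ESTABLISHED sockets so TIME_WAIT entries don't inflate a client's number. The netstat output it parses is constructed sample data, not the asker's server.

```python
from collections import Counter

# Constructed sample of `netstat -n` output (not real data). It includes a
# TIME_WAIT socket, an IPv6 line and a port-22 line to show what the count
# should and should not include.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             76.217.1.10:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             76.217.1.10:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             76.217.1.10:51236       TIME_WAIT
tcp        0      0 10.0.0.5:443            79.51.2.20:44001        ESTABLISHED
tcp        0      0 10.0.0.5:22             24.184.3.30:60000       ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:40000     ESTABLISHED
tcp        0      0 127.0.0.1:80            127.0.0.1:39000         ESTABLISHED
"""

WEB_PORTS = {"80", "443"}

def split_host_port(addr):
    """Split 'host:port' as netstat prints it; rpartition copes with IPv6."""
    host, _, port = addr.rpartition(":")
    return host, port

def count_web_clients(netstat_text, ports=WEB_PORTS, states=None):
    """Count sockets per remote IP whose local port is one of `ports`.

    Columns are taken by whitespace, so unlike `cut -c 45-` this does not
    break when column widths differ or on tcp6 lines. `states` optionally
    restricts the count, e.g. {"ESTABLISHED"} to leave out TIME_WAIT sockets.
    """
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines, udp, unix sockets
        local, remote, state = fields[3], fields[4], fields[5]
        if split_host_port(local)[1] not in ports:
            continue
        if states is not None and state not in states:
            continue
        counts[split_host_port(remote)[0]] += 1
    return counts

def top_clients(netstat_text, n=10, **kw):
    """Same ordering as `sort | uniq -c | sort -rn | head`."""
    return count_web_clients(netstat_text, **kw).most_common(n)

if __name__ == "__main__":
    for ip, n in top_clients(SAMPLE_NETSTAT):
        print(f"{n:7d} {ip}")
```

On a live box, feed it the real output with `subprocess.run(["netstat", "-n"], capture_output=True, text=True).stdout` in place of the sample string.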