
Cacti shows irregular and pretty steady high bandwidth to my server (40x the normal), so I guess the server is under some sort of DDoS attack. The incoming bandwidth has not paralyzed my server, but of course it consumes bandwidth and affects performance, so I am keen to figure out the possible culprits' IPs and add them to my deny list or otherwise counter them. When I run:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

I get a long list of IPs with up to 400 connections each. I checked the most numerous occurring IPs, but they come from my CDN. So I am wondering what is the best way to help monitor the requests that each IP makes in order to pinpoint the malicious ones. I am using Ubuntu server.

Thanks

alfish

1 Answer


Assuming it is a web server and the connections are on port 80/443, check your Apache/Web server logs to see what the user-agent is. You will probably find it is a search engine bot. The number of crawl bots (malicious, genuine and borderline) has increased substantially over the years and can cause the exact behaviour you see.

I'm guessing you pulled the command posted from http://www.cyberciti.biz/tips/netstat-command-tutorial-examples.html, but if not, it contains some interesting commands.

Once you think you have identified a problematic IP, then the next best step would be to inspect the traffic. You can do this using tcpdump:

# options go before the capture filter; -s 0 captures full packets, -w writes a pcap for later analysis
tcpdump -n -s 0 -vvv -i eth0 -w ~/tcpdump.cap host 192.168.1.3 and port 80

Then open the tcpdump capture with Wireshark and review it with ease.

Ben Lessani
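The answer suggests checking the web server logs for the user-agent behind the busiest IPs. As an added example, not part of the original question or answer, here is a small Python script that does that for Apache/Nginx "combined" format logs: it counts requests per client IP, records the user-agent each IP sends, skips addresses that belong to your CDN (the CDN_PREFIXES value below is a placeholder you would replace with your provider's edge ranges), and flags the top talkers. The log lines embedded in SAMPLE_LOG are constructed, using documentation address ranges, purely to make the script runnable offline.

```python
import re
from collections import Counter, defaultdict

# Apache/Nginx "combined" log format:
# ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Placeholder: prefixes of your CDN's edge addresses (assumption, replace with real ranges).
CDN_PREFIXES = ("203.0.113.",)

# Constructed sample log; 198.51.100.7 is a chatty self-declared crawler,
# 203.0.113.10 is "CDN" traffic, 192.0.2.33 is a single curl request,
# and the last line is deliberately malformed to show it being skipped.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2012:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0; +http://example.com/bot)"
203.0.113.10 - - [10/Oct/2012:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 7421 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/90.0"
198.51.100.7 - - [10/Oct/2012:13:55:38 +0000] "GET /products?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0; +http://example.com/bot)"
198.51.100.7 - - [10/Oct/2012:13:55:39 +0000] "GET /products?page=3 HTTP/1.1" 200 5118 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0; +http://example.com/bot)"
203.0.113.10 - - [10/Oct/2012:13:55:40 +0000] "GET /style.css HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/90.0"
192.0.2.33 - - [10/Oct/2012:13:55:41 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2012:13:55:42 +0000] "GET /products?page=4 HTTP/1.1" 200 5117 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0; +http://example.com/bot)"
203.0.113.10 - - [10/Oct/2012:13:55:43 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/90.0"
198.51.100.7 - - [10/Oct/2012:13:55:44 +0000] "GET /products?page=5 HTTP/1.1" 200 5116 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0; +http://example.com/bot)"
203.0.113.10 - - [10/Oct/2012:13:55:45 +0000] "GET /about HTTP/1.1" 200 1890 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/90.0"
this line is not a valid log entry
"""


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_agent(agent):
    """Crude label: does the user-agent *claim* to be a crawler? (Claims are not proof.)"""
    a = agent.lower()
    return "claimed crawler" if any(t in a for t in ("bot", "crawl", "spider")) else "browser/other"


def summarize(lines, threshold=3):
    """Count requests per IP and return (per_ip counter, list of flagged non-CDN IPs).

    Each flagged entry is (ip, request_count, most_common_user_agent, label)."""
    per_ip = Counter()
    agents = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash mid-file
        per_ip[rec["ip"]] += 1
        agents[rec["ip"]][rec["agent"]] += 1

    flagged = []
    for ip, n in per_ip.most_common():
        if n < threshold:
            break  # most_common() is sorted, so nothing below this point qualifies
        if ip.startswith(CDN_PREFIXES):
            continue  # trusted edge; the real client is hidden behind it
        top_agent, _ = agents[ip].most_common(1)[0]
        flagged.append((ip, n, top_agent, classify_agent(top_agent)))
    return per_ip, flagged


if __name__ == "__main__":
    import sys
    # Usage: python3 top_talkers.py < /var/log/apache2/access.log   (reads the sample if stdin is a tty)
    source = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    _, flagged = summarize(source)
    for ip, n, agent, label in flagged:
        print(f"{ip:16} {n:6} {label:16} {agent}")
```

One caveat worth keeping in mind with a CDN in front of the server: the IP in the default combined format is the CDN edge, so the real client only shows up if you log the forwarded-client header your CDN sets (X-Forwarded-For or a provider-specific one). Also treat the user-agent as a claim, not an identity; a genuine search engine bot can be confirmed by reverse-resolving its IP and checking that the name resolves back to the same address, whereas anything else claiming to be that bot is a candidate for the deny list.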