0

I am currently experiencing some attacks on my OpenVZ server (CentOS 6.3 64-bit), which are saturating the public ethernet interface (currently accessing SSH via the private interface).
Is it possible to display the IP addresses with the most inbound connections on the system to find the targeted VM so I can add it to our nullroute list on the router?

Justin

2 Answers

6

I'm not sure if the VM IP addresses show up when you run `netstat`, but if they do, this will show you the local addresses with the most TCP connections, sorted by number of connections:

```
netstat -nt | awk '/^tcp/ {print $4}' | awk -F: '{print $1}' | sort | uniq -c | sort -n
```

If you wanted to see the top external addresses with open connections, replace the `$4` with `$5`:

```
netstat -nt | awk '/^tcp/ {print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -n
```

Johnny
  • It's worth noting that this ignores the *state* of the connection and which end initiated the connection. It also has no relationship to the number of packets or bytes sent through the connection. – Ladadadada Apr 20 '13 at 06:56
1

My alternative with more details (number of connections, source IP, source port, destination IP, connection state):

```
netstat -nat | awk '{print $4":"$5":"$6}' | awk -F: '{print $1":"$2" "$3" "$5}' | sort | uniq -c | sort -nr | head
```

OR

```
ss -nat | awk '{print $4":"$5":"$1}' | awk -F: '{print $1":"$2" "$3" "$5}' | sort | uniq -c | sort -nr | head
```

maxo
  • Hi maxo and welcome to SF. Please take a look at [How to write a good answer](https://serverfault.com/help/how-to-answer) in the help section of the site. I won't touch it, but in your place I'd edit it following that advice. – Marco Oct 02 '17 at 04:36
  • This works way better than the accepted answer to filter through lots of connections. Remove the `n` from `-nat` if you'd like to see real hostnames – bbodenmiller May 25 '18 at 00:03
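
Added example, not from either answer: following Ladadadada's comment about connection state and direction, this function reads `netstat -nat` output on stdin and counts, per local address, only connections whose local port is one the host listens on (so the remote end initiated them) and that are in `ESTABLISHED` or `SYN_RECV` state. The function names and the sample table (documentation address ranges) are constructed for illustration; `ss` uses a different column order and state names, so it needs its own field mapping.

```shell
#!/bin/sh
# Rank local addresses by inbound TCP connections.
# Expects netstat -nat columns: Proto Recv-Q Send-Q Local Foreign State.
# Output columns: total inbound, of which half-open (SYN_RECV), local address.

inbound_by_local_ip() {
    awk '
    # Split "addr:port" at the LAST colon so IPv6 forms like :::22 survive.
    function port(a) { sub(/.*:/, "", a); return a }
    function host(a) { sub(/:[^:]*$/, "", a); return a }
    /^tcp/ {
        if ($6 == "LISTEN") listen[port($4)] = 1   # ports this host serves
        else { n++; laddr[n] = $4; state[n] = $6 }
    }
    END {
        for (i = 1; i <= n; i++) {
            # Inbound: the local port is a listening port (peer initiated).
            if (!(port(laddr[i]) in listen)) continue
            # Count live or half-open sockets only; skip TIME_WAIT and others.
            if (state[i] != "ESTABLISHED" && state[i] != "SYN_RECV") continue
            total[host(laddr[i])]++
            if (state[i] == "SYN_RECV") half[host(laddr[i])]++
        }
        for (ip in total) printf "%d %d %s\n", total[ip], half[ip], ip
    }' | sort -k1,1nr -k3,3
}

# Constructed sample input (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.8:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.11:80           203.0.113.6:51001       ESTABLISHED
tcp        0      0 192.0.2.11:80           203.0.113.6:51002       TIME_WAIT
tcp        0      0 192.0.2.11:45000        203.0.113.9:443         ESTABLISHED
tcp        0      0 10.0.0.2:22             10.0.0.1:53222          ESTABLISHED
EOF
}

sample_netstat | inbound_by_local_ip
```

On a live system the equivalent call is `netstat -nat | inbound_by_local_ip`; a large second column relative to the first points at half-open connections piling up on that address.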