The server performance can degrade due to hardware failure, scripts, web application, Network latency increase, Bandwidth congestion, inconsistent file system or DDoS (Distributed Denial of Service) attack. DDos is an attack which flooding your server with traffic. It targets not only to the servers but also websites, network resources to denial of service for users.

To verify this attack on Linux/CentOS server command is netstat. We will show you in this article how to check attack on the server.

You may refer netstat man page.
netstat – Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships

Some useful commands to check the connections establish on the server.

netstat -na

This command will print all active connections to the server.

netstat -an | grep :80 | sort

It will show all internet connections on port 80 to the server. This is port of web server (http). Useful to get a list of sorted IPs and if you notice any particular IP repeated a couple of times so most probably DDos initiated from that IP.

netstat -n -p|grep SYN_REC | wc -l

This command will show count of all active SYNC_REC connections. The number should be pretty low during normal behaviour. During the DDOS this count should increase to pretty high.

netstat -plan|grep :80|awk {‘print $5’}|cut -d: -f 1|sort|uniq -c|sort -nk 1

Print all port 80 connections and it’s count

netstat -n -p | grep SYN_REC | sort -u

Using soft function show list of all IPs instead of count.

netstat -n -p | grep SYN_REC | awk ‘{print $5}’ | awk -F: ‘{print $1}’

Print all SYN_REC connection status

netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

This will calculate and count the number of connections from each IP address connected to the server.

netstat -ntu | grep ESTABLISHED | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -nr

this will check all ESTABLISHED connection and its count of each IP

Basic DDOS mitigation with the CSF firewall.

There is no way to prevent a DDOS attack against any server connected to the internet. The CSF firewall can help to mitigate number of connections to the server.
This firewall gives facility to set the limit on connections per IP address. It will send you an email whenever it will block any IPs to the server. Also, it gives SYNflood Protection.