This article explains how to check for a Distributed Denial of Service (DDoS) attack from your server's command line interface (CLI).
Your website is slow, and you have no analysis tools available other than your CLI to check for a potential DDoS attack. The symptoms of a DDoS attack vary widely depending on your network configuration, the software in use, and other factors.
However, it is recommended that you utilize analysis software products that are specifically designed to help identify DDoS attacks.
There are multiple possible causes for a slow website, including a slowly performing server, high CPU usage, misconfigured scripts or code, or cheap hardware. Sometimes it could be due to a DDoS attack. Two of the basic tools you have to check for a DDoS attack are your Adobe Commerce logs and your CLI.
Again, it is important to note that software specifically designed to identify DDoS attacks would be very useful in your investigation.
netstat
Use the netstat command: netstat -na. This displays all active established connections to the server. Here you might notice too many connections coming from the same IP address. To restrict the output to HTTP connections on port 80: netstat -an | grep :80 | sort
You may repeat the same command for HTTPS on port 443: netstat -an | grep :443 | sort
Another option is to extend the original command to both ports 80 and 443: netstat -an | egrep ":80|:443" | sort
To check how many connections in the SYN_REC state (half-open TCP handshakes) are occurring on the server, use the command: netstat -n -p | grep SYN_REC | wc -l
This is usually less than 5, but it could be much higher during a DDoS attack, though for some servers a higher number can be a normal condition. (Linux netstat prints this state as SYN_RECV; the pattern SYN_REC matches it as a prefix. The -p option only shows process information for other users' sockets when run as root.)
To list the connections in the SYN_REC state, use the command: netstat -n -p | grep SYN_REC | sort -u
To list only the remote IP addresses of the connections in the SYN_REC state, use the command: netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
Use the netstat command to count the number of connections that each IP address makes to your server: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
To count connections per IP address over both TCP and UDP: netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
To count only ESTABLISHED connections per IP address, busiest first: netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
To count connections per IP address on port 80 only: netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
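The per-IP connection counting and the SYN_REC count described above, as an added shell example that is not part of the original article (the article gives only the one-line commands). It assumes only POSIX sh, awk and sort; SAMPLE_NETSTAT is a constructed block of netstat -ntu style output used as stand-in input, and the function names conn_count_per_ip, syn_recv_count and flag_ips are my own. It generalizes the article's cut -d: -f1 step by stripping the trailing port with a regex, so IPv6 foreign addresses (which themselves contain colons) are counted correctly instead of being truncated.

```shell
#!/bin/sh
# Added example (not from the Adobe Commerce article): per-IP connection
# counting over netstat output. SAMPLE_NETSTAT is constructed data in
# "netstat -ntu" layout; on a live server pipe the real command in instead:
#   netstat -ntu | conn_count_per_ip

SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.5:80         203.0.113.10:51234      ESTABLISHED
tcp        0      0 198.51.100.5:80         203.0.113.10:51235      SYN_RECV
tcp        0      0 198.51.100.5:443        203.0.113.10:51236      ESTABLISHED
tcp        0      0 198.51.100.5:80         203.0.113.10:51237      SYN_RECV
tcp        0      0 198.51.100.5:443        192.0.2.44:40001        ESTABLISHED
tcp        0      0 198.51.100.5:80         192.0.2.44:40002        TIME_WAIT
tcp        0      0 198.51.100.5:22         198.51.100.9:55000      ESTABLISHED
tcp6       0      0 ::ffff:198.51.100.5:443 2001:db8::7:60000       ESTABLISHED
udp        0      0 198.51.100.5:53         192.0.2.77:3000         ESTABLISHED'

# Count connections per remote IP. Reads netstat output on stdin, keeps only
# tcp/tcp6/udp/udp6 rows (skipping the two header lines), strips the trailing
# ":port" from the Foreign Address column and prints "<count> <ip>" with the
# busiest address first. Unlike "cut -d: -f1", the regex keeps IPv6 intact.
conn_count_per_ip() {
    awk '$1 ~ /^(tcp|udp)6?$/ { ip = $5; sub(/:[0-9]+$/, "", ip); c[ip]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Count rows in the SYN_RECV state (half-open handshakes). Linux netstat prints
# the state as SYN_RECV; matching the prefix SYN_REC mirrors the article's grep.
syn_recv_count() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $6 ~ /^SYN_REC/ { n++ } END { print n + 0 }'
}

# Print only the IPs whose connection count reaches the threshold given as $1.
# The threshold is site-specific; pick it from what is normal for your server.
flag_ips() {
    conn_count_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_NETSTAT" | conn_count_per_ip
printf 'SYN_RECV rows: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_count)"
printf 'IPs at or above 3 connections: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | flag_ips 3)"
```

On the sample, 203.0.113.10 accounts for four of the nine connections and both SYN_RECV rows, which is the pattern the article tells you to look for; a single busy address is still only a signal, not proof, so the threshold passed to flag_ips should be tuned to your site's normal traffic.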
Make sure someone qualified analyzes the data you find to determine whether you are in fact under a DDoS attack. Running the netstat commands above from your server CLI will help you assess whether you are experiencing a DDoS attack, but software analysis products specifically designed to identify DDoS attacks, combined with proper analysis, are your best tools for identifying DDoS threats.
If you find that you are under a DDoS attack, the steps you can take depend on your network configuration and how the attack is occurring, but the general advice is to contact your ISP, get a new IP address for your server, and/or consult IT professionals skilled in handling DDoS issues to analyze and advise on your particular situation.