Looking Into DOS And DDOS Attacks

01.21.2006
A good guide to what to do when your server is attacked: http://etechsupport.net/forum/showthread.php?t=434

top -d2
netstat -nap | grep SYN | wc -l
netstat -nap | less

If top shows many httpd processes, you might be under attack. If the second command returns a high count, you are almost definitely under attack. Use the third command to see the IP addresses, and then ban them from the server:

iptables -A INPUT -s ip.address -j DROP
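
To see which remote addresses account for the connections counted by the second command, the following added example (not part of the original snippet) groups SYN_RECV entries in netstat output by source IP. The function names, the threshold argument and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# syn_recv_by_source [THRESHOLD]
# Reads `netstat -nap` output on stdin and prints "COUNT IP" for every
# remote address with at least THRESHOLD (default 20) connections in
# SYN_RECV, highest count first.
syn_recv_by_source() {
    threshold="${1:-20}"
    awk -v min="$threshold" '
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)   # drop the remote port
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    print count[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (documentation address ranges), not a real capture.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.7:51237      SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.7:40000      ESTABLISHED 1240/httpd
tcp        0      0 192.0.2.10:80           203.0.113.9:33001       SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.9:33002       SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.9:33003       SYN_RECV    -
tcp        0      0 192.0.2.10:80           192.0.2.44:45000        SYN_RECV    -
EOF
}

# Show sources with 3 or more half-open connections in the sample.
sample_netstat | syn_recv_by_source 3
```

On a live server, run `netstat -nap | syn_recv_by_source 20` instead of the sample. Source addresses in a SYN flood can be spoofed, so review the list before turning entries into DROP rules.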

Also try the following to clean up the server:
cd /dev/shm
ls

And delete anything that's not supposed to be there.

locate bindz
locate botnet.txt
locate dc
locate ex0.pl
locate kaiten
locate r0nin
locate udp.pl
locate ...
lsof | grep .,
locate mybot