🐧 How to quickly check if your Linux server is under DoS attack from one IP address

If you have Linux servers in your data center, or are hosted on a cloud server (such as AWS, Google Cloud, or Azure), you cannot guarantee that they are secure just because of the operating system you deploy.

While Linux is one of the most secure operating systems on the market, it isn’t perfect.

In fact, attacks on this platform are on the rise and will continue to grow as the popularity of Linux grows.

What to do?

If you suspect that one of your servers may be attacked, you need to check it.

But how?

In this article, I’m going to show you a few commands that help you determine whether your server is undergoing a denial of service (DoS) attack coming from a single IP address, the kind that tries to crash a website so that its server appears to be down.

There is another form of this attack, Distributed Denial of Service (DDoS), which comes from multiple sources.

Let’s find out how to determine if your Linux server is the target of a DoS attack.

What do you need

All you need for this is a Linux server and a user with sudo privileges.

I will be demonstrating on Ubuntu Server 20.04.

We are going to use the netstat tool to find out what IPs are currently connected to your server. To install netstat on Ubuntu, you actually install net-tools, for example:

sudo apt-get install net-tools -y

If you are using CentOS or a Red Hat based installation, netstat should already be installed.

The first thing we’re going to do is check the load on our server.

The command we will use for this will return the number of logical processors (threads).

On the server, this number should be pretty low, but it depends on what you are running.

When you know everything is in order, run the check to establish a baseline and record the number.

If you later suspect something is happening, run the check again and compare the results.

To check the number of logical processors, enter the command:

grep processor /proc/cpuinfo | wc -l

If this number is significantly higher than your baseline, you may be in trouble.

For example, on my Pop!_OS desktop I have 16 threads, but on a Nextcloud-hosting Ubuntu server I only have two.

If either of those numbers doubled, I might be under a DDoS attack.

How to check the load on your network

Next, we will check the load on our network.

This can be done with a number of tools, but I choose nload.

To install nload, enter the command:

sudo apt-get install nload -y

On CentOS, this command would be:

sudo dnf install nload -y

To run the tool, just enter the command:

nload

If this load is significantly higher than you expect, you may be under attack.

How to find out which IP addresses are connected to your server

The next thing you need to do is find out which IPs are connected to your server.

For this we will use netstat like this:

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s|sort|uniq -c|sort -nk1 -r

The output of the above command lists each IP address connected to the server and the number of connections from each. Review this list carefully. If you see an IP address with a large number of connections (more than 100), the chances are high that this address is responsible for the load. Once you are sure of the culprit, you can block the IP address with the command:

sudo route add ADDRESS reject

Where ADDRESS is the suspect’s IP address.
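As an added example (not from the article), the script below does the same per-IP tally as the netstat pipeline above on a constructed sample of `netstat -ntu` output, but strips only the trailing port, so IPv6 peers (whose addresses contain colons and are mangled by `cut -d: -f1`) are counted correctly, and skips wildcard `*` entries that UDP sockets produce; the sample addresses and the threshold argument are my own choices.

```shell
#!/bin/sh
# Added example, not from the article: tally remote peers from netstat -ntu
# output and flag any peer at or above a connection-count threshold.

# Constructed sample in `netstat -ntu` format (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:443            203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:22             198.51.100.2:40001      ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8:1::9:60000     ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8:1::9:60001     ESTABLISHED
udp        0      0 10.0.0.5:123            0.0.0.0:*'

# Read netstat -ntu output on stdin; print "count ip" per remote peer, busiest first.
count_peers() {
  awk 'NR > 2 && index($5, "*") == 0 {
         peer = $5
         sub(/:[0-9]+$/, "", peer)   # drop only the trailing :port, keeps IPv6 intact
         n[peer]++
       }
       END { for (p in n) print n[p], p }' | sort -rn -k1,1
}

# Print only peers whose count is at or above the threshold (article suggests 100).
flag_peers() {
  threshold=${1:-100}
  count_peers | awk -v t="$threshold" '$1 >= t { print }'
}

# On a live host replace the sample with: netstat -ntu | count_peers
printf '%s\n' "$SAMPLE_NETSTAT" | count_peers
printf '%s\n' "$SAMPLE_NETSTAT" | flag_peers 3
```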

At this point, go back and recheck your load, connected IPs, and network traffic to see whether you have mitigated this DoS attack. If so, it’s time to report the offending IP address and probably deny it completely from your network. Next time, I’ll show you the process of preventing a DDoS attack. Stay with us!