Determine the nature of the attack (SYN, GET, etc.) by counting TCP connections per state; a pile of SYN_RECV entries points to a SYN flood, while a large number of ESTABLISHED connections suggests an HTTP (GET) flood:
netstat -nat | awk '{print $6}' | sort | uniq -c
The following will list all the IPs connecting to the web server (port 80) ordered by connection count, with the busiest IPs at the bottom:
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk1
We can see which domains are most active (in the case of a GET-style attack) by listing the domain logs by modification time; the 50 most recently written logs are shown, newest last:
cd /usr/local/apache/domlogs/
ls -ltr | tail -50
Then, we can see which IPs are active on a particular domain (the client IP is the first field of each log line) and take appropriate action (drop in firewall, etc.):
cd /usr/local/apache/domlogs/
tail -f <domainname> | awk '{print $1}'
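As an added example (not part of the original post), a small POSIX shell script that turns the last step into a repeatable check: it counts requests per client IP in an Apache domain log, flags IPs above a chosen threshold, and breaks the count down per URL path so a flood of identical GETs stands out from a busy but legitimate client. The log lines are constructed for the example, and the field positions assume Apache's common/combined log format.

```shell
#!/bin/sh
# Added example, not from the original post: per-IP request counting over an
# Apache access log, with a threshold check. Assumes common/combined log
# format: field 1 is the client IP, field 7 is the requested path.

# Constructed sample log (made up for this example): three clients, one of
# which repeatedly requests the same URL.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "-"
198.51.100.4 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 2326 "-" "-"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 2326 "-" "-"
192.0.2.77 - - [10/Oct/2023:13:55:38 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 2326 "-" "-"
198.51.100.4 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# Print "count ip" for every client in log $1, busiest first.
top_ips_from_log() {
    awk '{print $1}' "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print only the IPs in log $1 whose request count exceeds $2; these are the
# candidates to inspect and, if they turn out to be abusive, block.
ips_over_threshold() {
    top_ips_from_log "$1" | awk -v max="$2" '$1 > max {print $2}'
}

# Print "count ip" for requests in log $1 that hit exactly the URL path $2,
# which separates a flood of one URL from ordinary browsing.
hits_per_ip_for_path() {
    awk -v path="$2" '$7 == path {print $1}' "$1" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Usage against the constructed log (replace SAMPLE_LOG with a real domlog).
top_ips_from_log "$SAMPLE_LOG"
echo "--- IPs with more than 3 requests:"
ips_over_threshold "$SAMPLE_LOG" 3
echo "--- hits on / per IP:"
hits_per_ip_for_path "$SAMPLE_LOG" /
```

To run it against a live log instead of the constructed one, point SAMPLE_LOG at /usr/local/apache/domlogs/<domainname>, or pass that path to the functions directly.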