Pre-analysis of a DDOS attack on a Cpanel or Linux server

Determine the nature of the attack (SYN, GET, ect):

netstat -nat | awk '{print $6}' | sort | uniq -c

The following will list all the IPs connecting to the server in order of most connections.

netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

We can see which domains are most active (in the case of a GET style attack):

cd /usr/local/apache/domlogs/
ls -ltr |tail -50

Then, we can see which IPs are active on a particular domain and take appropriate action (drop in firewall, ect):

cd /usr/local/apache/domlogs/
tail -f <domainname> | awk {'print $1'}

Comments are closed.