Linux Server under DDoS Attack

To find out which IP addresses are generating the flood, count the client address field of the web server access log. In the Apache/Nginx common and combined log formats the client IP is the first space-separated field, so the following command tallies the most recent 10000 requests per source address:

tail -n 10000 logfile.log | cut -f 1 -d ' ' | sort | uniq -c | sort -nr | more

The addresses at the top of the list are the candidates to block. Two caveats: if the server sits behind a reverse proxy, load balancer or CDN, the first field is the proxy's address and the real client has to be read from the forwarded header the proxy writes instead; and if the attack is genuinely distributed, the requests are spread over many addresses with only a handful each, and blocking by source IP will not help much.

Another way is to look at which resources are being requested. The request line ("GET /path HTTP/1.0") is the first double-quoted field of the log line, and the path is the second word of that field:

cut -f 2 -d '"' logfile.log | cut -f 2 -d ' ' | sort | uniq -c | sort -nr | more

You will probably see that the traffic hammers one specific resource, a pattern that is typical of a known attack. For example, a common attack against WordPress looks like this in the log:

GET /index.php? HTTP/1.0
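The two one-liners above, wrapped into shell functions and run over a constructed sample log, together with a threshold filter that turns the per-IP counts into firewall rules. This is an added example and not code from the original post: the log lines are made up for the demonstration, the request threshold and the iptables rule format are assumptions, and the rules are printed for review rather than executed.

```sh
#!/bin/sh
# Added example: triage an access log for an HTTP flood.
# Constructed sample log in Apache/Nginx "combined" format. Field 1 is the
# client IP; the first double-quoted field is the request line "METHOD PATH PROTO".
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF

# Request count per client IP over the last 10000 lines, highest first
# (the same pipeline as the post, minus the pager).
count_ips() {      # usage: count_ips LOGFILE
    tail -n 10000 "$1" | cut -f 1 -d ' ' | sort | uniq -c | sort -nr
}

# Top N client IPs: "<count> <ip>" per line.
top_ips() {        # usage: top_ips LOGFILE [N]
    count_ips "$1" | head -n "${2:-10}"
}

# Top N requested paths: second double-quoted field is the request line,
# second word of that is the path.
top_paths() {      # usage: top_paths LOGFILE [N]
    tail -n 10000 "$1" | cut -f 2 -d '"' | cut -f 2 -d ' ' | sort | uniq -c | sort -nr | head -n "${2:-10}"
}

# Only the addresses that sent more than THRESHOLD requests (assumed cut-off),
# one per line, so the list can be fed straight into a firewall rule.
noisy_ips() {      # usage: noisy_ips LOGFILE THRESHOLD
    count_ips "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# Print (do not run) an iptables DROP rule for every address over the threshold.
# Review the list before applying it: a shared NAT or a proxy address would take
# legitimate users offline too.
block_rules() {    # usage: block_rules LOGFILE THRESHOLD
    noisy_ips "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

top_ips "$LOG" 3
top_paths "$LOG" 3
block_rules "$LOG" 3
```

On the sample, `top_ips` puts 203.0.113.5 first with 4 requests, `top_paths` shows `/index.php?` as the most requested path, and `block_rules` with a threshold of 3 emits a single rule for 203.0.113.5. Behind a CDN or load balancer, replace `cut -f 1 -d ' '` with whatever field your log format uses for the forwarded client address, otherwise every rule would target the proxy.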