DEV Community

Fernando Muller Junior


Linux commands to analyze DDoS attacks

Introduction

DDoS (Distributed Denial of Service) attacks are a constant threat to online services and can cause significant damage to companies and individuals. Fortunately, Linux ships with a number of powerful commands that can be used to analyze these attacks and to mitigate the ones a single host can absorb. In this article, we will explore some of the main Linux commands that can be used to identify and combat DDoS attacks, helping to keep your infrastructure secure.


Monitoring Network Traffic

One of the first steps in dealing with a DDoS attack is to understand what is happening on your network. The netstat command shows you the sockets the host currently has open, which tells you who is connected and in what state (it does not measure traffic volume; tcpdump and the Prometheus counters below do that). The following command lists every TCP socket with numeric addresses and the owning process:


 netstat -antp 

For each socket it displays the protocol, the local and remote IP address and port, the connection state and the PID/program that owns it (the program column needs root). netstat comes from the deprecated net-tools package; on current distributions ss -antp from iproute2 prints the same information. During a SYN flood you will see many sockets stuck in SYN_RECV from many different sources; during a connection flood you will see one source holding an abnormal number of ESTABLISHED connections.

Identifying Suspicious IP Addresses

Another way to detect a DDoS attack is to look for IP addresses that are sending an abnormally high volume of traffic. iptables does not list connections, but every firewall rule carries a packet and byte counter, and those counters show how much traffic each rule has matched. The following command lists the rules in every chain with their counters and rule numbers, keeping only the TCP ones:


 iptables -L -n -v --line-numbers | grep "tcp" 

The first two columns are the packets and bytes matched by that rule since the counters were last zeroed (iptables -Z). Because the counters belong to rules rather than to source addresses, you only get a per-IP reading once you have a rule per address, for instance a DROP rule for each host you have already blocked, whose counter then shows how hard that host is still hitting you. To find the offenders in the first place, count the peers in the socket table (netstat or ss) or in a packet capture, then add each one to the INPUT chain with a DROP rule. Expect this to help against a few abusive hosts only: a real distributed attack uses more sources than you can block by hand, and if it saturates your uplink, dropping packets on the host does nothing about the bandwidth already consumed.
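The two steps above, counting peers in the socket table and turning the heaviest ones into DROP rules, as an added example that is not part of the original post. It reads the output of ss -antH (or netstat -ant) on standard input, runs here on a constructed sample rather than a live host, and only prints the iptables commands; the threshold and the sample addresses are assumptions:

```shell
#!/bin/sh
# Added example, not from the original post: rank remote peers by open sockets
# and emit an iptables DROP rule for each one above a threshold.
# Input: `ss -antH` or `netstat -ant` output on stdin (IPv4 only). In both
# layouts the peer/foreign address is the fifth column.

# Constructed sample in `ss -antH` layout: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE='ESTAB 0 0 198.51.100.10:80 203.0.113.7:40001
ESTAB 0 0 198.51.100.10:80 203.0.113.7:40002
SYN-RECV 0 0 198.51.100.10:80 203.0.113.7:40003
ESTAB 0 0 198.51.100.10:443 203.0.113.7:40004
ESTAB 0 0 198.51.100.10:80 192.0.2.25:51000
ESTAB 0 0 198.51.100.10:22 192.0.2.25:51001
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
ESTAB 0 0 198.51.100.10:80 192.0.2.99:60000'

# Print "count ip" per peer address, busiest first. Header lines from netstat
# and LISTEN sockets (peer 0.0.0.0:*) are skipped by the address pattern.
peer_counts() {
  awk '$5 ~ /^[0-9.]+:[0-9]+$/ { split($5, a, ":"); n[a[1]]++ }
       END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Print (do not apply) an iptables rule for every peer holding more than $1
# sockets. -I puts the rule at the head of INPUT, ahead of any ACCEPT rule.
block_rules() {
  peer_counts | awk -v t="$1" '$1 > t { printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

# Demo on the constructed sample; on a live host: ss -antH | block_rules 50
printf '%s\n' "$SAMPLE" | block_rules 3
```

On a live host, ss -antH | block_rules 50 prints a rule for every peer holding more than 50 sockets, and piping that into sh as root applies them. Review the list before you do: a busy NAT gateway or a CDN edge legitimately holds many connections. For more than a handful of addresses, put them in an ipset matched by a single iptables rule rather than adding one rule per address; rule evaluation is linear, and a long chain of per-IP DROP rules costs CPU on every packet of the very flood you are trying to absorb.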

Analyzing System Logs with Grep and Awk

Linux system logs can also provide valuable information about a DDoS attack, especially when your firewall has a LOG rule that writes dropped or rate-limited packets to the kernel log. You can use grep and awk to filter and summarise those lines. For example, the following command takes the last 20 lines of the system log, keeps the ones that mention refused, dropped or blocked traffic, pulls a few fields out of each and counts how often each combination appears:


 tail -n 20 /var/log/syslog | grep -E "refused|dropped|blocked" | awk '{print $11, $12, $13, $14, $15}' | sort | uniq -c | sort -nr 

Two caveats. First, tail -n 20 looks at 20 lines only, which during a flood is a fraction of a second of logging; widen the window or read the whole file (on distributions without a syslog daemon the kernel log lives in the journal, journalctl -k). Second, the awk field numbers ($11 to $15) are tied to one particular log layout and break as soon as the timestamp or hostname format changes; netfilter LOG lines are key=value pairs, so it is more robust to pick out the SRC= or DPT= field by name than to count on a column position.
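A field-based version of that summary, as an added example that is not part of the original post. It groups netfilter LOG lines by whichever key you name (SRC, DST, DPT, PROTO, ...), so it does not depend on column positions, and it runs on a constructed syslog excerpt; the "DDOS" log prefix, hostnames and addresses in the sample are assumptions:

```shell
#!/bin/sh
# Added example, not from the original post: group netfilter LOG lines in
# syslog by any of their key=value fields (SRC, DST, DPT, PROTO, ...) instead
# of relying on fixed awk column numbers.

# Constructed syslog excerpt: five LOG lines tagged "DDOS" by an iptables LOG
# rule, plus one unrelated sshd line that must be ignored.
SAMPLE_LOG='Mar  3 10:15:01 web1 kernel: [12345.678901] DDOS IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:01 web1 kernel: [12345.678950] DDOS IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:01 web1 sshd[4242]: Connection closed by 192.0.2.25 port 51001
Mar  3 10:15:02 web1 kernel: [12346.000001] DDOS IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web1 kernel: [12346.000100] DDOS IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.25 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web1 kernel: [12346.000200] DDOS IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0'

# Usage: log_group_by KEY < logfile   -> "count value" lines, most frequent first.
# Only lines that look like netfilter LOG output (kernel: ... IN=) are parsed;
# bare flag tokens such as DF and SYN have no "=" and are skipped.
log_group_by() {
  awk -v key="$1" '
    /kernel:.*IN=/ {
      for (i = 1; i <= NF; i++)
        if (split($i, kv, "=") == 2 && kv[1] == key && kv[2] != "") n[kv[2]]++
    }
    END { for (v in n) print n[v], v }' | sort -k1,1nr -k2,2
}

# Source addresses, then destination ports, from the constructed excerpt.
# On a live host: grep DDOS /var/log/syslog | log_group_by SRC | head
printf '%s\n' "$SAMPLE_LOG" | log_group_by SRC
printf '%s\n' "$SAMPLE_LOG" | log_group_by DPT
```

Grouping by DPT tells you which service is being targeted, grouping by SRC gives you the candidate block list, and grouping by TTL or WINDOW often exposes a single attack tool behind many spoofed source addresses, because those fields stay constant while SRC varies.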

Identifying Suspicious IP Addresses with fail2ban

fail2ban monitors log files and automatically bans IP addresses that match a pattern too many times in a given window. You can point it at the firewall log and define a jail that bans a source once it shows up repeatedly. Here is an example jail, placed in jail.local, that watches an iptables log:



[ddos-protection]
enabled = true
filter = ddos-protection
action = iptables-multiport[name=DDOS, port="http,https"]
logpath = /var/log/iptables.log
maxretry = 5


Three things have to be in place for this jail to do anything. The log file must actually be written: kernel LOG rules go to the kernel log by default, so rsyslog (or journald) has to route those lines to /var/log/iptables.log. The filter named on the filter line must exist as /etc/fail2ban/filter.d/ddos-protection.conf, with a failregex that captures the source address as <HOST>. And maxretry = 5 means five matches within the default findtime of ten minutes before a ban, which is far too slow for a flood; shorten findtime and raise maxretry so that an attacker trips the rule within seconds while a normal client never does. Keep in mind that fail2ban reacts per address after the fact: it is effective against a handful of abusive hosts, not against a large distributed flood, where new sources arrive faster than it can ban them.

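The filter file that the jail above refers to, as an added example that is not part of the original post. It assumes the iptables LOG rule feeding the log uses the prefix "DDOS " (the prefix is an assumption; use whatever --log-prefix your rule sets) and matches netfilter's key=value line, handing the SRC= field to fail2ban as the <HOST> token:

```ini
# /etc/fail2ban/filter.d/ddos-protection.conf  (added example, not from the post)
# Written for kernel LOG lines such as:
#   kernel: DDOS IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 ... PROTO=TCP DPT=80 ...
# The "DDOS " prefix is an assumption: it must match the --log-prefix of the
# iptables LOG rule that produces /var/log/iptables.log.
[Definition]
failregex = ^.*DDOS .*SRC=<HOST> .*$
ignoreregex =
```

Check the filter against real log lines before enabling the jail: fail2ban-regex /var/log/iptables.log /etc/fail2ban/filter.d/ddos-protection.conf reports how many lines matched and which addresses it extracted, which is the quickest way to catch a prefix or timestamp mismatch that would otherwise leave the jail silently matching nothing.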

Monitoring Network Traffic with tcpdump

To get a more detailed view of network traffic, tcpdump is the tool to reach for: it captures packets from an interface so you can see exactly who is sending what. The following command captures every packet on the eth0 interface and writes it to a file for later analysis:


tcpdump -i eth0 -w ddos_capture.pcap

Do not run it like that for long on a host that is actually under attack. A flood of a few hundred thousand packets per second fills the disk quickly and competes for CPU with the services you are trying to keep up. Limit the capture with a packet count, a short snaplen (the headers are all you need for this analysis, so 96 bytes is plenty), and a filter that keeps only the traffic in question, and pass -nn so tcpdump does not resolve names, which would generate DNS traffic of its own. Read the file back with tcpdump -r, or with Wireshark, to rank sources and destination ports and to see whether the offending sources ever complete a handshake.
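Reading a capture back and scoring each source by how many of its packets are bare SYNs, as an added example that is not part of the original post. A host that only sends SYNs and never completes a handshake is the signature of a SYN flood (or of spoofed sources), while a genuine client shows SYN, ACK and data. The function works on tcpdump's text output; the capture command in the comments, the interface eth0, the packet limit and the sample addresses are assumptions:

```shell
#!/bin/sh
# Added example, not from the original post: rank sources in a capture by the
# share of their packets that are SYN-without-ACK. IPv4 ("IP") lines only.

# Suggested capture on a host under attack (interface eth0 is an assumption):
# header-only snaplen, a hard packet limit, no name resolution, web ports only.
#   tcpdump -nn -i eth0 -s 96 -c 100000 -w ddos_capture.pcap 'tcp and (port 80 or port 443)'
# Then read it back as text and feed it to the function:
#   tcpdump -nn -tt -r ddos_capture.pcap | syn_ratio | head

# Constructed `tcpdump -nn -tt` text output: one flooder that only sends SYNs
# (203.0.113.7) and one client that completes a handshake (192.0.2.25).
SAMPLE_DUMP='1700000000.000100 IP 203.0.113.7.40001 > 198.51.100.10.80: Flags [S], seq 10, win 65535, length 0
1700000000.000200 IP 203.0.113.7.40002 > 198.51.100.10.80: Flags [S], seq 11, win 65535, length 0
1700000000.000300 IP 203.0.113.7.40003 > 198.51.100.10.80: Flags [S], seq 12, win 65535, length 0
1700000000.000400 IP 203.0.113.7.40004 > 198.51.100.10.443: Flags [S], seq 13, win 65535, length 0
1700000000.000500 IP 192.0.2.25.51000 > 198.51.100.10.80: Flags [S], seq 20, win 64240, length 0
1700000000.000600 IP 198.51.100.10.80 > 192.0.2.25.51000: Flags [S.], seq 500, ack 21, win 65160, length 0
1700000000.000700 IP 192.0.2.25.51000 > 198.51.100.10.80: Flags [.], ack 501, win 502, length 0
1700000000.000800 IP 192.0.2.25.51000 > 198.51.100.10.80: Flags [P.], seq 21:100, ack 501, win 502, length 79'

# Output one line per source: "ip bare_syns total_packets ratio", worst first.
# In tcpdump's text layout field 3 is src.port, field 7 is the flags token;
# "[S]," means SYN set and ACK clear, "[S.]," is a SYN-ACK, "[.]," a pure ACK.
syn_ratio() {
  awk '
    $2 == "IP" {
      src = $3; sub(/\.[0-9]+$/, "", src)      # strip the source port
      total[src]++
      if ($7 ~ /^\[S\],?$/) syn[src]++
    }
    END {
      for (s in total)
        printf "%s %d %d %.2f\n", s, syn[s] + 0, total[s], (syn[s] + 0) / total[s]
    }' | sort -k4,4nr -k2,2nr
}

printf '%s\n' "$SAMPLE_DUMP" | syn_ratio
```

A ratio near 1.00 with a high SYN count is a source to block (or, if the addresses look random and the TTL values are uniform, a spoofed flood that per-IP blocking cannot stop; SYN cookies on the kernel side are the answer there). The server's own SYN-ACKs show up as a source with ratio 0.00 and can be ignored.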




Analyzing Performance Metrics with Prometheus

To get a comprehensive view of your infrastructure's performance during a DDoS attack, you can use Prometheus, a monitoring and alerting system that scrapes metrics from exporters running on your hosts. With node_exporter installed it collects CPU, memory, connection-tracking and per-interface network counters, so you can see a flood begin and watch it against the load on the services behind it, and alert before anything falls over.

Here's an example of a query that returns the bytes received on a specific interface:



node_network_receive_bytes_total{device="eth0"}

That series is a counter, so on its own it only ever grows; what you graph or alert on is its rate, e.g. rate(...[1m]) for bytes per second. Many floods are made of small packets, so node_network_receive_packets_total (packets per second) often shows an attack more clearly than bytes, and node_nf_conntrack_entries compared with node_nf_conntrack_entries_limit tells you how close the connection-tracking table is to overflowing, which is the point at which a Linux firewall starts dropping legitimate connections too.
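Two alerting rules built on those counters, as an added example that is not part of the original post. The device name eth0, the 50000 packets-per-second floor, the 5x-over-yesterday multiplier and the 80% conntrack threshold are assumptions to tune per host; the metric names are node_exporter's:

```yaml
# Added example, not from the post: Prometheus alerting rules on node_exporter
# counters. Device name and all thresholds are assumptions; tune them per host.
groups:
  - name: ddos
    rules:
      - alert: InboundPacketFlood
        # Inbound packets/s over the last minute, compared with the same
        # minute one day earlier so a normal daily peak does not page anyone.
        expr: |
          rate(node_network_receive_packets_total{device="eth0"}[1m])
            > 5 * rate(node_network_receive_packets_total{device="eth0"}[1m] offset 1d)
          and rate(node_network_receive_packets_total{device="eth0"}[1m]) > 50000
        for: 2m
        labels:
          severity: page
        annotations:
          summary: "Inbound pps on {{ $labels.instance }} is 5x yesterday's level"
      - alert: ConntrackTableNearFull
        # When the table fills, the kernel drops new connections for everyone.
        expr: node_nf_conntrack_entries / node_nf_conntrack_entries_limit > 0.8
        for: 1m
        labels:
          severity: warn
        annotations:
          summary: "conntrack table on {{ $labels.instance }} is above 80% of its limit"
```

The absolute floor in the first rule matters: a 5x jump on an idle host can be a few hundred packets per second, which is not an attack. The conntrack rule is the one to act on fastest, since raising nf_conntrack_max or lowering the established-connection timeout buys time before legitimate clients start failing.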




Conclusion

The Linux commands presented in this article are just a few examples of how you can use the Linux operating system to analyze and combat DDoS attacks. By mastering these tools, you will be better prepared to keep your infrastructure safe against cyber threats. Bear in mind their limit, though: they work as long as the traffic still reaches a host that can inspect it, and a volumetric attack that saturates your uplink has to be dropped upstream, by your provider or a scrubbing service, before any command on the host can help.
To find out more about useful linux commands, check out the detailed article at https://devopsmind.com.br/en/linux-en-us/bash-terminal-commands-cheat-sh/.
Stay vigilant and keep your network safe!
