{"id":986,"date":"2013-01-24T04:36:49","date_gmt":"2013-01-24T10:36:49","guid":{"rendered":"http:\/\/blog.supportpro.com\/?p=986"},"modified":"2026-03-26T22:32:26","modified_gmt":"2026-03-27T04:32:26","slug":"how-to-verify-ddos-attack-with-netstat-command","status":"publish","type":"post","link":"https:\/\/www.supportpro.com\/blog\/how-to-verify-ddos-attack-with-netstat-command\/","title":{"rendered":"How to verify DDOS attack with netstat command?"},"content":{"rendered":"\n<p>A denial-of-service (DoS) attack or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. These attacks generally target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. DoS attacks are implemented by forcing the targeted computer to reset, by consuming its resources so that it can no longer provide its services, or by obstructing the communication media between the users and the victim so that they can no longer communicate adequately.<\/p>\n\n\n\n<p>This blog gives you an overview of how to identify a DDoS attack using the netstat command.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#netstat -na<\/code><\/pre>\n\n\n\n<p>Displays all active Internet connections to the server; only established connections are included.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#netstat -an | grep :80 | sort<\/code><\/pre>\n\n\n\n<p>Shows only active Internet connections to the server on port 80 and sorts the results. This is useful for detecting a single flood, because it lets you recognize many connections coming from one IP.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#netstat -n -p|grep SYN_REC | wc -l<\/code><\/pre>\n\n\n\n<p>Finds out how many active SYN_REC connections are occurring on the server. The number should be pretty low, preferably less than 5. During DoS attack incidents or mail bombs, the number can jump quite high. 
However, the value always depends on the system, so a value that is high on one server may be average on another.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#netstat -n -p | grep SYN_REC | sort -u<\/code><\/pre>\n\n\n\n<p>List all IP addresses involved.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}' | sort -u<\/code><\/pre>\n\n\n\n<p>List all the unique IP addresses of the nodes whose connections are in the SYN_REC state.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n<\/code><\/pre>\n\n\n\n<p>Use the netstat command to count the number of connections each IP address makes to the server.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#netstat -anp |grep 'tcp\\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n<\/code><\/pre>\n\n\n\n<p>List the number of connections each IP is making to the server over the TCP or UDP protocol.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr<\/code><\/pre>\n\n\n\n<p>Check only ESTABLISHED connections instead of all connections, and display the number of connections for each IP.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1<\/code><\/pre>\n\n\n\n<p>Show a list of IP addresses and the number of connections each is making to port 80 on the server. 
Port 80 is used mainly by the HTTP protocol.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Denial-of-service attack (DoS attack) or Distributed Denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. This attack generally target sites&hellip;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[4],"tags":[],"class_list":["post-986","post","type-post","status-publish","format-standard","hentry","category-server-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/986","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/comments?post=986"}],"version-history":[{"count":10,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/986\/revisions"}],"predecessor-version":[{"id":16700,"href":"https:\/\/www.supp
ortpro.com\/blog\/wp-json\/wp\/v2\/posts\/986\/revisions\/16700"}],"wp:attachment":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/media?parent=986"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/categories?post=986"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/tags?post=986"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}