Unix shell commands to detect a DDoS attack and its source
Posted by Stanislav Furman
on April 25, 2014
Hello Coders!
In this article I'd like to show you a few handy Unix shell commands that would help you to detect if your server is (was) under DDoS/DoS attack. However, keep in mind, that protection from DDoS attacks is quite complex and if you are dealing with a massive DDoS attack, you would need to contact your IPS or Hosting Provider (i.e. 1&1) for assistance.
So. What do we work with? We can do some analysis based on your Apache access log data. Assuming you have a standard Apache access log, and you are running your website on Unix. Let's now get the total number of requests per day:
## Get number of requests per day:
awk '{print $4}' access.log | cut -d: -f1 | uniq -c
This will display you a list the total number of HTTP requests per day. See if you have any unusual increses comparing to other days. Now see the total number of requests per hour for a specific date (April 25th in this example):
## Get number of requests per hour:
grep "25/Apr" access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c
See when was the peak of requests to determine the time of attack. You can also get number of requests per minute (replace XX with the hour in hh format ):
## Get number of requests per minute:
grep "25/Apr/2014:XX" access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":"$3}' | sort -nk1 -nk2 | uniq -c | awk '{ if ($1 > 10) print $0}'
Finnaly, let's try to determine the source of attack grabbing the list of IPs with number of requests from them:
## Get list of IPs:
awk '{!a[$1]++}END{for(i in a) if ( a[i] >10 ) print a[i],i }' access.log
List could be pretty long, so you might need to redirect the output to a file:
## Get list of IPs to a file
awk '{!a[$1]++}END{for(i in a) if ( a[i] >10 ) print a[i],i }' access.log > list_of_ips.txt
Now, when you have the list of unique IP addresses and number of requests from them, you can see the most "active" IP(s) that are sending requests the most. Make sure that this IP address does not belong to a search engine bot such as Google or Bing. You can do it by using one of those IP lookup services such as ip-lookup.net. If it is not a search bot, then ask your ISP or Hosting Provider to block access from this IP address.
If you are dealing with a minor DoS (denial-of-service) when someone is just scraping your website or trying to scan it, then you can simply block the IP using .htaccess file:
order deny,allow
deny from XXX.XXX.XXX.XXX
Keep in mind that these are just a few pretty basic commands that would give you an idea about HTTP requests that your server has gotten.
Leave your comment