# Many times we encounter a server such as cc or suffer syn attack, if you find yourself unusually slow access to websites and traffic anomaly. You can use the netstat command system built simple judgment about whether the server is attacked. Common netstat command
This command will display all active network connections.
#netstat -naView more simultaneously connected to which server IP, cc attack with. Or using a dual NIC adapter is available.
# netstat -an|awk '{print $4}'|sort|uniq -c|sort -nr|headSee which connect multiple IP connection to the server, you can view the connection abnormal IP.
#netstat -an|awk -F: '{print $2}'|sort|uniq -c|sort -nr|head80 show all network connection port and sorting. 80 port here is the http port, so it can be used to monitor web services. If you see the same IP connection of a large number of words can determine a single point of attack traffic.
#netstat -an | grep :80 | sort This command can find out the current server has SYNC_REC how many active connections. Normally this value is very small, preferably less than 5. Dos attack or when there are, this value is quite high. But some highly concurrent server, this value is really high, so high does not mean necessarily be attacked.
#netstat -n -p|grep SYN_REC | wc -l List all connected through the IP address.
#netstat -n -p | grep SYN_REC | sort -u It lists the IP addresses of all the nodes connected to the transmission SYN_REC.
#netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'Use netstat command to calculate the number of connections for each host connected to the machine.
#netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n It lists the number of all connected to the IP or UDP native TCP connection.
#netstat -anp |grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n Check ESTABLISHED connection and lists the number of connections for each IP address.
#netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr List all the machine 80 is connected to the port and IP address of its connections. Port 80 is typically used to process HTTP page request.
#netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1 80 shows the connection port prior to ip 10, and displays the number of connections for each IP. 80 port here is the http port, so it can be used to monitor web services. If you see the same IP connection of a large number of words can determine a single point of attack traffic.
#netstat -antp | awk '$4 ~ /:80$/ {print $4" "$5}' | awk '{print $2}'|awk -F : {'print $1'} | uniq -c | sort -nr | head -n 10