Here is a command line to run on your Linux server if you think your server is under attack.
It prints our a list of open connections to your server and sorts them by ammount.
RedHat/Centos: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
BSD: netstat -na |awk '{print $5}' |cut -d "." -f1,2,3,4 |sort |uniq -c |sort -n
You can also check for connections by running the following command:
netstat -plan | grep :80 | awk '{print $4 }' | sort -n | uniq -c | sort
These are few step to be taken when you feel the server is under attack:
Step 1: Check the load using the command "w".
Step 2: Check which service is utilizing maximum CPU by "nice top".
Step 3: Check which IP is taking maximum connection by netstat -anpl|grep :80|awk {'print $5'}|cut -d":" -f1|sort|uniq -c|sort -n
Step 4: Then block the IP using firewall (APF or iptables "apf -d < IP>" )
You can also implement security features in your server like:
1) Install apache modules like mod_dosevasive and mod_security in your server.
2) Configure APF or CSF and IPTABLES to reduce the DDOS
3) Configure sysctl parameters in your server to drop attacks.
You can block the IP which is attacking your server using Ipsec from command prompt.
>> netsh ipsec static add filterlist name=myfilterlist
>> netsh ipsec static add filter filterlist=myfilterlist srcaddr=a.b.c.d dstaddr=Me
>> netsh ipsec static add filteraction name=myaction action=block
>> netsh ipsec static add policy name=mypolicy assign=yes
>> netsh ipsec static add rule name=myrule policy=mypolicy filterlist=myfilterlist filteraction=myaction
