Tuesday, March 8, 2011

How to Find and Check Number of Connections to a Server

Whenever a client connects to a server over the network, a connection is established and a socket is opened on the system. On a busy, heavily loaded server the number of open connections can run into the hundreds, if not thousands. Listing the connections per node, client or IP address is useful for capacity planning and, in many cases, for detecting whether a web server is under a DoS or DDoS (Distributed Denial of Service) attack, where one or a few IP addresses open a very large number of connections to the server. Administrators and webmasters can use the netstat command to check the connection counts on the server.

Below are some typical examples of netstat command syntax for checking and showing the number of connections a server has. Run 'man netstat' for the full manual; there are many options and flags for producing meaningful lists and counts. Note that on newer Linux systems netstat is deprecated in favour of ss from the iproute2 package, which accepts similar options but prints its columns in a different order, so the awk field numbers used below need adjusting for it.

#netstat -na
 
Display all sockets (-a), including listening ones, with numeric addresses and ports (-n) instead of resolved hostnames and service names. Without -a, netstat shows only connected sockets, i.e. established connections and the other non-listening states.

#netstat -an | grep :80 | sort

Show only connections involving port 80 and sort the results, so that many connections from the same IP are grouped together and a single-source flood is easy to spot. Note that grep :80 also matches ports that merely begin with 80, such as :8080; grep ':80 ' (with a trailing space) restricts the match to port 80 itself.

#netstat -n -p|grep SYN_REC | wc -l
 
Show how many connections are currently in the SYN_RECV state (netstat prints it as SYN_RECV, which grep SYN_REC matches as a substring). This is the half-open state after the server has received a SYN and replied with SYN-ACK but has not yet received the client's final ACK. The number should normally be low, preferably fewer than 5. During a DoS attack such as a SYN flood, or a mail-bombing incident, the count can jump sharply. The normal value always depends on the system, however, so a figure that is high on one server may be average on another. The -p option (show the owning process) requires root privileges to report every socket.

#netstat -n -p | grep SYN_REC | sort -u
 
List the matching lines instead of just a count; with -u, sort prints each distinct line only once. Because the remote port is still part of each line, the same IP address appears once per distinct port, so this is not yet a list of unique IPs.

#netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}' | sort -u
 
List the unique IP addresses of the nodes whose connections are in the SYN_RECV state. Column 5 is the foreign (remote) address, the second awk strips the port, and the trailing sort -u deduplicates; without it the same IP would be printed once per half-open connection. The awk -F: split assumes IPv4: an IPv6 address contains colons itself and would be truncated after its first group.

#netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
 
Count the number of connections each IP address has open to the server over TCP (-t) and UDP (-u), with the busiest IP last. The two netstat header lines also pass through the pipeline and show up as stray one-count entries; they can be ignored or removed with an extra grep -v.

#netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
 
Count the connections per IP over TCP or UDP. Because -a is included, listening sockets are counted too, which adds entries such as 0.0.0.0 taken from their 'Foreign Address' column.

#netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
 
Count only ESTABLISHED connections instead of all connections, and display the count for each IP with the busiest IP first (-r reverses the sort order).

#netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
 
Show each IP address and its number of connections to port 80 on the server, sorted by count. Port 80 is the default port for HTTP web requests. As with the earlier grep :80, the match also catches ports such as 8080 unless it is tightened.
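Putting the one-liners above together, here is an added shell example (not from the original post) that does what they do but handles their rough edges: it skips netstat's header lines, filters on an exact connection state and an exact local port instead of a substring match, and strips the remote port by cutting at the last colon so IPv6 peers are counted correctly rather than truncated. The netstat output it parses is a constructed sample embedded in the script, and the function names conn_per_ip, syn_recv_total and flag_sources, as well as the threshold of 3, are my own choices.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not captured from a real host).
# One source, 203.0.113.7, holds two half-open (SYN_RECV) connections plus one
# established one; the IPv6 peer exercises the address/port split.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.22:40001     ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.22:40002     ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:55000     ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.10:9999         ESTABLISHED'

# conn_per_ip [STATE] [LOCAL_PORT]
# Reads netstat -ntu output on stdin and prints "count ip", busiest first.
# STATE (e.g. ESTABLISHED, SYN_RECV) and LOCAL_PORT (e.g. 80) are optional
# exact-match filters; an empty string means no filter.  The remote port is
# removed by deleting everything after the LAST colon, so IPv6 peers survive
# intact where `cut -d: -f1` would cut them off after the first group.
conn_per_ip() {
    awk -v want_state="${1:-}" -v want_port="${2:-}" '
        $1 !~ /^(tcp|udp)6?$/                { next }   # drop the two header lines
        want_state != "" && $6 != want_state { next }   # exact state match
        {
            lport = $4; sub(/.*:/, "", lport)           # local port: text after last colon
            if (want_port != "" && lport != want_port) next
            peer = $5; sub(/:[^:]*$/, "", peer)         # peer IP: strip the ":port" suffix
            n[peer]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# syn_recv_total: number of half-open connections (the SYN_REC check above).
syn_recv_total() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $6 == "SYN_RECV" { c++ } END { print c + 0 }'
}

# flag_sources THRESHOLD [STATE] [LOCAL_PORT]
# Prints the peer IPs whose connection count reaches THRESHOLD; a single IP
# far above the rest is the single-source flood pattern described above.
flag_sources() {
    conn_per_ip "${2:-}" "${3:-}" | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone demo on the sample; on a live host pipe `netstat -ntu` in instead.
printf '%s\n' "$SAMPLE_NETSTAT" | conn_per_ip
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_total
printf '%s\n' "$SAMPLE_NETSTAT" | flag_sources 3
```

On the sample, conn_per_ip puts 203.0.113.7 first with 3 connections, syn_recv_total reports 2, and flag_sources 3 names only 203.0.113.7. With ss -ntu instead of netstat the state is in column 2 and the peer address in column 6, so the $6 and $5 references need to be swapped accordingly.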

The following iptables rules are often added alongside these checks. They drop TCP packets carrying the illegal flag combinations SYN+FIN and SYN+RST, which legitimate clients never send and which are typical of port scanners and malformed-packet attacks:

#iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

Note that these rules do not limit the number of connections per source and do not stop a plain SYN flood, whose packets carry a valid lone SYN flag. Per-source connection limiting (for example the iptables connlimit match) and the kernel's SYN cookies (net.ipv4.tcp_syncookies) are the controls for that case.
