How to find malicious IPs?
Posted by alfish on Server Fault
Published on 2012-03-15T20:23:55Z
Cacti shows irregular and pretty steady high bandwidth to my server (40x the normal), so I guess the server is under some sort of DDoS attack. The incoming bandwidth has not paralyzed my server, but of course it is consuming the bandwidth and affects performance, so I am keen to figure out the possible culprit IPs, add them to my deny list or otherwise counter them. When I run:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
I get a long list of IPs with up to 400 connections each. I checked the most numerous occurring IPs, but they come from my CDN. So I am wondering what is the best way to help monitor the requests that each IP makes in order to pinpoint the malicious ones. I am using Ubuntu server.
Thanks
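The one-liner in the question counts connections per remote address but has two practical gaps for this use: `cut -d: -f1` truncates IPv6 and IPv4-mapped addresses (`::ffff:a.b.c.d`), and there is no way to leave out the CDN ranges that legitimately dominate the list. The script below is an added example, not code from the post or from Server Fault: it parses `netstat -ntu` output, drops any remote IP inside an allowlist of CIDR ranges (the `198.51.100.0/24` CDN range and the sample netstat rows are constructed for illustration), and reports the remaining IPs at or above a connection threshold so you can review them before deciding on a block.

```python
"""Count connections per remote IP from `netstat -ntu` output, skip
addresses inside known-good CIDR ranges (e.g. your CDN), and report the
ones at or above a threshold. Added example; not from the original post."""
import ipaddress
import subprocess
from collections import Counter

# Constructed sample of `netstat -ntu` output (documentation addresses,
# not real traffic). Note the IPv4-mapped IPv6 rows on tcp6.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.20:40001     ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.20:40002     TIME_WAIT
tcp6       0      0 ::ffff:10.0.0.5:443     ::ffff:192.0.2.9:6000   ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:443     ::ffff:192.0.2.9:6001   ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.200:5353        ESTABLISHED
"""

# Hypothetical allowlist: the ranges your CDN uses to fetch from the origin.
# Replace with the ranges your CDN publishes.
CDN_RANGES = ["198.51.100.0/24"]


def parse_remote_ips(netstat_output):
    """Yield the remote IP of every connection row in `netstat -ntu` output.
    Splits on the last ':' so IPv6 / IPv4-mapped addresses are not truncated
    (the `cut -d: -f1` trick breaks on them)."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner and header lines
        host, _, _port = fields[4].rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # unexpected token, e.g. a '*' wildcard
        # Normalise ::ffff:a.b.c.d to plain IPv4 so it matches IPv4 CIDRs.
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        yield ip


def count_connections(netstat_output, allow_cidrs=(), threshold=1):
    """Return {ip_str: count} for remote IPs with >= threshold connections,
    excluding any IP that falls inside one of allow_cidrs."""
    nets = [ipaddress.ip_network(c) for c in allow_cidrs]
    counts = Counter()
    for ip in parse_remote_ips(netstat_output):
        if any(ip in n for n in nets):
            continue  # known-good source such as the CDN
        counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def live_counts(allow_cidrs=CDN_RANGES, threshold=100):
    """Run the real netstat (needs the net-tools package) and apply the
    same filter to the live connection table."""
    out = subprocess.run(["netstat", "-ntu"], capture_output=True,
                         text=True, check=True).stdout
    return count_connections(out, allow_cidrs, threshold)


if __name__ == "__main__":
    flagged = count_connections(SAMPLE_NETSTAT, CDN_RANGES, threshold=2)
    for ip, n in sorted(flagged.items(), key=lambda kv: -kv[1]):
        print(f"{n:5d} {ip}")
```

Run it as-is to see the constructed sample filtered (the CDN range disappears, the two busiest remaining sources stay), then call `live_counts()` on the server to work from the real table. Connection counts alone are a coarse signal: an IP with many short-lived connections may be a proxy or NAT gateway for many users, so cross-check the flagged addresses against the web server access log (request rate, paths, user agents) before adding them to a deny list. On newer Ubuntu releases `netstat` is not installed by default; `ss -ntu` from iproute2 gives the same information, but its column layout differs, so `parse_remote_ips` would need its field index adjusted.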
© Server Fault or respective owner