Detect which IPs are attacking with netstat

intellivision

6:48 pm on Apr 30, 2009 (gmt 0)

My host tells me my virtual private server (CentOS w/ Plesk) is slowing because it's getting hammered by DOS-style attacks. He told me to use netstat to find the IP addresses that are overloading the server with requests, then block them in the firewall.

The firewall works, but I don't know how to find out which IPs to block.

Here's a small example, in which the IPs have been changed:

[root ~]# netstat | grep tcp
tcp 0 0 mydomain.com:http pool-1.1.1.1.ph:55479 TIME_WAIT
tcp 0 0 mydomain.com:http pool-1.1.1.1.ph:55478 TIME_WAIT
tcp 0 0 mydomain.com:http pool-1.1.1.1.ph:55477 TIME_WAIT
tcp 0 0 mydomain.com:http pool-1.1.1.1.ph:55487 TIME_WAIT
tcp 0 0 mydomain.com:http pool-1.1.1.1.ph:55486 TIME_WAIT
tcp 0 0 mydomain.com:http pool-1.1.1.1.ph:55485 TIME_WAIT
tcp 0 0 mydomain.com:http pool-1.1.1.1.ph:55485 TIME_WAIT
tcp 0 0 mydomain.com:http pool-1.1.1.1.ph:55484 TIME_WAIT
tcp 0 0 mydomain.com:http pool-1.1.1.1.ph:55483 TIME_WAIT
tcp 0 0 mydomain.com:http pool-1.1.1.1.ph:55482 TIME_WAIT
tcp 0 0 mydomain.com:http pool-1.1.1.1.ph:55481 TIME_WAIT
tcp 0 0 mydomain.com:http pool-1.1.1.1.ph:55480 TIME_WAIT
tcp 0 0 mydomain.com:http 1.1.1.2:4276 TIME_WAIT
tcp 0 0 mydomain.com:http 1.1.in-addr.arpa:1493 TIME_WAIT
tcp 0 0 mydomain.com:http 1.1.in-addr.arpa:1495 TIME_WAIT

Should I block requests from 1.1.1.1? Is that the bad guy? Should I look for patterns like that?

LifeinAsia

6:56 pm on Apr 30, 2009 (gmt 0)

Try netstat -n to get the IP addresses.

lammert

8:31 am on May 1, 2009 (gmt 0)

Don't block all IPs you see in netstat. If you block your own, you won't be able to access your server again. Furthermore some browsers and legitimate proxies access your site with 10 or more concurrent connections, which may look suspicious but in reality isn't. Blocking these IPs may block legitimate visitors.

You should repeatedly call netstat -n and look for patterns. Often DOS attacks don't complete the synchronization phase and let the connection stay in a state called SYNC_WAIT. The goal is to fill your TCP connections buffer, which will make new connections impossible. If you see more than one connection from a specific IP that stays in this state, it is probably an attacker.

You should still be careful, because SYNC_WAIT is a legitimate state for all TCP connections which lasts for a period of about 100 msec before the real connection is established, so you may see once in a while normal connections in this state.
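The "call netstat -n repeatedly and look for patterns" step above, as an added example that is not from any poster in this thread: it aggregates `netstat -n` output by remote address and TCP state, so a few peers holding many half-open connections stand out from the normal TIME_WAIT noise. It assumes a Linux box, where netstat prints the half-open server-side state as SYN_RECV, and the sample output and the threshold of 3 are constructed for illustration; the result is a list of candidates to look at, not an automatic block list.

```shell
#!/bin/sh
# Added example: summarise `netstat -n` output by remote IP and TCP state.

# Read netstat -n output on stdin; print "count state remote_ip", most frequent first.
count_by_peer() {
    awk '$1 ~ /^tcp/ {
            peer = $5
            sub(/:[^:]*$/, "", peer)   # strip the port, keep the IPv4 or IPv6 address
            print $6, peer
         }' | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# Print only remote IPs with at least $2 connections in state $1 (e.g. SYN_RECV 3).
flag_peers() {
    state=$1
    threshold=$2
    count_by_peer | awk -v s="$state" -v t="$threshold" '$2 == s && $1 >= t { print $3 }'
}

# Constructed sample standing in for `netstat -n` during an incident (not real data).
SAMPLE='tcp        0      0 10.0.0.5:80      192.0.2.10:55479    TIME_WAIT
tcp        0      0 10.0.0.5:80      192.0.2.10:55480    TIME_WAIT
tcp        0      0 10.0.0.5:80      198.51.100.7:4276   SYN_RECV
tcp        0      0 10.0.0.5:80      198.51.100.7:4277   SYN_RECV
tcp        0      0 10.0.0.5:80      198.51.100.7:4278   SYN_RECV
tcp        0      0 10.0.0.5:80      203.0.113.9:1493    ESTABLISHED
tcp6       0      0 2001:db8::1:80   2001:db8::2:1495    TIME_WAIT'

# On the server itself this would be:  netstat -n | count_by_peer | head
printf '%s\n' "$SAMPLE" | count_by_peer
printf '%s\n' "$SAMPLE" | flag_peers SYN_RECV 3
```

Run it a few times a minute apart: an address that keeps the top spot in SYN_RECV or ESTABLISHED across runs is worth investigating, while a large TIME_WAIT count from one address is usually just a busy client closing connections normally.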

intellivision

7:13 pm on May 4, 2009 (gmt 0)

SYNC_WAIT == TIME_WAIT?

I haven't seen any SYNC_WAIT but many (many) TIME_WAITs.

But then again I haven't caught the attacks "live" since I posted this, so the netstat results haven't come -- I don't think -- at the right moments.

Guys, thanks.

eeek

12:30 am on May 5, 2009 (gmt 0)

SYNC_WAIT == TIME_WAIT?

TIME_WAIT is closed connections. You would normally see those and there can be quite a few.

intellivision

6:10 pm on May 5, 2009 (gmt 0)

Thanks eeek. I ran netstat just now (server is sluggish) and 559 of 582 connections are TIME_WAIT.