When my server is slow, I have been told to run this command and check whether someone is making SYN_RECV requests to slow down my server:
netstat -npt | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head | tee -a $REPORT_FILE
Example output:
Single attacking IP (DOS):
262 187.7.214.146
1 95.90.250.96
1 83.215.15.150
1 203.160.112.239
1 124.197.39.213
Multiple attacking IPs (DDOS):
316 187.7.214.146
94 187.7.214.96
44 187.7.214.150
90 203.160.112.239
22 203.160.112.222
I read somewhere that if the number of SYN_RECV requests from an IP is more than 4, then it is considered to be making a SYN flood attack (DOS). I have a few questions:
1) What is the exact number at which we can declare that an IP (DOS) or IPs (DDOS) are making the attack when using this netstat command? If an IP is connecting in SYN_RECV state, does that mean it is doing a SYN flood attack? Can it be a false flag?
2) Is SYN_RECV the only listening state that a DDOS attacker uses? What about the ESTABLISHED state? I'm confused because other articles said that if some foreign IPs are connected in ESTABLISHED state, then my server is being attacked. What kind of attack?
3) I ask this question because I want to make a simple bash script that can manually report whether an IP is an attacker, and I have been told to use the SYN_RECV state to evaluate the attacker. Is that the only state we can use? What is the minimum SYN_RECV value that can be considered safe (NOT a DOS ATTACKER)?
Hopefully my question is clear. Please ask me if something is not clear.
Thank you and I hope somebody could answer this nightmare.
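The per-IP counting that the question's one-liner does, written out as a POSIX shell script that can be tested offline. This is an added example, not code from the question or the answer; the netstat-style text in SAMPLE_NETSTAT is constructed, not a real capture, and the threshold of 4 is taken from the question, not from any standard. It also tallies ESTABLISHED connections per IP, so the SYN_RECV count can be read next to the IP's completed connections instead of in isolation.

```shell
#!/bin/sh
# Added example: count half-open (SYN_RECV) connections per remote IP from
# netstat-style output and flag IPs above a threshold. Everything below is
# self-contained; to use it for real, replace "$SAMPLE_NETSTAT" with
# "$(netstat -npt)" (or pipe in `ss -Htan`, whose columns differ).

# CONSTRUCTED sample of `netstat -npt` output. Column 5 is the foreign
# address, column 6 the state. SYN_RECV sockets show "-" for PID/Program
# because the kernel has not yet handed them to a process.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.7:40003      SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.7:40004      SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.7:40005      SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.9:51000       SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.9:51001       ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:22             192.0.2.44:60000        ESTABLISHED 987/sshd'

# count_state INPUT STATE
#   Prints "count ip" lines, highest count first, for sockets in STATE.
count_state() {
    printf '%s\n' "$1" |
      awk -v state="$2" '$1 == "tcp" && $6 == state { print $5 }' |
      sed 's/:[0-9]*$//' |          # drop the remote port (IPv4 "a.b.c.d:port")
      sort | uniq -c | sort -rn |
      awk '{ print $1, $2 }'        # normalise the leading spaces from uniq -c
}

# flag_syn_recv INPUT THRESHOLD
#   Prints the IPs whose SYN_RECV count is strictly greater than THRESHOLD.
flag_syn_recv() {
    count_state "$1" SYN_RECV | awk -v t="$2" '$1 > t { print $2 }'
}

THRESHOLD=4   # the figure quoted in the question; a baseline for your own host is better

echo "SYN_RECV per remote IP:"
count_state "$SAMPLE_NETSTAT" SYN_RECV
echo "ESTABLISHED per remote IP:"
count_state "$SAMPLE_NETSTAT" ESTABLISHED
echo "Over threshold $THRESHOLD:"
flag_syn_recv "$SAMPLE_NETSTAT" "$THRESHOLD"
```

On the constructed sample only 198.51.100.7 (five half-open sockets, no completed connection) crosses the threshold; 203.0.113.9 has one SYN_RECV next to one ESTABLISHED connection, which is what an ordinary client on a lossy link looks like mid-handshake. That contrast is the point: a single fixed number such as 4 cannot separate the two cases on every server, so compare counts against what the host normally shows when it is healthy.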
Denial of Service happens when an IP address (attacker) sends a high volume of SYN packets to your server; your server then responds to each packet and leaves the port open (ready to receive a response). Your server needs an ACK packet to close the response properly, but the ACK packet never arrives from the attacker; he continues to send more SYN packets, which open more new port connections for a certain length of time and end up filling all the available ports, which slows down your server. So an IP with SYN_RECV requests means he is sending bad packets to your server, so yes, it is a DOS attack, but with that number 4 it is considered a tiny DOS attack which might have no negative impact on a server with huge resources.
For this, actually there are many types of DOS or DDOS attacks; SYN_FLOOD is just the name of a popular SYN flood attack.
Doing manual DDOS mitigation is not good on a production server. You could use some other built-in automation solutions like Suricata or Cloudflare for this (see: SYN FLOOD DDOS ATTACK - CLOUD FLARE).