My server is under DDOS attacks and I want to block the IP that is doing it, what logs should I be looking for to determine the attacker's IP?
Take a look at the top IP addresses. If any stand out from the others, those would be the ones to firewall.
This will look at the currently active connections to see if there are any IPs connecting to port 80. You might need to alter the cut -c 45- as the IP address may not start at column 45. If someone was doing a UDP flood to your web server, this would pick it up as well.
On the off chance that neither of these shows any IPs that are excessively out of the norm, you would need to assume that you have a botnet attacking you and would need to look for particular patterns in the logs to see what they are doing. A common attack against WordPress sites is:
If you look through the access logs for your website, you might be able to do something like:
which would show you the most commonly hit URLs. You might find that they are hitting a particular script rather than loading the entire site.
would allow you to see common UserAgents. It is possible that they are using a single UserAgent in their attack.
The trick is to find something in common with the attack traffic that doesn't exist in your normal traffic and then filter that through iptables, mod_rewrite or upstream with your webhost. If you are getting hit with Slowloris, Apache 2.2.15 now has the reqtimeout module which allows you to configure some settings to better protect against Slowloris.
FYI - You should try to work with your ISP to see if they can block it upstream of you.
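The pattern-hunting the answer above describes (top IPs, most-hit URLs, most common User-Agents, then feed the outliers to iptables) as an added, runnable example that is not part of the original answer. The access-log lines, the hostile address 203.0.113.7, the "FloodBot" User-Agent and the threshold of 5 hits are all constructed for the demo; point sample_log at your real combined-format access log to use it for real. The rules are printed rather than executed, so you can review them before running them as root.

```shell
#!/bin/sh
# Added example: find what the attack traffic has in common in an
# Apache/nginx combined-format access log and turn the outliers into
# iptables rules. Sample data below is constructed; 203.0.113.7 and
# "FloodBot" are made-up values for the demo.

sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; FloodBot/1.0)"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; FloodBot/1.0)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; FloodBot/1.0)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; FloodBot/1.0)"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; FloodBot/1.0)"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; FloodBot/1.0)"
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
198.51.100.4 - - [10/Oct/2023:13:55:41 +0000] "GET /style.css HTTP/1.1" 200 812 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
192.0.2.9 - - [10/Oct/2023:13:55:42 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
EOF
}

# Rank one field of the log: "ip", "url" or "agent". Splitting on the
# double quote is more robust than counting columns, because the request
# line and User-Agent contain spaces.
top_field() {
  field="$1"
  sample_log | awk -F'"' -v f="$field" '
    f == "ip"    { split($1, a, " "); print a[1]; next }
    f == "url"   { split($2, r, " "); print r[2]; next }
    f == "agent" { print $6 }
  ' | sort | uniq -c | sort -rn
}

# IPs with at least $1 requests in the log (default 5).
flood_ips() {
  min="${1:-5}"
  sample_log | awk -v min="$min" '{ n[$1]++ } END { for (ip in n) if (n[ip] >= min) print ip }' | sort
}

# Emit (do not run) one DROP rule per flooding IP, limited to port 80 so a
# mistake does not lock you out of SSH.
iptables_rules() {
  flood_ips "$@" | while read -r ip; do
    printf 'iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n' "$ip"
  done
}

# Demo: the three rankings, then the rules for anything over the threshold.
for f in ip url agent; do
  echo "== top $f =="
  top_field "$f" | head -n 3
done
echo "== iptables rules for IPs with >= 5 hits =="
iptables_rules 5
```

With the sample data the same address tops all three rankings, which is the easy case; on a botnet the IP ranking is flat and it is the URL or User-Agent ranking that gives you something to filter on.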
Some good tips here. I'd also add this:
Put this under an alias (nn, for instance). This will give you a "graphical" perspective of the IPs with more established connections.
Hope this helps.
For those who couldn't get this to work I have fixed the syntax so it runs for me under Ubuntu:
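An added example of the "graphical" per-IP connection view the two posts above describe; it is not the original poster's alias, whose exact command is not reproduced here. It reads netstat -ntu style output on stdin, counts remote addresses in one connection state, and draws one bar per address so the outlier is visible at a glance. The netstat output below is constructed for the demo (the addresses are documentation ranges), and the parser assumes IPv4 addresses in the Foreign Address column.

```shell
#!/bin/sh
# Added example: per-remote-IP connection counts as text bars, in the
# spirit of the "nn" alias above. Sample netstat output is constructed.

sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.4:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.9:55000         ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51238       TIME_WAIT
EOF
}

# Count foreign IPs in one state (default ESTABLISHED) from netstat -ntu
# output on stdin. The :port suffix is stripped; header lines are skipped
# because they do not start with tcp/udp. IPv4 only (assumption).
conn_counts() {
  state="${1:-ESTABLISHED}"
  awk -v st="$state" '
    $1 ~ /^(tcp|udp)/ && $6 == st { sub(/:[0-9]+$/, "", $5); n[$5]++ }
    END { for (ip in n) printf "%d %s\n", n[ip], ip }
  ' | sort -rn
}

# Render the counts as "ip count ####" so a flooding host stands out.
conn_bars() {
  conn_counts "$@" | awk '{
    bar = ""
    for (i = 0; i < $1; i++) bar = bar "#"
    printf "%-16s %3d %s\n", $2, $1, bar
  }'
}

# Demo on the constructed data. On a live host use:
#   netstat -ntu | conn_bars            (established connections)
#   netstat -ntu | conn_bars SYN_RECV   (half-open connections, SYN flood hint)
echo "== established connections per remote IP =="
sample_netstat | conn_bars
echo "== half-open (SYN_RECV) =="
sample_netstat | conn_bars SYN_RECV
```

Checking SYN_RECV separately matters because a SYN flood never reaches ESTABLISHED and would be invisible in the default view.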
My favorite log files to check for DOS attacks are /var/log/secure (under RedHat/CentOS/Fedora...) and /var/log/auth.log (under Ubuntu, Debian...). You will see failed login attempts made from the attacker's source IP, most of the time dictionary-based attacks.
Which distro?
I think the log is under /var/log/apache2/access.log with Ubuntu... Possibly Debian as well.
Run updatedb with sudo, then locate access.log from the command line.
EDIT: I believe, though, this will only happen if they are hitting you either by requesting pages or directly through port 80. If they are hitting other ports you won't see the info you need there; you will need to check which process is running on that port and have a look at the connection logs for that process.
If you're under a distributed DOS there is certainly far more than one IP to block and IPs may be forged; you're better off asking your ISP, as mfinni said. Also, this may be more than a DOS against your server but a decoy to hide the real attack from being detected, so check that all your exposed services are run by up-to-date software. You may also be interested in mod_dosevasive for Apache.
You could use tcpdump to see which address it is: tcpdump -vv port X, if you suspect a particular port.
In order to protect my server I use Fail2Ban, a simple script:
http://www.fail2ban.org/wiki/index.php/Main_Page
First you have to determine the type of DOS. Some attacks are very stealthy but effective (Slowloris); some of them are so heavy that they could bring an ISP down (an ICMP flood from a source with higher bandwidth than your ISP).
After you determine the type of the DOS, call your ISP and ask them if they can filter out the traffic.
I've seen ICMP floods so heavy that we had to ask the upstream ISP to filter out the destination IP via a BGP community.