Answer:A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.

You can always use netstat command to get list of connections under Windows. Open command prompt by visiting Start > Run > Type “cmd” in box.

netstat is a command line utility which displays protocol statistics and current TCP/IP network connections in a system. Type the following command to see all connections:
netstat -noa
Where,

1. n: Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
2. o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager.
3. a: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.

You can use find command as filter to searches for a specific string of text in a file. In the following example you are filtering out port 80 traffic:
netstat -ano | find /c "80"
Find the IP address which is having maximum number of connection and block it using Cisco firewall or IPSec. Another protective measurement is to harden the TCP/IP stack.

Incoming search terms:

• ddos programing (1)
• detecting dos on web server (1)
• netstat cmd udp tcp ip (1)

A quick and usefull command for checking if a server is under ddos is:

netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

That will list the IPs taking the most amount of connections to a server. It is important to remember that the ddos is becoming more sophistcated and they are using fewer connections with more attacking ips. If this is the case you will still get low number of connections even while you are under a DDOS.

Incoming search terms:

• check network connections ddos linux (1)
• find open network conections centos cpanel (1)
• how to check number of system in network (1)
• how to grep which subdomain was ddosed (1)
• network ddos linux (1)

netstat -n --tcp --udp --numeric-hosts | \
grep -v 127.0.0.1 | \
awk '{if (/(tcp|udp)/) { print $5 }}' | \
sed 's/:.*//' | \
sort | \
uniq -c | \
sort -n | \
awk '{if ($1 > 25) {print "Count: "$1"\t"$2; }}'

and here is an example output:

Count: 26       92.80.103.61
Count: 27       77.246.104.149
Count: 35       88.232.169.103
Count: 44       88.226.7.150

If we want to list only the ip addresses, not the counter, change the last line as below:

awk '{if ($1 > 25) {print $2; }}'

Incoming search terms:

• after scanning/curing composite object is clean (2)
• count tcp connections centos (1)
• linux find tcp connections (1)

This howto is meant
as a practical guide; it does not cover the theoretical backgrounds. They are
treated in a lot of other documents in the web.

This document comes
without warranty of any kind!

1 Get the Sources

We need the following
software: openssl, cyrus-sasl2, and sendmail. We will install the software from
the /tmp directory.

cd /tmp

wget http://www.openssl.org/source/openssl-0.9.7c.tar.gz

wget –passive-ftp ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.17.tar.gz

wget –passive-ftp
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.11.tar.gz

2 Install Openssl

tar xvfz openssl-0.9.7c.tar.gz

cd openssl-0.9.7c

./config

make

make install

ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

3 Install Cyrus-sasl2

cd /tmp

tar
xvfz cyrus-sasl-2.1.17.tar.gz

cd cyrus-sasl-2.1.17

./configure –enable-anon –enable-plain –enable-login –disable-krb4 –with-saslauthd=/var/run/saslauthd
–with-pam –with-openssl=/usr/local/ssl –with-plugindir=/usr/local/lib/sasl2
–enable-cram –enable-digest –enable-otp (1
line!)

make

make install

If /usr/lib/sasl2
exists:

mv /usr/lib/sasl2 /usr/lib/sasl2_orig

echo “pwcheck_method:
saslauthd” > /usr/local/lib/sasl2/Sendmail.conf

echo “mech_list: login plain” >> /usr/local/lib/sasl2/Sendmail.conf

mkdir -p /var/run/saslauthd

4 Create Certificates
for TLS

mkdir -p /etc/mail/certs

cd /etc/mail/certs

openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 365

<- Enter your
password for smtpd.key.

<- Enter your Country Name (e.g., “DE”).

<- Enter your State or Province Name.

<- Enter your City.

<- Enter your Organization Name (e.g., the name of your company).

<- Enter your Organizational Unit Name (e.g. “IT Department”).

<- Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).

<- Enter your Email Address.

openssl req -nodes -new
-x509 -keyout sendmail.pem -out sendmail.pem -days 365

<- Again, enter
your password for smtpd.key.

<- Enter your Country Name (e.g., “DE”).

<- Enter your State or Province Name.

<- Enter your City.

<- Enter your Organization Name (e.g., the name of your company).

<- Enter your Organizational Unit Name (e.g. “IT Department”).

<- Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).

<- Enter your Email Address.

openssl x509 -noout -text
-in sendmail.pem

chmod 600 ./sendmail.pem

5 Install Sendmail

cd /tmp

tar xvfz sendmail.8.12.11.tar.gz

cd sendmail-8.12.11/devtools/Site/

Create the
file site.config.m4
(in
devtools/Site/):

# SASL2 (smtp authentication)
APPENDDEF(`confENVDEF’, `-DSASL=2′)
APPENDDEF(`conf_sendmail_LIBS’, `-lsasl2′)
#
# STARTTLS (smtp + tls/ssl)
APPENDDEF(`conf_sendmail_ENVDEF’, `-DSTARTTLS’)
APPENDDEF(`conf_sendmail_ENVDEF’, `-D_FFR_SMTP_SSL’)
APPENDDEF(`conf_sendmail_LIBS’, `-lssl -lcrypto -L/usr/local/ssl/lib’)

mkdir -p /usr/man

mkdir -p /usr/man/man1

mkdir -p /usr/man/man8

cp -pfr /usr/local/lib/sasl2 /usr/lib/sasl2

echo /usr/lib/sasl2 >> /etc/ld.so.conf

ldconfig

ln -s /usr/local/ssl/include/openssl /usr/include/openssl

Now we can compile
sendmail:

cd /tmp/sendmail-8.12.11/

useradd smmsp

groupadd smmsp

sh Build -c

sh Build install

Let’s create our
sendmail.cf:

cd cf/cf/

Create the file
sendmail.mc with the
following contents:

### do SMTPAUTH
define(`confAUTH_MECHANISMS’, `LOGIN PLAIN DIGEST-MD5 CRAM-MD5′) ;
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5′) ;

### do STARTTLS
define(`confCACERT_PATH’, `/etc/mail/certs’) ;
define(`confCACERT’, `/etc/mail/certs/cacert.pem’) ;
define(`confSERVER_CERT’, `/etc/mail/certs/sendmail.pem’) ;
define(`confSERVER_KEY’, `/etc/mail/certs/sendmail.pem’) ;
define(`confCLIENT_CERT’, `/etc/mail/certs/sendmail.pem’) ;
define(`confCLIENT_KEY’, `/etc/mail/certs/sendmail.pem’) ;
DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s’) ;

###
define(`confDEF_CHAR_SET’, `iso-8859-1′) ;
define(`confMAX_MESSAGE_SIZE’, `15000000′) ; Denial of Service Attacks
define(`confMAX_DAEMON_CHILDREN’, `30′) ; Denial of Service Attacks
define(`confCONNECTION_RATE_THROTTLE’, `2′) ; Denial of Service Attacks
define(`confMAXRCPTSPERMESSAGE’, `50′) ; Denial of service Attacks
define(`confSINGLE_LINE_FROM_HEADER’, `True’) ;
define(`confSMTP_LOGIN_MSG’, `$j’) ;
define(`confDONT_PROBE_INTERFACES’, `True’) ;
define(`confTO_INITIAL’, `6m’) ;
define(`confTO_CONNECT’, `20s’) ;
define(`confTO_HELO’, `5m’) ;
define(`confTO_HOSTSTATUS’, `2m’) ;
define(`confTO_DATAINIT’, `6m’) ;
define(`confTO_DATABLOCK’, `35m’) ;
define(`confTO_DATAFINAL’, `35m’) ;
define(`confDIAL_DELAY’, `20s’) ;
define(`confNO_RCPT_ACTION’, `add-apparently-to’) ;
define(`confALIAS_WAIT’, `0′) ;
define(`confMAX_HOP’, `35′) ;
define(`confQUEUE_LA’, `5′) ;
define(`confREFUSE_LA’, `12′) ;
define(`confSEPARATE_PROC’, `False’) ;
define(`confCON_EXPENSIVE’, `true’) ;
define(`confWORK_RECIPIENT_FACTOR’, `1000′) ;
define(`confWORK_TIME_FACTOR’, `3000′) ;
define(`confQUEUE_SORT_ORDER’, `Time’) ;
define(`confPRIVACY_FLAGS’, `authwarnings,goaway,restrictmailq,restrictqrun,needmailhelo’) ;
OSTYPE(linux) ;
FEATURE(`delay_checks’) ;
FEATURE(`generics_entire_domain’) ;
FEATURE(`local_procmail’) ;
FEATURE(`masquerade_envelope’) ;
FEATURE(`nouucp’,`reject’) ;
FEATURE(`redirect’) ;
FEATURE(`relay_entire_domain’) ;
FEATURE(`use_cw_file’)dnl
FEATURE(`virtuser_entire_domain’)dnl

FEATURE(dnsbl,`blackholes.mail-abuse.org’,
` Mail from $&{client_addr} rejected; see http://mail-abuse.org/cgi-bin/lookup?$& {client_addr}’) ;
FEATURE(dnsbl,`dialups.mail-abuse.org’,
` Mail from dial-up rejected; see http://mail-abuse.org/dul/enduser.htm’) ;

FEATURE(`virtusertable’,`hash -o /etc/mail/virtusertable’) ;
FEATURE(access_db) ;
FEATURE(lookupdotdomain) ;
FEATURE(`blacklist_recipients’) ;
FEATURE(`no_default_msa’) ;
DAEMON_OPTIONS(`Port=smtp, Name=MTA’) ;
MAILER(local) ;
MAILER(smtp) ;
MAILER(procmail) ;

In order to create
/etc/mail/sendmail.cf
run the following commands:

sh Build sendmail.cf

cp sendmail.cf /etc/mail/sendmail.cf

Finally we have
to create some files:

cd /etc/mail/

touch /etc/mail/local-host-names

touch /etc/mail/virtusertable

/usr/sbin/makemap hash virtusertable < virtusertable

mkdir -p /var/spool/mqueue

chmod 700 /var/spool/mqueue

chown root:root /var/spool/mqueue

chown root:root /etc/mail/sendmail.cf

chmod 444 /etc/mail/sendmail.cf

chown root:root /etc/mail/submit.cf

chmod 444 /etc/mail/submit.cf

touch /etc/mail/aliases

newaliases

touch /etc/mail/access

/usr/sbin/makemap hash access < access

We need an init
script for sendmail (this should be copied to /etc/init.d/sendmail):

#! /bin/sh

case “$1″ in
start)
echo “Initializing SMTP port. (sendmail)”
/usr/sbin/sendmail -bd -q1h
;;
stop)
echo “Shutting down SMTP port:”
killall /usr/sbin/sendmail
;;
restart|reload)
$0 stop && $0 start
;;
*)
echo “Usage: $0 {start|stop|restart|reload}”
exit 1
esac
exit 0

chmod 755 /etc/init.d/sendmail

In order to start
sendmail at boot time
do the following:

ln -s /etc/init.d/sendmail
/etc/rc2.d/S20sendmail

ln -s /etc/init.d/sendmail /etc/rc3.d/S20sendmail

ln -s /etc/init.d/sendmail /etc/rc4.d/S20sendmail

ln -s /etc/init.d/sendmail /etc/rc5.d/S20sendmail

ln -s /etc/init.d/sendmail /etc/rc0.d/K20sendmail

ln -s /etc/init.d/sendmail /etc/rc1.d/K20sendmail

ln -s /etc/init.d/sendmail /etc/rc6.d/K20sendmail

6 Configure
Saslauthd

Create /etc/init.d/saslauthd:

#!/bin/sh -e

NAME=saslauthd
DAEMON=”/usr/sbin/${NAME}”
DESC=”SASL Authentication Daemon”
DEFAULTS=/etc/default/saslauthd

test -f “${DAEMON}” || exit 0

# Source defaults file; edit that file to configure this script.
if [ -e "${DEFAULTS}" ]; then
. “${DEFAULTS}”
fi

# If we’re not to start the daemon, simply exit
if [ "${START}" != "yes" ]; then
exit 0
fi

# If we have no mechanisms defined
if [ "x${MECHANISMS}" = "x" ]; then
echo “You need to configure ${DEFAULTS} with mechanisms to be used”
exit 0
fi

# Add our mechanimsms with the necessary flag
for i in ${MECHANISMS}; do
PARAMS=”${PARAMS} -a ${i}”
done

# Consider our options
case “${1}” in
start)
echo -n “Starting ${DESC}: ”
ln -fs /var/spool/postfix/var/run/${NAME} /var/run/${NAME}
${DAEMON} ${PARAMS}
echo “${NAME}.”
;;
stop)
echo -n “Stopping ${DESC}: ”
PROCS=`ps aux | grep -iw ‘/usr/sbin/saslauthd’ | grep -v ‘grep’ |awk ‘{print $2}’ | tr ‘\n’ ‘ ‘`
if [ "x${PROCS}" != "x" ]; then
kill -15 ${PROCS} &> /dev/null
fi
echo “${NAME}.”
;;
restart|force-reload)
$0 stop
sleep 1
$0 start
echo “${NAME}.”
;;
*)
echo “Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}” >&2
exit 1
;;
esac

exit 0

chmod 755 /etc/init.d/saslauthd

In order to start
saslauthd at boot time
do the following:

ln -s /etc/init.d/saslauthd
/etc/rc2.d/S20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc3.d/S20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc4.d/S20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc5.d/S20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc0.d/K20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc1.d/K20saslauthd

ln -s /etc/init.d/saslauthd /etc/rc6.d/K20saslauthd

Then create /etc/default/saslauthd:

# This needs to be uncommented before saslauthd will be run automatically
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to “pam” for PAM support, but may also include
# “shadow” or “sasldb”
MECHANISMS=shadow

If you find out
that saslauthd is located
in /usr/local/sbin instead
of /usr/sbin create a
symbolic link:

ln -s /usr/local/sbin/saslauthd
/usr/sbin/saslauthd

Then start saslauthd
and sendmail:

/etc/init.d/saslauthd start

/etc/init.d/sendmail start

7 Test your
Configuration

To verify that
your sendmail was compiled with the right options type

/usr/sbin/sendmail -d0.1
-bv root

You should see
that sendmail was compiled with SASLv2
and STARTTLS:

To see if SMTP-AUTH
and TLS work properly now run the following command:

telnet
localhost 25

After you have
established the connection to your sendmail mail server type

ehlo
localhost

If you see the
lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the
system’s shell.

Links

Sendmail MTA: http://www.sendmail.org/

OpenSSL: http://www.openssl.org/

Cyrus-SASL: http://asg.web.cmu.edu/sasl/

Incoming search terms:

• mod_qos centos (10)
• cpanel mod_qos (6)
• mod_qos cpanel (4)
• mod_qos directadmin (4)
• install mod_qos in centos (2)
• install mod_qos debian (2)
• wget slowloris (2)
• how to defend slowloris ddos with mod_qos (2)
• plesk mod_qos (2)
• mod_qos windows (1)

Incoming search terms:

• centos ddos (3)
• ddos centos (2)
• apache detect ddos (1)
• locate ddos file in linux (1)
• linux find * -name (1)
• how to detect ddos linux no shell (1)
• find_ddos windows (1)
• ddos script windows (1)
• ddos script linux (1)
• check for ddos centos (1)