DDoS Tools & Shell Commands

When a server is under attack you will need to identify the attacking IP’s and block them using your firewall and other tools such as mod_security.

(note: for linux)

Netstat is your best friend:

show ip connections to port 80 apache:
netstat -n|grep :80|cut -c 45-|cut -f 1 -d ':'|sort|uniq -c|sort -nr|more

Update :80 to whatever port you need – e.g. 443 for ssh, 25 for smtp etc…

Bulk IP Address Geo Location Lookup:


List all Processes:

ps auxwwwf

Pipe to grep for specific details:

ps auxwwwf | grep public_html
ps auxwwwf | grep ssh
ps auxwwwf | grep ftp


View all TCP processes:

tcpdump | grep http
tcpdump | grep smtp
tcpdump | grep imap


Watch output of command in real time:

watch -n 1 'netstat -ano | grep SYN_RECV'

Creating Quick Country CIDR Blocklists:

NOTE: having a large range in your firewall will slow all connections down – but better slow than locked up…