scriptz-team

[SERVER] Detecting DNS Amplification DDoS Attack

Sep 11th, 2013
|s C R i P T z - T E A M . i N F O|----------------------------

- iNfO -

[SERVER] Detecting DNS Amplification DDoS Attack

- NOtIcE -

Log in to the server console and type:

To detect:
tcpdump -n udp dst port 53 | grep ANY > ddos.log
awk '{print $3}' ddos.log | cut -d: -f 1 | cut -d. -f -4 | sort | uniq -c | sort -nk 1

Or detect v2:
tcpdump -n udp dst port 53 > ddos.log
awk '{print $3}' ddos.log | cut -d: -f 1 | cut -d. -f -4 | sort | uniq -c | sort -nk 1

CMD for src+dst packets:
tcpdump -n udp port 53

CMD for source packets:
tcpdump -n udp src port 53

CMD for destination packets:
tcpdump -n udp dst port 53

Clean output with IPs:
tcpdump -nS -p udp

If you see weird traffic there, your server is being used as part of a bigger DDoS.
Or you may be the one getting DDoSed.
---------------------------------------------------
tcpdump => command that lets us see incoming/outgoing packets
udp => user datagram protocol
dst => destination
src => source
port 53 => show only traffic on port 53
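
The counting step from the "To detect" commands above as one function, added here as an example and not part of the original paste: it keeps only ANY queries, strips the source port so that IPv6 sources are counted too (which goes beyond the IPv4-only cut in the paste), and lists sources at or above a threshold. The names any_sources and sample_capture and the sample lines are constructed for illustration; default tcpdump timestamps are assumed.

```shell
#!/bin/sh
# Added example: count DNS ANY queries per source from `tcpdump -n` text output.
# Assumes default tcpdump timestamps: field 2 is IP/IP6, field 3 is source.port.
# Use on a saved capture:  any_sources 100 < ddos.log

# any_sources [THRESHOLD]: print "count address" for every source with at
# least THRESHOLD ANY queries (default 1), busiest first.
any_sources() {
    awk -v min="${1:-1}" '
        ($2 == "IP" || $2 == "IP6") && / ANY[?] / {
            src = $3
            sub(/\.[0-9]+$/, "", src)   # strip trailing ".port" (IPv4 and IPv6)
            n[src]++
        }
        END { for (s in n) if (n[s] >= min) print n[s], s }
    ' | sort -rn
}

# Constructed sample lines (documentation address ranges), not real traffic.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 198.51.100.7.41234 > 192.0.2.53.53: 1001+ [1au] ANY? example.com. (40)
12:00:01.000102 IP 198.51.100.7.41235 > 192.0.2.53.53: 1002+ [1au] ANY? example.com. (40)
12:00:01.000203 IP 198.51.100.7.50011 > 192.0.2.53.53: 1003+ [1au] ANY? example.com. (40)
12:00:01.000304 IP 198.51.100.7.50012 > 192.0.2.53.53: 1004+ [1au] ANY? example.com. (40)
12:00:01.000405 IP6 2001:db8::1.5353 > 2001:db8::53.53: 2001+ ANY? example.com. (29)
12:00:01.000506 IP6 2001:db8::1.5354 > 2001:db8::53.53: 2002+ ANY? example.com. (29)
12:00:01.000607 IP6 2001:db8::1.5355 > 2001:db8::53.53: 2003+ ANY? example.com. (29)
12:00:01.000708 IP 203.0.113.9.33001 > 192.0.2.53.53: 3001+ ANY? example.com. (29)
12:00:01.000809 IP 203.0.113.9.33002 > 192.0.2.53.53: 3002+ A? www.example.com. (33)
EOF
}

# Sources with three or more ANY queries in the sample.
sample_capture | any_sources 3
```
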