{"id":1665,"date":"2025-05-31T21:55:19","date_gmt":"2025-05-31T19:55:19","guid":{"rendered":"https:\/\/www.shukko.com\/x3\/?p=1665"},"modified":"2025-05-31T21:55:19","modified_gmt":"2025-05-31T19:55:19","slug":"ddos-toplu-yazisi","status":"publish","type":"post","link":"https:\/\/www.shukko.com\/x3\/2025\/05\/31\/ddos-toplu-yazisi\/","title":{"rendered":"ddos toplu yazisi"},"content":{"rendered":"\n<p>plesk icin yazilmis ama olsun<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Determine the source IP addresses and numbers of the connections:\n\nss -tan state established | grep \":80\\|:443\" | awk '{print $4}'| cut -d':' -f1 | sort -n | uniq -c | sort -nr\n\nFind the domains which are currently under attack:\n\nfor log in \/var\/www\/vhosts\/system\/*\/logs\/*access*log; do echo -n \"$log \"; tail -n10000 \"$log\" | grep -c 203.0.113.2; done | sort -n -k2\n\nCheck the number of connections in SYN_RECV state (possible syn-flood):\n\nss -tan state syn-recv | wc -l\n\nIf there are several IP addresses in Plesk, determine the target IP address under attack:\n\nnetstat -lpan | grep SYN_RECV | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nk 1\n\nIt is possible that there are not many established connections to the web server, however, there might be a lot of requests that were successfully served by nginx and transferred to Apache and at this point, Apache is under attack. To track these requests do the following:\n\nNavigate to \/var\/www\/vhosts\/system:\n\ncd \/var\/www\/vhosts\/system\n\nGenerate a file requests to fetch the number of requests that were made in the last hour using the command below.\n\nNote: As an example, 24\/Jan\/2022:20 will be used. Here \":20\" is 8 p.m.\n\nfor i in *;do echo -n \"$i \"; grep '24\/Jan\/2022:20' $i\/logs\/access_ssl_log | awk '{print $1}' | wc -l;done > ~\/requests\n\nCheck the generated file:\n\ncat ~\/requests | sort -k 2 -r -n | head\nexample.com 24549\nexample.net 18545\ntest.com 3<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>plesk icin yazilmis ama olsun<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1665","post","type-post","status-publish","format-standard","hentry","category-kategerisiz"],"_links":{"self":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/1665","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/comments?post=1665"}],"version-history":[{"count":1,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/1665\/revisions"}],"predecessor-version":[{"id":1666,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/1665\/revisions\/1666"}],"wp:attachment":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/media?parent=1665"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/categories?post=1665"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/tags?post=1665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}