Check if your computer is subjected to a DDoS attack

June 29, 2006
DDoS, short for Distributed Denial of Service, is an attack in which multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more web servers. The usual symptom of a DDoS attack is a sudden sharp increase in processor activity, which you experience as your computer becoming sluggish.

If you are running Linux or any Unix variant, there is a simple method to find out if your computer is under a DDoS attack. This method uses a combination of tools such as netstat, grep, awk, uniq, cut and so on to filter out the unnecessary output and keep only the relevant parts. It tells you the IP address of each machine connecting to yours and the number of connections each of them has open to your computer.

$ netstat -an | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
In the output of the above command, the more connections you see for a single IP address, the greater the probability that this IP address is taking part in a DDoS attack. Please note that if you are browsing multiple web pages of the same site at the time you run this command, those connections will also show up in the output and should not be taken as a DDoS attack.
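The following is an added example, not part of the original post, that does the same per-peer count over netstat -an output using a constructed sample rather than a live host. It differs from the one-liner above in three ways a practitioner would want: it strips only the trailing :port so IPv6 peers are not mangled by cut -d: -f1, it drops the 0.0.0.0 and :: wildcard entries that listening sockets produce, and it counts half-open (SYN_RECV) connections per peer, which is the figure a SYN flood inflates. The threshold passed to flag_peers is an assumed tuning value, not something the post specifies.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output (not captured from a real machine).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8:1::2:60000     ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8:1::2:60001     ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Reads netstat -an lines on stdin and prints one line per remote peer:
#   "<total connections> <half-open connections> <address>", lowest total first.
count_peers() {
    awk '$1 ~ /^(tcp|udp)/ {
            addr = $5
            sub(/:[^:]*$/, "", addr)                      # strip only the trailing :port
            if (addr == "0.0.0.0" || addr == "::") next   # wildcard of a listening socket
            total[addr]++
            if ($6 == "SYN_RECV") halfopen[addr]++        # half-open: SYN seen, no ACK yet
        }
        END { for (a in total) print total[a], halfopen[a] + 0, a }' \
    | sort -n
}

# Prints the addresses whose total connection count reaches THRESHOLD.
# The threshold is an assumed value; tune it to the normal load of the host.
flag_peers() {
    threshold="$1"
    count_peers | awk -v t="$threshold" '$1 >= t { print $3 }'
}

# Demonstration on the constructed sample; on a real host replace the printf
# with `netstat -an | count_peers`.
printf '%s\n' "$SAMPLE_NETSTAT" | count_peers
```

A peer whose half-open count is close to its total is the pattern to look at first, since normal browsing completes its handshakes almost immediately.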

Usually a DDoS attack occurs on servers running web services and is targeted at bringing down the server. But it could happen to your personal machine too if it is infected by malware.

You can read a more detailed explanation of the above command at