  1. #1
    Linux Newbie postcd's Avatar
    Join Date
    Apr 2011
    Posts
    228

    High packets per second, how to determine app/cause


    Hello, a NodeWatch software I have on a Linux VPS host server notified me about a possible DDoS, saying: Nodewatch on MyHostname: Possible DoS VPS VMID (VPSIPHere): 168707 pps during 5 second interval

    Please, how can I monitor and determine the application which caused this high PPS (packets per second), so next time I know which app or IP caused it?

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    You could create a firewall rule to log packets above a certain number; then you would see what program is doing it.
    Or you could also create a rule to drop packets after they reach a limit; then the program that isn't working is it.

    Option one is the best but option 2 is faster.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Linux Newbie postcd's Avatar
    Join Date
    Apr 2011
    Posts
    228
    Thx, I'm a newbie. I know I have iptables, but I only know how to add/remove IP port from it. I looked for some iptables generators, but I'm unsure what these packet log rules should look like.
    Last edited by postcd; 10-10-2013 at 09:30 AM.

  4. #4
    Just Joined!
    Join Date
    Oct 2013
    Posts
    7
    Yup, like the esteemed Guru says "...a firewall rule".

    You are going to use some different features of netfilter-iptables (i.e., the limit module).
    Code:
    iptables -t filter -I INPUT "num_val" -i ppp0 -m limit --limit-burst 9999 -j LOG --log-ip-options --log-prefix 'dos'
    It should catch your source of traffic, but someone else could improve a rule for you.

    PS: depending on the distro, fwbuilder (a UI) is better suited for your needs...maybe, probably, idunno
    Last edited by ArtFewer; 10-13-2013 at 02:02 AM.
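
Added example, not part of any post in this thread: once a LOG rule like the one in post #4 is writing to the kernel log, a short script can rank the logged packets by source, protocol and destination port and show which second was busiest. It assumes traditional syslog timestamps and the `dos` prefix from that rule; the function names and sample lines are constructed for illustration. Because the limit match caps how many packets are logged, the counts are a sample, not the true packet rate.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel's netfilter LOG format (not from the
# thread). The prefix 'dos' has no trailing space, so it runs into "IN=".
SAMPLE_LOG = """\
Oct 13 02:00:01 vps kernel: [1001.10] dosIN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=44321 LEN=40
Oct 13 02:00:01 vps kernel: [1001.11] dosIN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=44321 LEN=40
Oct 13 02:00:01 vps kernel: [1001.12] dosIN=ppp0 OUT= MAC= SRC=192.0.2.55 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4711 PROTO=TCP SPT=40112 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 13 02:00:02 vps kernel: [1002.01] dosIN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=44321 LEN=40
Oct 13 02:00:02 vps kernel: [1002.02] dosIN=ppp0 OUT= MAC= SRC=192.0.2.99 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Oct 13 02:00:02 vps sshd[812]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; bare flags like DF are skipped

def parse_line(line, prefix="dos"):
    """Return (timestamp, src, proto, dpt) for a LOG line with our prefix, else None."""
    m = re.search(re.escape(prefix) + r"\s*IN=", line)
    if not m:
        return None
    fields = dict(FIELD.findall(line[m.end() - 3:]))  # start parsing at "IN="
    if "SRC" not in fields:
        return None
    # ICMP lines carry TYPE/CODE instead of ports, so DPT may be absent.
    return line[:15], fields["SRC"], fields.get("PROTO", "?"), fields.get("DPT", "-")

def summarize(text, prefix="dos", top=3):
    """Count logged packets per (src, proto, dpt) and per one-second timestamp."""
    talkers, per_second = Counter(), Counter()
    for line in text.splitlines():
        hit = parse_line(line, prefix)
        if hit:
            ts, src, proto, dpt = hit
            talkers[(src, proto, dpt)] += 1
            per_second[ts] += 1
    return talkers.most_common(top), per_second.most_common(1)

if __name__ == "__main__":
    top_talkers, busiest = summarize(SAMPLE_LOG)
    for (src, proto, dpt), n in top_talkers:
        print(f"{n:6d}  {src:15s} {proto:4s} dpt={dpt}")
    print("busiest second:", busiest)
```

To use it on a real host, pass the contents of whichever file the distro writes kernel messages to into `summarize()` instead of `SAMPLE_LOG`.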
