Tuesday 26 April 2011

Find the attacks

To find the attacks:

This shows all connections to port 80:

netstat -an|grep :80



This shows only the SYN flood entries (connections in the SYN_RECV state):

netstat -an|grep SYN_RECV



To see the number of total Apache connections and then the total number of SYN_RECV:

netstat -an|grep :80|wc -l

netstat -an|grep SYN_RECV|wc -l

Use lsof to see which existing connections are not defunct; everything still connecting is in SYN_RECV status (you can check the IPs lsof reports against the SYN_RECV IPs):

lsof -i :80

How to count all the connections to your web server?
netstat -an | grep :80 | wc -l

As you can see above, the port specified is 80, which is the port the web server is using, whether that is Apache, lighttpd, LiteSpeed or any of the rest.


How to get all of the IPs and the number of connections each has to the server:

netstat -plan|grep :80|awk '{print $5}'|cut -d: -f 1|sort|uniq -c|sort -n
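
The per-IP count above, narrowed to half-open connections, as an added example that is not part of the original post. It reads netstat -an style output, keeps only SYN_RECV lines whose local port is exactly the one given (grep :80 also matches :8080 and remote ports starting with 80), and folds ::ffff: IPv4-mapped addresses, which cut -d: -f 1 would turn into empty fields. The function names, the threshold and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: per-source count of SYN_RECV connections on one local port.

# syn_recv_by_ip PORT MIN
# Reads `netstat -an` style lines on stdin and prints "count ip" for every
# remote IP with at least MIN half-open connections to local PORT.
syn_recv_by_ip() {
    awk -v port="$1" -v min="$2" '
        # Column 4 = local address, 5 = remote address, 6 = TCP state.
        $1 ~ /^tcp/ && $6 == "SYN_RECV" && $4 ~ (":" port "$") {
            ip = $5
            sub(/:[0-9]+$/, "", ip)   # drop the remote port (text after the last colon)
            sub(/^::ffff:/, "", ip)   # fold IPv4-mapped IPv6 onto the IPv4 address
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }' | sort -rn
}

# Constructed sample input (documentation address ranges), not real traffic.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:52000       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:40200      SYN_RECV
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:40115 SYN_RECV
EOF
}

# Demo on the sample; on a live host use: netstat -an | syn_recv_by_ip 80 20
sample_netstat | syn_recv_by_ip 80 2
```

On a busy server a handful of SYN_RECV entries per source is normal, so pick the threshold from what the host shows when it is not under attack.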
