How to view how many connections are connected from a certain ip with netstat

During an DDOS attacks it can be frustrating trying to gain access to your server. If you are able to access ssh you can view who is attacking you and then block them using iptables. Not all DDOS attacks can be detected this way but netstat it is a useful to any linux or centos administrator should know.

To view  the total number of connections from a single ip, run the following command in ssh

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

To view the total number of connections to a port, run the following command in ssh

netstat -tuna | awk -F':+| +' 'NR>2{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

These commands are useful during a DDOS attack to view what ip is the attacker and then you can block them. To block an ip on linux or centos you can do that with iptables. Use the above commands to view how many connections an ip has to your server and then block them using iptables. To view our how to block or unblock an ip with centos or linux with iptables Click Here.