Linux: Number of open connections per remote host

The following command can be used to find out the number of connections per remote host (which is useful to identify denial-of-service attacks):

# netstat -n | grep 'tcp\|udp' | awk '{ print $5; }' | cut -d: -f1 | sort | uniq -c | sort -nr

netstat -n is faster than netstat without the -n parameter because it prints numerical addresses instead of trying to determine symbolic host, port or user names.

grep 'tcp\|udp' only shows tcp and udp connections (thus removing unix sockets and headers).

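awk '{ print $5; }' prints only the fifth column, the foreign address (i.e. the IP address and port of the remote host).

cut -d: -f1 keeps only the part before the first colon (i.e. removes the port info). Note that it also cuts IPv6 addresses at their first colon, so the resulting counts are only meaningful for IPv4 peers.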

sort is required before calling uniq because uniq compares only to the immediately preceding line and would otherwise return IP addresses multiple times.

uniq -c converts the sorted list of IP addresses to a list with the number of occurrences of an IP address and the IP address.

sort -nr sorts the list by decreasing number of occurrences of an IP address.
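
An added example (not from the original post) that goes beyond the one-liner above: it does the same per-host count in a single awk pass but strips only the trailing :port, so IPv6 peers are not truncated at their first colon. The function names, the optional minimum-count argument and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-remote-host connection counts from `netstat -n` output
# on stdin. Names and sample data are constructed for illustration.

count_remote_hosts() {
    # $1 (optional): print only hosts with at least this many connections.
    min="${1:-1}"
    awk -v min="$min" '
        # Keep tcp/tcp6/udp/udp6 rows; skips headers and unix sockets.
        $1 ~ /^(tcp|udp)/ {
            addr = $5
            # Strip only the trailing ":port" so IPv6 addresses stay whole.
            sub(/:[^:]*$/, "", addr)
            count[addr]++
        }
        END {
            for (a in count)
                if (count[a] >= min) print count[a], a
        }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample in the column layout of Linux `netstat -n`.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51516      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51520      TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.5:40022       ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:50100    ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:50102    ESTABLISHED
udp        0      0 192.0.2.10:123          203.0.113.5:123         ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  3      [ ]         STREAM     CONNECTED     23456    /run/example.sock
EOF
}

# Demo on the sample; live use would be: netstat -n | count_remote_hosts 20
sample_netstat | count_remote_hosts
```

Ties in the count are ordered by address so the output is stable between runs.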
