Captured with tcpdump; can anyone tell what kind of attack this is? (SYN or UDP?)
[root@user root]# tcpdump tcp port 4264 and host 61.**.**.**
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:56:02.729761 IP YahooBB219002171069.bbtec.net.21091 > 61.**.**.**.4264: R 134957059:134957059(0) win 0
09:56:02.731869 IP 223.99.145.52.33629 > 61.**.**.**.4264: S 1047648840:1047648840(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.731921 IP 80.66.168.90.58394 > 61.**.**.**.4264: S 607793254:607793254(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.731968 IP 139.37.141.111.41280 > 61.**.**.**.4264: S 2252284455:2252284455(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.732005 IP 205.19.222.85.3421 > 61.**.**.**.4264: S 3496269435:3496269435(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.732267 IP 95.72.118.14.41489 > 61.**.**.**.4264: S 2383417887:2383417887(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.732306 IP 127.48.118.116.57866 > 61.**.**.**.4264: S 290550046:290550046(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.732325 IP 145.47.79.76.27978 > 61.**.**.**.4264: S 2589057399:2589057399(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.732366 IP 135.95.114.44.36908 > 61.**.**.**.4264: S 2386365010:2386365010(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.732414 IP 178.22.152.30.11870 > 61.**.**.**.4264: S 1562169143:1562169143(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.732444 IP 94.91.234.45.9813 > 61.**.**.**.4264: S 1513117229:1513117229(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.732670 IP 28.111.104.58.6512 > 61.**.**.**.4264: S 40076820:40076820(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.732930 IP 105.78.4.3.54054 > 61.**.**.**.4264: S 3426908274:3426908274(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.733199 IP 86.90.192.94.46697 > 61.**.**.**.4264: S 2063769193:2063769193(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.733412 IP 215.23.202.72.21566 > 61.**.**.**.4264: S 1181246788:1181246788(0) win 65535 <mss 1460,nop,nop,sackOK>
16 packets captured
365516 packets received by filter
365077 packets dropped by kernel
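An added example, not part of the original post: a small Python script that parses tcpdump's classic TCP decode lines (the sample below is copied from the capture above, destination left masked as in the post) and tallies TCP flags, distinct SYN sources, the time span and the advertised window sizes. That is how a defender checks for the SYN-flood signature by script rather than by eye: many bare SYNs from many unrelated sources within milliseconds, all with the same window and options, and no follow-up ACKs. The thresholds in `classify` are assumptions chosen for illustration. Note also that the capture filter `tcp port 4264` matches only TCP, so UDP traffic to the port could never appear in this output; a separate `udp port 4264` capture is needed to rule UDP in or out.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: lines copied from the tcpdump capture above (destination kept
# masked as in the original post); tcpdump's classic "flags seq:seq(len) win N" decode.
SAMPLE = """\
09:56:02.729761 IP YahooBB219002171069.bbtec.net.21091 > 61.**.**.**.4264: R 134957059:134957059(0) win 0
09:56:02.731869 IP 223.99.145.52.33629 > 61.**.**.**.4264: S 1047648840:1047648840(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.731921 IP 80.66.168.90.58394 > 61.**.**.**.4264: S 607793254:607793254(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.731968 IP 139.37.141.111.41280 > 61.**.**.**.4264: S 2252284455:2252284455(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.732005 IP 205.19.222.85.3421 > 61.**.**.**.4264: S 3496269435:3496269435(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.732267 IP 95.72.118.14.41489 > 61.**.**.**.4264: S 2383417887:2383417887(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.732306 IP 127.48.118.116.57866 > 61.**.**.**.4264: S 290550046:290550046(0) win 65535 <mss 1460,nop,nop,sackOK>
09:56:02.732325 IP 145.47.79.76.27978 > 61.**.**.**.4264: S 2589057399:2589057399(0) win 65535 <mss 1460,nop,nop,sackOK>
"""

# The endpoint may be a hostname or a dotted address; its last dot-separated
# field is always the port, so split from the right.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SRPFWE.]+) \d+:\d+\(\d+\) win (?P<win>\d+)"
)


def split_host_port(endpoint):
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Return a dict for one TCP decode line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = split_host_port(m["src"])
    dst, dport = split_host_port(m["dst"])
    ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": m["flags"], "win": int(m["win"])}


def summarize(text):
    """Aggregate the indicators a SYN-flood triage looks at."""
    pkts = [p for p in (parse_line(l) for l in text.splitlines()) if p]
    syns = [p for p in pkts if p["flags"] == "S"]  # bare SYN, no ACK bit
    span = 0.0
    if pkts:
        span = (max(p["ts"] for p in pkts) - min(p["ts"] for p in pkts)).total_seconds()
    return {
        "packets": len(pkts),
        "flags": Counter(p["flags"] for p in pkts),
        "syn_sources": len({p["src"] for p in syns}),
        "span_s": span,
        "syn_windows": Counter(p["win"] for p in syns),
    }


def classify(summary, min_syns=5, max_span_s=1.0):
    """Heuristic (thresholds are illustrative assumptions): at least min_syns bare
    SYNs from as many distinct sources inside max_span_s seconds is the shape of a
    spoofed SYN flood; real clients would be fewer, slower, and follow up with ACKs."""
    if (summary["flags"]["S"] >= min_syns
            and summary["syn_sources"] >= min_syns
            and summary["span_s"] < max_span_s):
        return "syn-flood-like"
    return "inconclusive"


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(dict(s["flags"]), s["syn_sources"], "sources in", round(s["span_s"], 6), "s")
    print("verdict:", classify(s))
```

On the eight sample lines this reports seven bare SYNs from seven different sources inside about 2.6 ms, all with window 65535 and identical options, and one stray RST; the verdict is "syn-flood-like". Feeding it the full capture gives the same picture with fourteen SYNs.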
Comments (2)
That many connection requests in one second is clearly DDoS. If it is UDP, you could use iptables -I INPUT -p udp -m udp --dport 4264 -j DROP
to drop all the UDP requests, couldn't you? After all, port 4264 doesn't use UDP anyway.
There isn't a single "SYN" in netstat -an.
My basis for judging that the port is being choked is:
1. Traffic has increased noticeably.
2. Users cannot connect to port 4264, while other ports work normally (though after enough retries [10 or more] the connection does get through).
3. In iptables I restricted the ACCEPTed IP /8 ranges (since a typical DDoS uses spoofed IPs [for example 3.19.4.55], I DROP all those addresses). That had an effect, which shows it is a DDoS attack.
What I still don't know is which type of attack it is.