How to detect DDos attacks

Thanks, that's some great info. But still, when you actually detect it, you can't do much about it.

Yeah thanks for the tips. maybe we will find some more methods in the future.

You can also use:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

A high number of connections from an IP makes it obvious that that IP is attacking your server, so block it in your firewall.

Originally Posted by sagar4evr

sometimes I see around 40+ hits coming from an ip does that mean someone is trying to attack my site?

Have you checked the IP? It could be a search engine crawling your website.

Originally Posted by sagar4evr

sometimes I see around 40+ hits coming from an ip does that mean someone is trying to attack my site?

Could be a search engine (as another poster pointed out), or a website reading any RSS feeds that you might have (if you have a blog or RSS feed, that is). What are the hits on?

Usually, 40 hits isn't anything. Look for 40,000 hits- that's what a DoS attack looks like.

Hello friends

Different from other research work focusing on network-wide traffic, the traffic we focus on for analysis is that of a traffic state viewed from a router¿s interior. In this paper, at first, a kind of Port-to-Port traffic in a router is introduced, which we call IF flow. IF flows can amplify the ratio of attack traffic to normal traffic. Then RLS (recursive least square) filter is used to predict IF flows. After that, a statistical method using residual filtered process is proposed to detect anomalies. Finally we respectively apply the method to three types of traffics: IF flows, input links and output links within a router, and compare the anomaly detection results using ROC curves. Results show that IF flows are more powerful than input links and output links in DDoS attacks detection.

Thanks for all guys

There is any program that can detected and killed it in the same time???