How to check if your web application is under DDoS attack

Sep 11, 2021 · 2 mins read

Nowadays, most web applications are vulnerable and exposed to many kinds of attacks. One of them is a DDoS attack. There are many services on the internet that offer some kind of protection, but not all of them are free. In this tutorial, I'm going to explain how you can detect a DDoS attack from your Linux server's CLI and take steps to stop it.


Prerequisites

  • Linux bash environment
  • sudo privileges
  • netstat

Check if your web application is under DDoS attack

If you have noticed that your web application is running slowly and sometimes throws timeouts, it may be under a DDoS attack.

Step 1. To check for a DDoS attack on port 80 (HTTP), run the following command:

sudo netstat -plane | awk '$4 ~ /:80$/ {print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -n

Step 2. For port 443 (HTTPS), execute:

sudo netstat -plane | awk '$4 ~ /:443$/ {print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -n



The first column shows how many connections are established, and the second column shows the IP address they come from. So, from the example above, there are 350 connections from one IP address, which seems very suspicious.
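
The same per-IP count as a reusable filter, given here as an added example that is not part of the original tutorial: it matches only the local port column, skips listening sockets, unwraps IPv4-mapped IPv6 addresses and applies a threshold. The function names, the threshold and the sample lines (documentation address ranges) are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial. Function names are hypothetical.
# Input: `netstat -an`-style lines on stdin
# (columns: proto recv-q send-q local-address foreign-address state ...).

# count_sources PORTS MIN
#   PORTS  local ports as a regex alternation, e.g. "80|443"
#   MIN    report only sources with at least this many connections
count_sources() {
  awk -v ports="$1" -v min="$2" '
    # Match the port at the end of the LOCAL address only, so :8080 and
    # outbound connections to a remote :80 are not counted.
    $1 ~ /^tcp/ && $4 ~ (":(" ports ")$") && $6 != "LISTEN" {
      src = $5
      sub(/:[0-9*]+$/, "", src)   # drop the remote port
      sub(/^::ffff:/, "", src)    # unwrap IPv4-mapped IPv6 addresses
      n[src]++
    }
    END { for (s in n) if (n[s] >= min) print n[s], s }
  ' | sort -rn
}

# Constructed sample input (documentation address ranges), not real traffic.
sample_netstat() {
  echo "tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN"
  for i in $(seq 1 12); do
    echo "tcp 0 0 192.0.2.10:443 203.0.113.7:$((40000 + i)) ESTABLISHED"
  done
  for i in 1 2 3; do
    echo "tcp6 0 0 ::ffff:192.0.2.10:80 ::ffff:198.51.100.23:$((50000 + i)) SYN_RECV"
  done
  echo "tcp 0 0 192.0.2.10:8080 203.0.113.7:41000 ESTABLISHED"  # other service
  echo "tcp 0 0 192.0.2.10:39000 198.51.100.23:80 ESTABLISHED"  # outbound request
}

# Sources with at least 10 connections to ports 80/443 in the sample.
sample_netstat | count_sources "80|443" 10
```

On a live server, pipe the tutorial's command into it, for example `sudo netstat -plane | count_sources "80|443" 100`; the value 100 is an arbitrary threshold to tune against normal traffic.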

Protect your web application from a DDoS attack

To protect your application from DDoS, first spot an IP address with many active connections, as in the example above, and then immediately set a firewall rule to block that IP address. The exact rule depends on your Linux distro.


From this tutorial, you can learn some basic steps on how to spot and prevent DDoS attacks.