Help needed with possible DDoS

So I'm noticing some odd slowness on my network, despite the fact that there has been some work being done in the area for another ISP. Running the netstat command came up with a lot of incoming addresses on my network. I am not very experienced so I am not sure if I am being attacked or not, or at this point how to mitigate this.
Any help would be much appreciated

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

p@r0tuXus

Yep. Looks like the problem is quite obvious. You see, it's all upside down. Heh.

JSN

http://i67.tinypic.com/149z66a.jpg

cyberguypr

Is this machine behind a router?

JSN

Yes, just a typical home router access from my laptop.

PJ_Sneakers

Open up resource monitor and see which processes are using the most traffic.

JSN

PJ_Sneakers wrote: »

Open up resource monitor and see which processes are using the most traffic.

Seems to be resolved now, do you have any advice on how to mitigate attacks in the future? I renewed and released the DHCP and tried changing my IP on windows. I'm not really sure how to comprehend that traffic either, I just know there were a few bouts of slow internet.

PJ_Sneakers

Its probably not a DOS. If it's anything malicious it'd probably be malware. But it's likely to be a Windows process too, or Dropbox, or any number of other things. Nail down which process it is, and research it.

paul78

I would agree with PJ_Sneakers - it is not likely a DOS attack. I've actually seen this before but I just don't recall the circumstance or scenario.

@OP - it would be helpful if you posted info so it's easier to read but from what I could glean without getting a neck cramp - looks like outbound connections from your computer. And if your router/firewall is configured correctly, it's unlikely to be inbound connections.

It looks like a browser hijack to me but I also recall finding another reason for this - just can't remember what...

If you post better details from the netstat - Ideally not a screenshot - it would be interesting to try to diagnose.

Verities

Not sure what a DoS looks like over Netstat (now I have to go look). Netstat is used to typically show network connections, its actually deprecated and SS is the replacement. Read the man pages for how to differentiate between TCP and UDP connections or established or listening ports. To me it looks like multiple connections are established over HTTPS. This typically happens when you visit a website or multiple websites. I'm not sure exactly you would determine any type of attack or specifically a browser hijack over those ports unless you close all your web browsers and watch netstat drop or maintain the connections or inspect the actual traffic.

Anyways, securing your IPtables should be your first line of defense:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT-A INPUT -i lo -j ACCEPT
-A INPUT -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

The bolded lines are going to provide you the most security at the OS layer from outside attackers, specifically bots that crawl the internet looking for systems to exploit and also limit the amount of input from any established or new connections.

Edit (check this out): https://linuxaria.com/howto/how-to-verify-ddos-attack-with-netstat-command-on-linux-terminal

paul78

paul78 wrote: »

.... I also recall finding another reason for this - just can't remember what...

Oh - I think these are mostly connections to Microsoft networks. Are you running Skype by any chance? I have a vague recollection about that when I saw this in the past.

Verities

paul78 wrote: »

Oh - I think these are mostly connections to Microsoft networks. Are you running Skype by any chance? I have a vague recollection about that when I saw this in the past.

And here I was thinking this was a Linux desktop. Now that I look at the top of the picture, I can see Windows Explorer C:\ path.

NetworkNewb

Use "netstat -b" to see what exe is using each connection. Honestly that just looks like mine when I have a bunch of tabs open in my browser though...

paul78

NetworkNewb wrote: »

Honestly that just looks like mine when I have a bunch of tabs open in my browser though...

LOL - good point - there are a lot of CDNs on that list. I did probe a couple of the IP/port's though but there wasn't a HTTP listener at the destination othere than at the CDNs.