Continuous Connection Count Monitoring for DDoS Detection
Set up automated monitoring of network connection counts. Get alerted when connections spike indicating DDoS attacks, traffic surges, or application issues.
This guide covers automated connection monitoring to detect traffic spikes, DDoS attacks, and application connection leaks before they cause problems.
For quick one-time connection checks, see Count Network Connections.
Why Continuous Connection Monitoring?
Connection counts change constantly. Without monitoring, you won't know about:
- DDoS attack flooding your server with connections
- Application connection leak slowly exhausting limits
- Traffic spike requiring more resources
- Port exhaustion about to crash services
Setting Up Threshold-Based Alerts
| Connection Count | Severity | Likely Cause | Action |
|---|---|---|---|
| < 100 | Normal | Regular traffic | None |
| 100-500 | Elevated | Traffic spike | Monitor |
| 500-1000 | High | Busy period or issue | Investigate |
| > 1000 | Critical | DDoS or major incident | Immediate action |
Adjust based on your baseline—a busy web server might normally have 500+.
Method 1: Count Established Connections with netstat
The netstat command shows network connections and can count established connections.
Count Total Established Connections
To see total established connections:
# Count established connections
netstat -an | grep ESTABLISHED | wc -l
# Show established connections
netstat -an | grep ESTABLISHED
# Count TCP established connections
netstat -ant | grep ESTABLISHED | wc -l
# Count connected UDP sockets (UDP is connectionless; only sockets that called
# connect() to a fixed peer are reported as ESTABLISHED here)
netstat -anu | grep ESTABLISHED | wc -l
Show Connection Details
To see detailed connection information:
# Show established connections with process info
netstat -antp | grep ESTABLISHED
# Show connections grouped by state
netstat -an | awk '/^tcp/ {print $6}' | sort | uniq -c
# Show connections by port
netstat -ant | grep ESTABLISHED | awk '{print $4}' | sed 's/.*://' | sort | uniq -c | sort -rn
# (sed keeps only the text after the last colon, so IPv6 addresses such as :::80 are handled too)
Method 2: Count Connections with ss Command
The ss command is faster than netstat and provides connection statistics.
Get Connection Statistics
# Show connection summary
ss -s
# Count established connections (ss prints the state as ESTAB, not ESTABLISHED)
ss -ant | grep ESTAB | wc -l
# Show established connections
ss -ant | grep ESTAB
# Show connection statistics by state (ss -s uses lower-case "estab")
ss -s | grep -i estab
Show Detailed Connection Information
# Show connections with process information (run as root to see other users' processes)
ss -antp | grep ESTAB
# Show connections by local port (sed keeps only the part after the last colon, so IPv6 works too)
ss -ant | grep ESTAB | awk '{print $4}' | sed 's/.*://' | sort | uniq -c | sort -rn
# Count connections per peer IP (strip only the trailing :port so IPv6 addresses stay intact)
ss -ant | grep ESTAB | awk '{print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn
Method 3: Automated Connection Monitoring with Zuzia.app
Manually checking connection counts works for occasional monitoring, but for production servers, you need automated monitoring that alerts you when connection counts exceed thresholds. Zuzia.app provides comprehensive connection monitoring through scheduled command execution.
Setting Up Automated Connection Monitoring
1. Add Scheduled Task in Zuzia.app Dashboard
- Navigate to your server in Zuzia.app
- Click "Add Scheduled Task"
- Choose "Command Execution" as the task type
2. Configure Connection Count Command
- Enter command: netstat -an | grep ESTABLISHED | wc -l
- Set execution frequency: Every 30 minutes to 1 hour
- Configure alert conditions: Alert when connection count exceeds thresholds
- Set up thresholds for different severity levels
3. Set Up Notifications
- Choose notification channels (email, webhook, Slack, etc.)
- Configure alert thresholds (e.g., warning at 1000, critical at 5000)
- Set up escalation rules for high connection counts
Monitor Connection Trends
Track connection counts over time:
# Save connection count with timestamp
echo "$(date): $(netstat -an | grep ESTABLISHED | wc -l)" >> /tmp/connections.log
# Check the change in connection count since the previous run
# (defaults to 0 when no previous value exists yet; in production keep the state
# file outside world-writable /tmp so other local users cannot alter it)
prev_count=$(cat /tmp/prev-count.txt 2>/dev/null || echo 0)
curr_count=$(netstat -an | grep ESTABLISHED | wc -l)
echo "$curr_count" > /tmp/prev-count.txt
echo "Change: $((curr_count - prev_count))"
Zuzia.app stores all command outputs in its database, allowing you to track connection counts over time and identify patterns in network activity.
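The threshold table at the top of this guide and the trend snippet above can be combined into one stateful check, shown here as an added example (not part of the original guide or of Zuzia.app). It assumes a state directory STATE_DIR (default /var/lib/connmon, overridable via the environment) and the table's 100/500/1000 thresholds; the count can be passed as an argument so it can be tested without live sockets.

```shell
#!/bin/sh
# Stateful connection-count check: classify the current count, compare it with the
# previous run, log both, and exit 0 when an alert should be raised.
# STATE_DIR is an assumed path; avoid world-writable /tmp for the state file.
STATE_DIR="${STATE_DIR:-/var/lib/connmon}"

# Severity from the guide's table (boundaries adjustable via ELEV/HIGH/CRIT)
severity_for() {
  if [ "$1" -gt "${CRIT:-1000}" ]; then echo Critical
  elif [ "$1" -gt "${HIGH:-500}" ]; then echo High
  elif [ "$1" -ge "${ELEV:-100}" ]; then echo Elevated
  else echo Normal
  fi
}

# Established TCP connections right now (ss prints the state as ESTAB)
current_count() { ss -ant | grep -c '^ESTAB'; }

# Percentage change from prev to curr; 0 when there is no baseline yet
pct_change() {
  if [ "$1" -gt 0 ]; then echo $(( ($2 - $1) * 100 / $1 )); else echo 0; fi
}

# Usage: check_connections [count]; returns 0 (alert) or 1 (nothing to do)
check_connections() {
  curr=${1:-$(current_count)}
  mkdir -p "$STATE_DIR"
  prev=$(cat "$STATE_DIR/prev-count" 2>/dev/null || echo 0)
  echo "$curr" > "$STATE_DIR/prev-count"
  sev=$(severity_for "$curr")
  pct=$(pct_change "$prev" "$curr")
  echo "$(date -u +%FT%TZ) count=$curr prev=$prev change=${pct}% severity=$sev" \
    >> "$STATE_DIR/connections.log"
  # Alert on High/Critical, or on a jump of more than SPIKE_PCT percent (default 200)
  [ "$sev" = Critical ] || [ "$sev" = High ] || [ "$pct" -gt "${SPIKE_PCT:-200}" ]
}

# Scheduled use: check_connections && send_alert   (send_alert is your own hook)
```

Run it from cron or as the scheduled command and wire its exit status to the notification channel of your choice.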
Method 4: Advanced Connection Monitoring Techniques
Monitor Connections by Port
To see which ports have the most connections:
# Count connections by port
netstat -ant | grep ESTABLISHED | awk '{print $4}' | sed 's/.*://' | sort | uniq -c | sort -rn | head -10
# Monitor a specific local port (e.g., port 80); matching on the end of the local
# address avoids also counting 8080, 800, etc.
netstat -ant | grep ESTABLISHED | awk '$4 ~ /:80$/' | wc -l
# Monitor multiple local ports
netstat -ant | grep ESTABLISHED | awk '$4 ~ /:(80|443|22)$/' | wc -l
Monitor Connections by IP Address
To identify connection sources:
# Count connections per IP
netstat -ant | grep ESTABLISHED | awk '{print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn | head -10
# Show connections from a specific IP (fixed-string match with the trailing colon,
# so 192.168.1.100 does not also match 192.168.1.1000)
netstat -ant | grep ESTABLISHED | grep -F "192.168.1.100:"
# Count connections per IP address with ss (state is printed as ESTAB)
ss -ant | grep ESTAB | awk '{print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn
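The per-IP pipelines in the ss section and above break down once IPv6 and IPv4-mapped peers appear in the output. The following added example (not from the original guide or from Zuzia.app) aggregates established connections per peer from ss -ant style lines, normalising all three address forms, and lists peers above a threshold; SAMPLE_SS_OUTPUT is constructed test data, not a real capture.

```shell
#!/bin/sh
# Per-peer aggregation of established TCP connections from `ss -ant` output
# (columns: State Recv-Q Send-Q Local Peer). Handles plain IPv4, IPv6 in brackets
# and IPv4-mapped IPv6 peers, which a naive `cut -d: -f1` would mangle.

# Constructed sample lines in ss -ant layout (RFC 5737/3849 documentation addresses)
SAMPLE_SS_OUTPUT='ESTAB 0 0 10.0.0.5:443 198.51.100.7:51234
ESTAB 0 0 10.0.0.5:443 198.51.100.7:51235
ESTAB 0 0 10.0.0.5:443 198.51.100.7:51236
ESTAB 0 0 [::ffff:10.0.0.5]:443 [::ffff:198.51.100.7]:51240
ESTAB 0 0 [2001:db8::5]:80 [2001:db8::1]:40000
TIME-WAIT 0 0 10.0.0.5:443 203.0.113.9:40001
ESTAB 0 0 10.0.0.5:22 203.0.113.9:40002'

# Strip the trailing :port, surrounding brackets, and the ::ffff: prefix of
# IPv4-mapped addresses so the same host is counted once regardless of form
normalize_peer() {
  sed -E 's/:[0-9]+$//; s/^\[(.*)\]$/\1/; s/^::ffff://'
}

# Number of established connections on stdin (header and other states ignored)
established_total() {
  awk '$1 == "ESTAB" {n++} END {print n+0}'
}

# "count peer" lines, busiest peer first
count_per_peer() {
  awk '$1 == "ESTAB" {print $5}' | normalize_peer | sort | uniq -c | sort -rn |
    awk '{print $1, $2}'
}

# Peers with at least $1 established connections (candidates for investigation)
peers_over_threshold() {
  count_per_peer | awk -v min="$1" '$1 >= min'
}

# Live use: ss -ant | peers_over_threshold 100
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_SS_OUTPUT" | peers_over_threshold 3
fi
```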
Detect Connection Spikes
To identify unusual connection activity:
# Monitor connections in real-time
watch -n 5 'netstat -an | grep ESTABLISHED | wc -l'
# Track connection count over time
while true; do echo "$(date): $(netstat -an | grep ESTABLISHED | wc -l)"; sleep 60; done
Real-World Use Cases for Connection Monitoring
DDoS Attack Detection
For detecting DDoS attacks:
# Check total connection count
netstat -an | grep ESTABLISHED | wc -l
# Check connections per IP (potential DDoS)
netstat -ant | grep ESTABLISHED | awk '{print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn | head -20
# Snapshot of socket counts by state (ss -s prints "estab" in lower case);
# run it repeatedly to derive a connection rate
ss -s | grep -i estab
Performance Monitoring
For performance monitoring:
# Check connection count
netstat -an | grep ESTABLISHED | wc -l
# Check connections by port
netstat -ant | grep ESTABLISHED | awk '{print $4}' | sed 's/.*://' | sort | uniq -c | sort -rn
# Check for connection leaks
ss -s
Best Practices for Connection Monitoring
1. Monitor Connections Regularly
Check connection count every 30 minutes to 1 hour. More frequent checks may be needed for high-traffic servers. Use Zuzia.app automated monitoring to check connections continuously without manual intervention.
2. Set Appropriate Alert Thresholds
Configure alerts at different levels:
- Warning: 1000-2000 connections
- Critical: 5000+ connections
- Emergency: 10000+ connections
3. Monitor Connection Trends
Track connection counts over time to identify patterns. Sudden spikes might indicate attacks or issues.
4. Monitor Connections by Port
Focus monitoring on critical ports (web servers, databases). Set up dedicated monitoring for these ports.
5. Track Connections by IP
Monitor connections per IP address to detect DDoS attacks or connection abuse.
Troubleshooting Common Connection Issues
Too Many Connections
If there are too many connections:
# Identify top connection sources
netstat -ant | grep ESTABLISHED | awk '{print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn | head -10
# Check connection count
netstat -an | grep ESTABLISHED | wc -l
# Check for connection leaks
ss -s
Connection Spikes
If connection count spikes:
# Check connections by port
netstat -ant | grep ESTABLISHED | awk '{print $4}' | sed 's/.*://' | sort | uniq -c | sort -rn
# Check connections by IP
netstat -ant | grep ESTABLISHED | awk '{print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn
# Review kernel messages, e.g. "possible SYN flooding on port 80" or
# nf_conntrack "table full, dropping packet" (may require root)
dmesg | tail -50
FAQ: Common Questions About Monitoring Connections
How often should I check connection count?
We recommend checking connection count every 30 minutes to 1 hour. More frequent checks may be needed for high-traffic servers. Use Zuzia.app automated monitoring to check connections continuously without manual intervention.
What if connection count spikes?
You'll receive notifications when connection counts exceed thresholds through Zuzia.app. This could indicate a DDoS attack, legitimate traffic spike, or application issue. Investigate by checking connections by IP address and port to identify the source.
Can I see connection details?
Yes, you can use netstat -an | grep ESTABLISHED to see detailed connection information including source and destination IP addresses and ports. Use ss -antp | grep ESTAB (ss abbreviates the state name) for the same list with process IDs; run it as root to see processes owned by other users.
How do I detect DDoS attacks?
Set up automated monitoring in Zuzia.app that tracks connection counts and connections per IP address. Alert on sudden spikes in connection counts or when a single IP address has an unusually high number of connections. Monitor connection patterns over time to identify anomalies.
Can I track connection patterns over time?
Yes, use Zuzia.app to store connection count data in its database. This allows you to track connection patterns over time, identify trends, and detect anomalies. Compare current connection counts with historical patterns to identify unusual activity.
How can I monitor connections across multiple servers?
Zuzia.app allows you to add multiple servers and monitor connection counts across all of them simultaneously. Each server executes commands independently, and all results are stored in Zuzia.app's database for centralized monitoring and analysis.
Does Zuzia.app use AI to analyze connection patterns?
Yes, if you have Zuzia.app's full package, AI analysis is enabled. The AI can detect patterns in connection activity, identify DDoS attacks, predict potential issues, and suggest optimizations based on historical connection data and machine learning algorithms.