200 Part II Running the Show

The r flag denotes that the server machine will be the receiver. The s flag, in conjunction with the r flag, tells ttcp to ignore any received data.

Have someone outside your data link, with a network link close to the same speed as yours, set up a ttcp sending process:

    # ttcp -ts server.example.com
    ttcp-t: buflen=8192, nbuf=2048, align=16384/0, port=5001 tcp -> server.example.com
    ttcp-t: socket
    ttcp-t: connect

Let the process run for a few minutes and then press Ctrl+C on the transmitting side to stop the testing. The receiving side will then take a moment to calculate and present the results:

    # ttcp -rs
    ttcp-r: buflen=8192, nbuf=2048, align=16384/0, port=5001 tcp
    ttcp-r: socket
    ttcp-r: accept from 64.223.17.21
    ttcp-r: 2102496 bytes in 70.02 real seconds = 29.32 KB/sec +++
    ttcp-r: 1226 I/O calls, msec/call = 58.49, calls/sec = 17.51
    ttcp-r: 0.0user 0.0sys 1:10real 0% 0i+0d 0maxrss 0+2pf 0+0csw

In this example, the average bandwidth between the two hosts was 29.32 kilobytes per second. On a link suffering from a DDoS, this number would be a fraction of the actual bandwidth for which the data link is rated.

If the data link is indeed saturated, the next step is to determine where the connections are coming from. A very effective way of doing this is with the netstat command. Type the following to see connection information:

    # netstat -tupn

Table 6-1 describes each of the netstat parameters used here.

Table 6-1 netstat Parameters

    Parameter        Description
    -t, --tcp        Shows TCP socket connections.
    -u, --udp        Shows UDP socket connections.
    -p, --program    Shows the PID and name of the program to which each socket belongs.
    -n, --numeric    Shows numerical addresses instead of trying to determine symbolic host, port, or usernames.
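To see at a glance where the connections are coming from, the netstat -tupn output can be grouped by remote address. The following is an added example, not part of the original text: the function names remote_summary and sample_netstat are hypothetical, the sample rows are constructed from documentation address ranges, and the Linux net-tools column layout is assumed.

```shell
#!/bin/sh
# Summarise `netstat -tupn` output read on stdin: one line per remote
# address with total sockets and how many are half-open (SYN_RECV),
# busiest first. Output columns: TOTAL SYN_RECV ADDRESS
remote_summary() {
    awk '
        # Only socket rows start with tcp/tcp6/udp/udp6; this skips the
        # two header lines netstat prints.
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $5
            sub(/:[^:]*$/, "", addr)   # drop ":port", keeps IPv6 colons
            total[addr]++
            # UDP rows have no State column, so $6 is the PID there.
            if ($6 == "SYN_RECV") half[addr]++
        }
        END {
            for (a in total) printf "%d %d %s\n", total[a], half[a] + 0, a
        }
    ' | sort -k1,1nr -k3,3
}

# Constructed sample (documentation address ranges), not captured data.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED 1234/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV    -
tcp        0      0 192.0.2.10:22           203.0.113.5:40022       ESTABLISHED 2210/sshd
tcp6       0      0 2001:db8::10:80         2001:db8::beef:44321    ESTABLISHED 1234/httpd
udp        0      0 192.0.2.10:53           203.0.113.5:4000                    999/named
EOF
}

# On a live host: netstat -tupn | remote_summary | head
sample_netstat | remote_summary
```

A remote address with a high total, or with many sockets stuck in SYN_RECV, is the first candidate to investigate or rate-limit.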