Uses of Netstat
Netstat has a bevy of uses, some expected and others not so obvious.
Determine If You're the Victim of a SYN Flood or Other DDoS Attack
A distributed denial-of-service (DDoS) attack is one in which the victim computer is overwhelmed by network requests, slowing or stopping the machine and consuming network bandwidth. A SYN flood is a DDoS attack that takes advantage of a bug in the way that TCP/IP establishes connections, the "three-way handshake."
A SYN attack takes advantage of this by sending an overwhelming number of SYN requests with bogus return addresses. This leaves resources open on the destination computer waiting for its SYN-ACK to be acknowledged. Eventually, the computer's resources are completely used up waiting for information that will never come. Although Microsoft offers patches for all its operating systems to protect against this type of DDoS, many machines are still unpatched.
The network state SYN_RCVD shows that a TCP handshake has gone awry and that your machine is trying to contact a spoofed host or an otherwise inaccessible computer. A profusion of SYN_RCVD connections suggests that you are probably suffering from a flood attack. (See Figure 2.)
Figure 2 Netstat results during a SYN flood attack.
Is My Computer a Zombie? Locating Trojans
Trojans are programs that infect a host computer and send information back to a remote computer. This might involve things such as password or file snooping, or it might be part of a DDoS attack. Part of Code Red's payload was an example of a DDoS attack involving multiple "zombies," machines infected with the Trojan that wait for a signal from the master computer or, in the case of Code Red, a date and time to begin attacking a target or targets. These attacks flood the target with massive amounts of traffic, preventing legitimate traffic from coming or going.
If your computer is a zombie, infected by a Trojan preparing to perform some act of evil, netstat can help you by comparing any open connections that you don't expect to see with the list of known Trojan ports found at http://www.doshelp.com/trojanports.htm.
For example, the Netspy Trojan is known to use port 1024. If your netstat results show an established connection on port 1024, your computer may have been compromised:
Proto  Local Address   Foreign Address   State
TCP    numa:1024       evil.foo.com      established
You can then take steps to discover whether the Trojan is present and remove it.
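Both checks described so far, counting SYN_RCVD connections in the flood section and comparing established connections against a Trojan port list in this one, start from the same parsed netstat -n output. The script below is an added example, not part of the article: it parses a constructed sample of netstat -n output and runs both checks over it. The threshold and the port list are assumptions (only the Netspy/1024 pairing comes from the article); in practice you would load the full port list from the doshelp.com page cited above and calibrate the threshold against a healthy baseline.

```python
"""Parse Windows `netstat -n` output and flag the two conditions described
above: a pile-up of half-open (SYN_RCVD) connections that suggests a SYN
flood, and an ESTABLISHED connection on a port associated with a known Trojan.

Added example: the sample output, the threshold and the port list are
constructed for illustration; only the Netspy/1024 pairing comes from the
article.
"""
from collections import Counter

# Constructed sample of `netstat -n` output. Because -n suppresses name
# resolution, foreign hosts appear as numeric addresses. The address block
# 203.0.113.0/24 is reserved for documentation, so the "foreign" host is
# not a real machine.
SAMPLE_NETSTAT_N = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.100.207:80     10.0.0.5:40231         SYN_RCVD
  TCP    192.168.100.207:80     10.0.0.6:40232         SYN_RCVD
  TCP    192.168.100.207:80     10.0.0.7:40233         SYN_RCVD
  TCP    192.168.100.207:80     10.0.0.8:40234         SYN_RCVD
  TCP    192.168.100.207:80     172.16.4.9:51002       ESTABLISHED
  TCP    192.168.100.207:1024   203.0.113.7:6000       ESTABLISHED
  TCP    192.168.100.207:139    192.168.100.12:1138    ESTABLISHED
  UDP    192.168.100.207:137    *:*
"""

# Port-to-Trojan mapping. Netspy/1024 is the article's example; in practice
# you would load the full list from the doshelp.com page the article cites.
KNOWN_TROJAN_PORTS = {1024: "Netspy"}

# Windows prints SYN_RECEIVED, BSD-derived tools print SYN_RCVD; treat both
# as the half-open state the article describes.
HALF_OPEN_STATES = {"SYN_RCVD", "SYN_RECEIVED"}


def parse_netstat(output):
    """Turn netstat -n text into a list of connection dicts.

    Header and blank lines are skipped; UDP rows have no State column.
    """
    conns = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_ip, _, local_port = parts[1].rpartition(":")
        conns.append({
            "proto": parts[0],
            "local_ip": local_ip,
            "local_port": int(local_port) if local_port.isdigit() else None,
            "foreign": parts[2],
            "state": parts[3].upper() if len(parts) > 3 else "",
        })
    return conns


def state_counts(conns):
    """How many TCP connections sit in each state (the quick flood check)."""
    return Counter(c["state"] for c in conns if c["proto"] == "TCP")


def syn_flood_suspected(conns, threshold=3):
    """True when half-open connections reach the threshold.

    The threshold is an assumption for this small sample; a busy public
    server legitimately holds many more half-open connections, so calibrate
    it against a baseline taken when the machine is known to be healthy.
    """
    half_open = sum(1 for c in conns if c["state"] in HALF_OPEN_STATES)
    return half_open >= threshold


def trojan_port_connections(conns, trojan_ports=KNOWN_TROJAN_PORTS):
    """ESTABLISHED TCP connections whose local port is on the Trojan list.

    Returns (local_port, trojan_name, foreign_address) tuples: leads to
    investigate, not proof of infection, since legitimate software can use
    the same port numbers.
    """
    return [
        (c["local_port"], trojan_ports[c["local_port"]], c["foreign"])
        for c in conns
        if c["proto"] == "TCP"
        and c["state"] == "ESTABLISHED"
        and c["local_port"] in trojan_ports
    ]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT_N)
    print("states:", dict(state_counts(conns)))
    print("SYN flood suspected:", syn_flood_suspected(conns))
    for port, name, foreign in trojan_port_connections(conns):
        print(f"port {port} ({name}) established with {foreign}")
```

On a real machine you would feed the script the captured output of netstat -n rather than the embedded sample. A hit on a Trojan port is a lead, not a verdict: confirm which process owns the connection before removing anything.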
Determine Your Own IP Address
Netstat is the quickest way to determine the IP address of your local machine. With the popularity of ipconfig and its variants, netstat is often overlooked for this. Enter the command netstat -n at a command prompt, and you will see a list of your active connections in numerical form. The Local Address column gives you your IP address.
Display Ethernet Statistics
netstat -e will display statistics on your Ethernet device, including errors and discards, as shown in Figure 3.
Figure 3 netstat -e statistics displayed.
This can be used to locate the source of network trouble along a wire or to determine the amount of network traffic that is being generated by a particular task, for example, to judge the impact of a network game upon the rest of the network, or to see how much traffic is generated by streaming .mp3s to a workstation or by loading a Web page. The netstat -e command shows the amount of traffic received and sent since the last reboot, so snapshots taken before and after a task is performed will show the amount of traffic generated by that task.
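The before-and-after measurement just described is easy to get wrong by hand, so here is an added example (not from the article) that parses two netstat -e snapshots and subtracts them counter by counter. Both snapshots and their numbers are constructed; the layout follows the Windows netstat -e format of a label followed by Received and Sent columns. Because the counters accumulate since the last reboot, a counter that goes backwards between snapshots is reported as unusable rather than as a negative number.

```python
"""Compute the traffic attributable to a task from two `netstat -e` snapshots,
as the section above suggests: take one before the task, one after, and
subtract.

Added example; both snapshots are constructed and the counter values are
made up for illustration.
"""
import re

# Constructed `netstat -e` snapshot taken before the task (Windows layout:
# a label followed by a Received column and, for most rows, a Sent column).
BEFORE = """
Interface Statistics

                           Received            Sent

Bytes                       1000000          500000
Unicast packets                5000            3000
Non-unicast packets             120              40
Discards                          0               0
Errors                            0               0
Unknown protocols                10
"""

# Constructed snapshot taken after streaming a file for a while.
AFTER = """
Interface Statistics

                           Received            Sent

Bytes                       1450000          520000
Unicast packets                5400            3100
Non-unicast packets             125              40
Discards                          0               0
Errors                            2               0
Unknown protocols                12
"""

# A label (letters, spaces, hyphens) followed by one or two integer columns.
ROW = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s+(\d+)(?:\s+(\d+))?\s*$")


def parse_netstat_e(output):
    """Map each counter label to a (received, sent) tuple.

    Rows that only have a Received column (Unknown protocols) get sent=None.
    """
    stats = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        received = int(m.group(2))
        sent = int(m.group(3)) if m.group(3) is not None else None
        stats[m.group(1).strip()] = (received, sent)
    return stats


def counter_delta(old, new):
    """Difference of one counter; None if it went backwards or is absent.

    The counters accumulate since the last reboot, so a decrease means the
    machine rebooted (or the counter wrapped) between the snapshots and the
    delta is meaningless.
    """
    if old is None or new is None:
        return None
    return new - old if new >= old else None


def traffic_delta(before, after):
    """Per-counter (received, sent) deltas between two parsed snapshots."""
    delta = {}
    for label, (r_old, s_old) in before.items():
        if label not in after:
            continue
        r_new, s_new = after[label]
        delta[label] = (counter_delta(r_old, r_new), counter_delta(s_old, s_new))
    return delta


if __name__ == "__main__":
    deltas = traffic_delta(parse_netstat_e(BEFORE), parse_netstat_e(AFTER))
    for label, (rx, tx) in deltas.items():
        tx_text = "n/a" if tx is None else f"+{tx}"
        print(f"{label:20s} received +{rx}  sent {tx_text}")
```

Run it as-is to see the constructed deltas; on a real machine, save the output of netstat -e to a file before and after the task and pass the file contents to parse_netstat_e. A jump in the Errors or Discards rows between snapshots points at the wire or the card rather than at the task itself.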
Display the Routing Table
The routing table is the reference map that your machine uses to know where to send packets within a network. netstat -r is one of several ways to show this table. Rarely must anyone modify a routing table, because most of it is generated dynamically; still, it can provide useful information.
The netstat -r command, when entered at a command prompt, will output the routing table as in Figure 4. The table tells you that there is one NIC in this machine and gives you its MAC address. The first route tells you that every IP address (0.0.0.0) with any netmask (0.0.0.0) should be routed to the default gateway (192.168.100.1) through the interface with address 192.168.100.207. The fourth route tells you that the IP address 192.168.100.207 should be routed to the loopback address (this machine). Together, these two routes instruct the machine to send every packet not destined for this subnet through the Ethernet card to the default gateway.
Figure 4 Routing table output.
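To make the route selection described above concrete, here is an added example (not the article's own code or output) that parses a netstat -r table and answers "which route will this destination take?" using the same longest-prefix rule the IP stack applies. The table is constructed to match the description of Figure 4 (one NIC at 192.168.100.207, default gateway 192.168.100.1); the exact rows and metrics are assumptions.

```python
"""Parse the `netstat -r` routing table and answer the question the section
above walks through by hand: for a given destination address, which route
(and therefore which gateway and interface) will the machine use?

Added example; the table below is constructed to match the article's
description of Figure 4 (one NIC at 192.168.100.207, default gateway
192.168.100.1) and is not the article's own output.
"""
import ipaddress

SAMPLE_NETSTAT_R = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.100.1  192.168.100.207       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
    192.168.100.0    255.255.255.0  192.168.100.207  192.168.100.207       1
  192.168.100.207  255.255.255.255        127.0.0.1        127.0.0.1       1
  192.168.100.255  255.255.255.255  192.168.100.207  192.168.100.207       1
        224.0.0.0        224.0.0.0  192.168.100.207  192.168.100.207       1
  255.255.255.255  255.255.255.255  192.168.100.207  192.168.100.207       1
Default Gateway:     192.168.100.1
"""


def parse_routes(output):
    """Return a list of route dicts from the Active Routes block.

    A row is five whitespace-separated fields: destination, netmask,
    gateway, interface, metric. Anything else (headers, the Default
    Gateway line) is skipped.
    """
    routes = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            # ipaddress accepts dotted-quad netmasks, so 0.0.0.0/0.0.0.0
            # becomes 0.0.0.0/0 and a 255.255.255.255 mask becomes /32.
            network = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            gateway = ipaddress.ip_address(parts[2])
            interface = ipaddress.ip_address(parts[3])
            metric = int(parts[4])
        except ValueError:
            continue  # not a route row
        routes.append({"network": network, "gateway": gateway,
                       "interface": interface, "metric": metric})
    return routes


def next_hop(routes, destination):
    """Pick the route for `destination` the way the IP stack does: the most
    specific matching prefix wins, and among equal prefixes the lowest
    metric. Returns (network, gateway, interface) as strings, or None when
    nothing matches (which cannot happen while a 0.0.0.0/0 route exists).
    """
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r["network"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))
    return (str(best["network"]), str(best["gateway"]), str(best["interface"]))


if __name__ == "__main__":
    table = parse_routes(SAMPLE_NETSTAT_R)
    for target in ("8.8.8.8", "192.168.100.50", "192.168.100.207"):
        print(target, "->", next_hop(table, target))
```

Running it shows the two cases the text explains: an address outside the subnet goes to the default gateway through the NIC, while the machine's own address 192.168.100.207 matches the /32 host route and goes to loopback, beating the broader /24 and /0 routes because it is the longest prefix.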
In the following article, we will show you how to modify your routing table to deflect would-be attacks from computers that netstat might have helped you to discover.