
How to Detect and Defend Against Server DDoS Attacks: From Detection to Emergency Response


How to Determine if a Server is Under DDoS Attack

A Distributed Denial of Service (DDoS) attack typically manifests as server resources being overwhelmed by a flood of invalid requests, preventing legitimate users from accessing services. Here are several basic methods for detection.

1. Check Port Connection Count

First, examine the number of connections on a specific port, such as port 80 for web services. Note that this counts connections, not unique IP addresses, as a single IP can initiate multiple connections.

Use the following command to count the current connections that involve port 80 (the pattern ':80 ' matches the port field followed by a space, so lines that merely contain the digits "80" somewhere in an address, or port 8080, are not counted):

netstat -nat | grep ':80 ' | wc -l

Command breakdown:

  • netstat -nat: Displays the connection status for all TCP ports, with addresses and ports shown numerically.
  • grep ':80 ': Keeps only lines where port 80 appears as the local or remote port.
  • wc -l: Counts the remaining lines, which equals the connection count (the LISTEN socket on port 80 is included, so the number of client connections is one less).

2. Analyze Connections per IP

To more precisely identify suspicious IPs, use this command. It lists the number of connections established by each IP address, sorted in ascending order.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Command breakdown:

  • netstat -ntu: Shows TCP and UDP connections (-n displays addresses and ports numerically).
  • awk '{print $5}': Extracts the 5th column (remote address and port).
  • cut -d: -f1: Uses colon (:) as a delimiter to take the first part (IP address).
  • sort: Sorts IP addresses for the next step.
  • uniq -c: Counts and outputs the occurrence of each unique IP (connection count).
  • sort -n: Sorts the results numerically (by connection count) in ascending order.

3. Interpreting the Results

Under normal conditions, an IP may have a few to several dozen connections. If certain IPs show abnormally high connection counts (e.g., hundreds or thousands) persistently, they are likely sources of a DDoS attack.

Example Output (Abnormal Case):

      1 180.97.35.21
      1 180.97.35.36
      1 66.249.79.58
      1 Address
      1 servers)
      2 117.136.74.158
      2 171.214.239.34
      2 222.80.245.106
      3 223.114.118.65
     37 106.187.34.20
    133 106.187.36.20
    157 106.187.35.20

In this example, the last three IPs (106.187.34.20, 106.187.36.20, 106.187.35.20) have significantly higher connection counts than the others and are highly probable attack sources. The two entries "Address" and "servers)" are not hosts: they are fragments of netstat's header lines ("Active Internet connections (w/o servers)" and "Proto Recv-Q Send-Q Local Address Foreign Address State"), which the pipeline does not filter out, and can be ignored.

How to Defend Against DDoS Attacks

Different levels of defense can be applied depending on the scale of the attack.

1. Temporary Emergency Response: Block IPs with iptables

For confirmed attack source IPs, you can immediately block them using iptables firewall rules.

iptables -I INPUT -s ATTACKER_IP_ADDRESS -j DROP

For example:

iptables -I INPUT -s 106.187.35.20 -j DROP

Note: This method may inadvertently block other legitimate users sharing the same public IP (e.g., NAT users). It is recommended as a temporary emergency measure.

2. Use Automated Defense Scripts

Tools like DDoS Deflate can be installed. They automatically monitor connection counts and add IPs exceeding a defined threshold to the firewall blacklist, optionally notifying the administrator via email.
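As an added example (not code from the original post, and not the DDoS Deflate script itself), the following POSIX shell snippet performs the threshold triage described in "Interpreting the Results" and the review step that an automated blocking tool performs: it reads the "count ip" lines produced by the uniq -c | sort -n pipeline, flags IPv4 addresses at or above a threshold, and prints the matching iptables rules instead of applying them, so an operator can check for shared NAT addresses before blocking. The names flag_ips, block_rules, live_counts and ALLOWLIST are chosen here, and the sample input is the abnormal-case output from above, embedded as a constant.

```shell
#!/bin/sh
# Added example (not part of the original post): threshold triage of per-IP
# connection counts plus a dry-run generator for the post's iptables rule.
# flag_ips, block_rules, live_counts and ALLOWLIST are names chosen here.

# Constructed sample input: the abnormal-case output shown in the post,
# including the two netstat header fragments the pipeline leaks through.
SAMPLE_COUNTS='      1 180.97.35.21
      1 66.249.79.58
      1 Address
      1 servers)
      2 117.136.74.158
      3 223.114.118.65
     37 106.187.34.20
    133 106.187.36.20
    157 106.187.35.20'

# Space-separated addresses that must never be flagged (your own monitoring
# host, the NAT gateway of a large customer, etc.). Empty by default.
ALLOWLIST="${ALLOWLIST:-}"

# flag_ips THRESHOLD [ALLOWLIST]
#   Reads "count ip" lines on stdin and prints "ip count" for every IPv4
#   address whose connection count is >= THRESHOLD. Header fragments such as
#   "Address" fail the dotted-quad check; allowlisted addresses are skipped.
flag_ips() {
    awk -v t="$1" -v allow="${2:-$ALLOWLIST}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($2 in skip) && $1 + 0 >= t + 0 {
            print $2, $1
        }'
}

# block_rules THRESHOLD [ALLOWLIST]
#   Same input; emits one iptables rule per flagged address, in the form used
#   in the post. Output is text only: pipe it into sh after reviewing it.
block_rules() {
    flag_ips "$1" "${2:-}" | awk '{ printf "iptables -I INPUT -s %s -j DROP\n", $1 }'
}

# live_counts
#   Produces the "count ip" input from the running system with ss (header
#   skipped, trailing :port stripped so IPv6 peers stay whole). Not used by
#   the self-check, which runs on the constructed sample instead.
live_counts() {
    ss -ntu | awk 'NR > 1 { print $6 }' | sed 's/:[^:]*$//' | sort | uniq -c | sort -n
}

# Stand-alone run: show what would be blocked at a threshold of 100.
printf '%s\n' "$SAMPLE_COUNTS" | block_rules 100
# Live use on a server:  live_counts | block_rules 100
```

The threshold is deliberately a parameter: the post's guidance is "hundreds or thousands" of persistent connections per source, and the right value depends on the service, so start high, watch the flagged list over several samples, and only then feed the printed rules to sh.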

3. Leverage Cloud Services or CDN

  • Small-scale attacks: Use a CDN service with security features, such as Cloudflare, Alibaba Cloud CDN, or Tencent Cloud CDN. These can help filter malicious traffic and hide the server's real IP.
  • Medium to large-scale attacks: Consider specialized DDoS protection services, such as Alibaba Cloud Anti-DDoS Pro, Tencent Cloud Dayu Protection, or Huawei Cloud Anti-DDoS. These services offer TB-level traffic scrubbing capacity but are typically paid services.

Important Note: The example commands are based on older environments. In modern Linux distributions, the netstat command is often replaced by ss. The recommended modern equivalent is:

ss -ntu | awk 'NR>1 {print $6}' | sed 's/:[^:]*$//' | sort | uniq -c | sort -n

Here NR>1 skips the header line of ss, and sed removes only the trailing :port, so IPv6 peers (which ss prints in brackets) are kept whole instead of being cut at their first colon. With -n, -t and -u together, the peer address is the 6th column of each data line.

Defending against DDoS is an ongoing process. It is advisable to build a multi-layered security system combining server monitoring, firewall configuration, and professional protection services.
