What is a DDoS Attack?
DDoS (Distributed Denial of Service) is an attack that floods a target with traffic from many compromised machines acting together (a botnet). The goal is to exhaust the target's resources (CPU, memory, connection-table slots) or saturate its network bandwidth so that it can no longer respond to legitimate user requests.
Common Types of DDoS Attacks
DDoS attacks are broadly categorized into two main types based on their method.
Protocol Exploit Attacks
These attacks exploit weaknesses in how protocols such as TCP, DNS and HTTP handle state: the attacker sends a flood of requests that look legitimate but are never completed, so the server spends CPU, memory or connection-table entries on each one. Common examples include:
- SYN Flood: Exploits the TCP three-way handshake by sending SYNs, usually from spoofed source addresses, and never completing the handshake, so the server's backlog fills with half-open (SYN_RECV) connections.
- ACK Flood: Sends a massive volume of TCP ACK packets that belong to no existing connection; the server must look up and discard each one, consuming processing power.
- DNS Flood: Overwhelms a DNS server with a high volume of query requests, typically from spoofed source addresses.
Volumetric (Traffic) Attacks
These attacks aim simply to clog the target's network bandwidth (or the packet-processing capacity of its routers and firewalls) with an enormous volume of junk packets, without relying on any protocol weakness. Common types are:
- UDP Flood: Sends a high number of UDP packets to random ports on the target server.
- ICMP Flood (Ping Flood): Overwhelms the target with ICMP Echo Request (ping) packets.
Impact of DDoS Attacks
A successful DDoS attack causes service disruption or severe degradation. The specific impact depends on the business type:
- For B/S (browser/server) architecture websites (e.g., www.qq.com), users cannot load pages or experience extremely slow access.
- For C/S (client/server) architecture online services (e.g., online games, instant messaging), it causes mass user disconnections and prevents new logins.
Beyond immediate downtime and financial loss, such attacks damage brand reputation and user trust.
How to Detect a DDoS Attack
Be alert for a potential DDoS attack if your server exhibits these symptoms:
- Your website or service becomes completely unresponsive.
- User connections time out or fail repeatedly.
- Inbound network traffic (bandwidth) spikes abnormally, far exceeding normal peaks.
- Server resource usage (CPU, memory, connections) is unusually high without a corresponding increase in legitimate traffic.
Initial Investigation Using Command-Line Tools
On a Linux server, use these commands to analyze connections and traffic. netstat comes from the net-tools package; on newer distributions it may be absent, and ss (from iproute2) covers the same ground with different output columns, so adjust the awk field numbers if you substitute it.
1. Check Total Connections on Port 80
netstat -nat | awk '$4 ~ /:80$/' | wc -l
Anchor the match to the end of the local-address column: a bare grep "80" also counts port 8080, port 180 and any address that happens to contain the digits 80.
2. Sort IPs by Connection Count
netstat -ntu | awk 'NR>2 {print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -n
NR>2 skips the two header lines, and stripping only the trailing :port (rather than cutting at the first colon) keeps IPv6 addresses intact.
3. View TCP Connection State Statistics
netstat -nat | awk 'NR>2 {print $6}' | sort | uniq -c | sort -rn
Or, equivalently, in a single awk invocation that keeps only the tcp rows:
netstat -n | awk '/^tcp/ {++S[$NF]}; END {for(a in S) print a, S[a]}'
4. Top 20 IPs with Most Connections on Port 80
netstat -antp | awk '$1 ~ /^tcp/ && $4 ~ /:80$/ {print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -nr | head -n20
The -p flag (owning process) needs root; drop it if you only want the addresses.
5. Sniff Traffic on Port 80
tcpdump -i eth0 -tnn -c 1000 dst port 80 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20
This captures 1000 packets (tcpdump options go before the filter expression) and counts them by IPv4 source address; it requires root, and the dot-splitting awk does not work for IPv6 traffic.
6. Find Anomalous Connection States
Find the sources with many TIME_WAIT connections:
netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20
A large TIME_WAIT count on its own is normal for a busy web server (the side that closes a connection first holds it in TIME_WAIT for a while); it is only suspicious when it is far above the usual level for the same traffic volume.
Find the sources with many half-open (SYN_RECV) connections:
netstat -an | grep SYN_RECV | awk '{print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -nr | more
Match SYN_RECV rather than SYN, which would also catch SYN_SENT (your own outbound connections). In a real SYN flood the source addresses are usually spoofed, so each IP appears only once or twice; the total number of SYN_RECV entries is the better indicator.
Emergency Response: Temporarily Block IPs with iptables
If you have identified specific attack source IPs, you can use the iptables firewall to block them temporarily (rules added with -I go to the top of the chain, so they take effect before any existing accept rules). Note: against a large-scale DDoS with many changing or spoofed source IPs, manual blocking has limited effect; it is only suitable for small-scale attacks or a few specific sources.
Block a Single IP
iptables -I INPUT -s 211.1.0.0 -j DROP
Block an IP Range (CIDR)
iptables -I INPUT -s 211.1.0.0/16 -j DROP
Save iptables Rules to Persist After Reboot
Rules added at the command line are lost on reboot. To keep them, save the rule set (the path below is the one the RHEL/CentOS iptables service loads at boot):
iptables-save > /etc/sysconfig/iptables
Or use the service command (older RHEL/CentOS releases):
service iptables save
On Debian/Ubuntu the equivalent is the iptables-persistent package, which loads /etc/iptables/rules.v4 (and rules.v6 for ip6tables) at boot. Before persisting emergency rules, consider whether you really want an attacker's address blocked indefinitely; a rule that disappears on reboot is often the intended behaviour.
Unblock an IP or Clear Rules
To unblock a specific IP (the -D rule must match the original rule exactly):
iptables -D INPUT -s IP_ADDRESS -j DROP
To flush all rules in the filter table (use with caution):
iptables -F
-F removes every rule in every chain of the filter table, including any that were protecting the host before the attack, but it does not change the chains' default policies: if the INPUT policy is DROP, flushing will lock you out of the server. Check with iptables -L -n before flushing, or delete just the emergency rules with -D.
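Putting the investigation commands and the blocking step together, here is an added example (not part of the original page) of the same triage as a small shell script. It assumes the column layout of netstat -nat, uses a constructed sample in place of a live capture, anchors the port match to the end of the local-address column so that 8080 is not counted as 80, strips only the trailing :port so IPv6 sources survive, and only prints the iptables/ip6tables rules it would apply rather than executing them. The function names (tcp_rows, top_sources, state_counts, half_open, block_rules), the sample addresses and the threshold are all choices made for this example.

```sh
#!/bin/sh
# Added example: netstat-style connection triage for a suspected DDoS.
# Assumptions: input has the column layout of `netstat -nat` (Proto Recv-Q
# Send-Q Local Foreign State); the sample below is constructed, not a real
# capture; block_rules only PRINTS firewall commands for review.

# Constructed sample in the shape of `netstat -nat` output.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.4:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.4:40002      SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.10:6000         ESTABLISHED
tcp        0      0 10.0.0.5:8080           203.0.113.9:7000        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.4:40003      SYN_RECV
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::5:80          2001:db8::99:4444       ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::99:4445       ESTABLISHED'

# Keep only tcp/tcp6 rows; drops the two header lines that would otherwise
# show up as bogus "IPs" and "states" in the one-liners above.
tcp_rows() { awk '$1 ~ /^tcp/'; }

# "count ip" for every remote address connected to local port $1.
# Matching ":80" at the END of the local address avoids counting 8080 or an
# address that merely contains "80"; stripping the trailing ":port" with a
# regex (instead of cut -d:) keeps IPv6 addresses intact.
top_sources() {
  port="$1"
  tcp_rows | awk -v p=":$port" '
    substr($4, length($4) - length(p) + 1) == p && $5 !~ /\*$/ {
      ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
    }
    END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Connections per TCP state (ESTABLISHED, SYN_RECV, TIME_WAIT, ...).
state_counts() {
  tcp_rows | awk '{ s[$6]++ } END { for (k in s) print s[k], k }' | sort -rn
}

# Half-open connections. This total, not the per-IP list, is the SYN-flood
# signal: flood sources are usually spoofed, so each one appears only once.
half_open() {
  tcp_rows | awk '$6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# Print an iptables/ip6tables DROP rule for every source with more than $2
# connections to port $1. Nothing is executed: review the list first, because
# a NAT gateway or CDN edge looks exactly like an attacker by this metric.
block_rules() {
  port="$1"; threshold="$2"
  top_sources "$port" | awk -v t="$threshold" '
    $1 > t {
      tool = ($2 ~ /:/) ? "ip6tables" : "iptables"
      printf "%s -I INPUT -s %s -j DROP\n", tool, $2
    }'
}

# Demo on the constructed sample. On a live server replace the printf with
# `netstat -nat` (needs net-tools; `ss -tan` has different columns).
echo "== connections per source, port 80 =="; printf '%s\n' "$SAMPLE" | top_sources 80
echo "== connections per state ==";           printf '%s\n' "$SAMPLE" | state_counts
echo "== half-open (SYN_RECV) ==";            printf '%s\n' "$SAMPLE" | half_open
echo "== proposed rules, >2 connections ==";  printf '%s\n' "$SAMPLE" | block_rules 80 2
```

Run it as `sh triage.sh`; to act on the proposed rules, pipe `block_rules 80 N` through `sh` only after reading the list. Note that on the sample the IPv6 client with two connections stays below the threshold of 2, while 8080 and SSH traffic never enter the port-80 count at all.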
Important Note: The command-line checks and iptables blocking described are basic operations. For modern, large-scale, and complex DDoS attacks, businesses should rely on professional DDoS mitigation services (like cloud-based scrubbing centers or high-defense IP services) to build an effective defense.