How to Quickly Identify Whether an Attack is DDoS or DoS?

David Beroff (Well-known member, joined Jun 14, 2016):
Hi everyone,

I've been facing some security challenges with my server recently and suspect it might be under a denial of service attack. However, I'm trying to figure out whether it's a Distributed Denial of Service (DDoS) or a simpler Denial of Service (DoS) attack. Could anyone share tips or tools for quickly identifying the nature of such attacks? How do you differentiate between multiple sources in a DDoS versus a single source in a DoS? Any advice on initial steps to take when you notice unusual traffic would also be greatly appreciated!

Thanks
 

OffshoreRacks (New member, joined May 12, 2024):
When this happens, does your website go offline? What is the CPU usage when this happens? Usually, attacks go after your CPU/memory resources or your bandwidth resource; any serious bandwidth attack will harm other clients where you have that server hosted, and the data center will contact you.

If it's a normal web attack you can see which IP on your server (or, if you have several IPs assigned, which one) with the following command; you will see the top 10 and how many connections each IP has.

Code:
netstat -an | grep -E ':80|:443' | grep '^tcp' | grep -v LISTEN | awk '{print $5}' | grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}' | sed 's/^\(.*:\)\?\(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*$/\2/' | sort | uniq -c | sort -nr | head

It will display like this:

Number of connections and the destination IP, which is one of your IPs assigned to that machine.
 

Mihai B. (Well-known member, joined Apr 19, 2016):
If you suspect your server is under a DoS or DDoS attack, you can limit the number of connections from individual IPs to help mitigate the issue. Here's how you can do it:
  1. Check Traffic Logs: Examine your server logs to identify unusual patterns. If one IP has a high number of connections, it's likely a DoS attack. Multiple IPs with high connections suggest a DDoS attack.

  2. Limit IP Connections Using iptables: You can use iptables to limit the number of connections from a single IP. Here are some examples:
    • Limit the number of new connections per minute from a single IP:
      Code:
      iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT
    • Rate limit incoming connections to 10 per second, with a burst of 20:
      Code:
      # --syn restricts both rules to new connection attempts; without it the DROP rule would also hit packets of already-established sessions
      iptables -A INPUT -p tcp --syn --dport 80 -m limit --limit 10/s --limit-burst 20 -j ACCEPT
      iptables -A INPUT -p tcp --syn --dport 80 -j DROP
  3. Use Monitoring Tools: Tools like Wireshark or NetFlow can help you analyze traffic and differentiate between DoS and DDoS attacks.
This way you can better manage traffic and protect your server from excessive connections that might lead to downtime or degraded performance.

Hope that helps!
 
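To put both replies into one runnable check: the script below is an added example, not code posted by either member. It parses `netstat -an` output the way the pipeline in OffshoreRacks' reply does (column 5 is the foreign, i.e. remote, address; IPv6-mapped IPv4 entries like `::ffff:203.0.113.7:40001` are handled), counts sockets per remote address on ports 80 and 443, and then applies the rule in Mihai B.'s reply: a surge dominated by one address is reported as DoS, a surge spread over many addresses as DDoS. The thresholds (`baseline_total`, `surge_factor`, `top_share`), the `mitigation_commands` helper and the TEST-NET sample snapshots are assumptions made for illustration, not measured values.

```python
"""Snapshot-based DoS vs DDoS triage from `netstat -an` output (added example).

Thresholds are assumptions to tune per server; sample snapshots are constructed
from TEST-NET addresses (RFC 5737) and are not real traffic."""
import re
from collections import Counter

# Remote address column of netstat, e.g. 203.0.113.7:40001 or ::ffff:203.0.113.7:40001
_REMOTE_IPV4 = re.compile(r'(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3}):\d+$')


def foreign_ipv4(line, ports=(80, 443)):
    """Remote IPv4 of a TCP socket whose local port is in `ports`, else None.
    Skips the header, listening sockets, UDP lines and sockets on other ports."""
    cols = line.split()
    if len(cols) < 6 or not cols[0].startswith('tcp') or cols[5] == 'LISTEN':
        return None
    local, remote = cols[3], cols[4]
    try:
        if int(local.rsplit(':', 1)[1]) not in ports:
            return None
    except (IndexError, ValueError):
        return None
    match = _REMOTE_IPV4.search(remote)
    return match.group(1) if match else None


def connections_per_source(lines, ports=(80, 443)):
    """Counter of remote IP -> number of sockets, like `sort | uniq -c`."""
    counts = Counter()
    for line in lines:
        ip = foreign_ipv4(line, ports)
        if ip:
            counts[ip] += 1
    return counts


def classify(counts, baseline_total=100, surge_factor=5, top_share=0.5):
    """'normal' unless the total is `surge_factor` times the usual concurrent
    count; then 'dos' if one source holds >= `top_share` of all sockets,
    otherwise 'ddos'.  All three parameters are assumed tuning knobs."""
    total = sum(counts.values())
    if total < baseline_total * surge_factor:
        return 'normal'
    _, top_count = counts.most_common(1)[0]
    return 'dos' if top_count / total >= top_share else 'ddos'


def mitigation_commands(counts, verdict, connlimit=20):
    """Suggested iptables commands for the verdict (assumed policy; review first)."""
    if verdict == 'dos':
        ip, _ = counts.most_common(1)[0]
        return [f'iptables -I INPUT -s {ip} -j DROP']
    if verdict == 'ddos':
        return ['iptables -I INPUT -p tcp --syn -m multiport --dports 80,443 '
                f'-m connlimit --connlimit-above {connlimit} --connlimit-mask 32 '
                '-j REJECT --reject-with tcp-reset']
    return []


# --- constructed sample snapshots in netstat -an layout ---

def _sock(remote_ip, remote_port, local='10.0.0.5:80', state='ESTABLISHED'):
    return f'tcp        0      0 {local:<22} {remote_ip}:{remote_port:<6} {state}'


HEADER = ['Proto Recv-Q Send-Q Local Address           Foreign Address         State',
          'tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN',
          'tcp6       0      0 ::ffff:10.0.0.5:443     ::ffff:203.0.113.7:40001 ESTABLISHED',
          'udp        0      0 0.0.0.0:123             0.0.0.0:*']


def sample_dos():
    """One host with 600 sockets, 20 others with 2 each (plus the header lines)."""
    lines = [_sock('203.0.113.7', 41000 + i) for i in range(600)]
    lines += [_sock(f'198.51.100.{i}', 50000 + j) for i in range(1, 21) for j in range(2)]
    return HEADER + lines


def sample_ddos():
    """60 hosts with 12 sockets each, none dominant."""
    return HEADER + [_sock(f'198.51.100.{i}', 50000 + j) for i in range(1, 61) for j in range(12)]


def sample_normal():
    """30 hosts with 3 sockets each, well under the surge threshold."""
    return HEADER + [_sock(f'198.51.100.{i}', 50000 + j) for i in range(1, 31) for j in range(3)]


if __name__ == '__main__':
    for name, lines in (('dos', sample_dos()), ('ddos', sample_ddos()), ('normal', sample_normal())):
        counts = connections_per_source(lines)
        verdict = classify(counts)
        print(name, '->', verdict, counts.most_common(3), mitigation_commands(counts, verdict))
```

Two caveats a practitioner should keep in mind when reading the verdict. A SYN flood with spoofed source addresses shows up as SYN_RECV entries from many different addresses, so this view reports it as 'ddos' even when a single machine is sending it; and a bandwidth flood never produces sockets at all, which is why the data-center contact mentioned above, or flow data, is the only way to see it. The parser expects `netstat -an` columns; `ss -tan` prints the state first and needs a different column mapping.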