How to Check DDoS Attack on a Linux Server

A DDoS stands for Distributed Denial of Service attack is a malicious cyberattack used to disrupt normal network traffic to a server, system, or service to the target with a flood of Internet traffic. Meanwhile, early detection and response are important in minimizing the damage caused by a DDoS attack.

In this post, we will guide you through various methods to check DDoS on Linux servers and understand the cause of attacks on your system.

Understand DDoS Attacks

When it comes you understanding detection methods it is important to know the different types of DDoS attacks:

1. Volume Attacks: These attacks make difficult the target with a massive amount of traffic consuming network bandwidth.
2. Protocol Attacks: These exploit vulnerabilities in network protocols to disrupt service.
3. Application-layer Attacks: These target specific applications by flooding them with requests causing slowdowns or crashes.

Examples Of DDoS Attacks

Recognizing the signs of a DDoS attack is important for early response. The common indicators of DDoS systems include the following:

1. You may find an increase in server load by monitoring CPU and memory usage. A sudden network traffic could indicate an attack.
2. Check network interface statistics for unusual traffic volumes.
3. Users experiencing slowdowns or timeouts might be a sign.
4. Complete unavailability of services is a clear indication of an attack.

Checking DDoS Attacks

Linux offers several built-in tools and commands to help you monitor server health and detect potential DDoS attacks:

1. Monitoring Server Load

The following command provides a real-time view of system processes and resource utilization.

top

Another Linux command that displays virtual memory statistics including CPU activity and disk I/O.

vmstat

If you want to check CPU statistics including idle time and user/system time. Type the following to check DDoS attack:

mpstat

2. Checking Network Load

If you want to check the load of your network use the following command to display network interface configuration and statistics.

ifconfig

Another command provides information about network connections, routing tables, interface statistics, connections, and IP packet statistics.

netstat -stat

You can also use this command to check reports on system activity for a specified interval.

sar -n DEV 1 5

3. Analyzing Network Traffic

In Linux systems, there are also other options to capture the network packet for analysis.

tcpdump -i eth0 -s 0 -w capture.pcap

If you are comfortable with a graphical interface you can use Wireshark which is a graphical network protocol analyzer that can be used to inspect captured packets. To install this software refer to our guide on how to install Wireshark on Ubuntu system.

You can also configure iptables firewall rules that can be used to filter traffic and block potential attackers.

4. Identifying Suspicious IP Addresses

The following tools that can be used to DDoS check or identify suspicious IP addresses:

• Fail2ban: To find and block/ban untrusted IP addresses you need to install fail2ban on Ubuntu server which helps to detect intrusion attempts and ban IP addresses based on configurable filters.
• Logwatch: It helps monitor system logs to see if any irregularity occurs.

5. List Connecting IP’s

Analyzing connecting IPs can still provide valuable insights into potential attack vectors but it is important to understand that DDoS attacks often involve a massive number of IPs, making it challenging to manually analyze the list or attackers can use dynamic IP addresses or proxies to mask their origin.

The netstat command is a versatile tool for viewing network connections. To list the IPs connected to your server:

netstat -ntuap | grep :80

Replace the port number with the port your service is listening on for example 80 for HTTP. This command will list TCP connections numerically along with the process using the port.

Your web server’s access logs can provide a detailed record of incoming connections. Common web server logs include:

• Apache: /var/log/apache2/access.log
• Nginx: /var/log/nginx/access.log

You can use tools like grep, awk, or sed to extract IP addresses from these logs. For example:

grep -h "your_ip_address" /var/log/apache2/access.log /var/log/nginx/access.log | cut -d ' ' -f 1

This command searches for your server’s IP address in both Apache and Nginx logs and extracts the connecting IP.

If you have iptables configured to log connections you can analyze the log file:

iptables -L -nv --line-numbers

To view the log:

less /var/log/iptables/iptables.log

Once you have a list of connecting IPs you can use tools like uniq and sort to identify frequent attackers:

cat access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr

This command counts the occurrences of each IP address in the access log and sorts them by count in descending order.

Advanced Techniques

For more in-depth analysis and protection consider these advanced methods:

• Intrusion Detection Systems (IDS): Detect malicious activity patterns within network traffic.
• Intrusion Prevention Systems (IPS): Prevent attacks by blocking suspicious traffic
• DDoS mitigation services: Utilize specialized services to protect against DDoS attacks.
• Load balancing: Distribute traffic across multiple servers to improve flexibility.
• Regular security audits: Identify vulnerabilities that could be exploited in a DDoS attack.

Important Considerations

The following are some important considerations for DDoS detection and mitigation:

• Establish normal system behavior to identify threats during an attack.
• Use tools that provide continuous monitoring and alerting.
• Develop a plan to respond to DDoS attacks effectively.
• Use firewalls and intrusion prevention systems to block malicious traffic.
• Limit the number of requests from a single IP address.
• Use DDoS-protected DNS services. Consider using cloud-based services for advanced protection.

Conclusion

Detecting and mitigating DDoS attacks requires a combination of tools, knowledge, and proactive measures. By closely monitoring your Linux server understanding the signs of an attack and implementing appropriate countermeasures you can significantly reduce the impact of DDoS incidents on your system and services.

FAQ