How to Check if your Linux server is Under DDoS Attack?

There are various means to perform DDoS attacks, from HTTP floods to Slowloris’ lingering connections. While they differ widely in method, almost all of them require connections to your server, and lots of them. The good news is that most attacks can be detected using a few simple commands, which not only indicate that a DDoS is happening but also provide information you can use to help mitigate it.

Distributed Denial of Service attacks, for the most part, have one goal: to make your server inaccessible. The attacks are designed to overload your resources, use up all available connections, bandwidth and throughput, and generally stop your server from working. The easiest way to do this is a connection flood. Provide a server with more connections than it can handle (even hearty servers can’t handle the number of connections a DDoS can bring), and some or all of the above starts to happen. But since these are live connections, you have the ability to see them.

The first step is to look at the load on your server. Something as simple as the uptime or top command will give you a good idea of the server’s load. What is an acceptable load? That depends on your CPU resources (available threads), but the common rule of thumb is 1 point per thread.


You can find the thread count with the command grep processor /proc/cpuinfo | wc -l, which returns the number of logical processors, or threads. During a DDoS, you may see load at double, triple, or more, over the maximum load you should have.

grep processor /proc/cpuinfo | wc -l
uptime

The load average displays load over three intervals: the 1-minute, 5-minute and 15-minute averages. (In this scenario, a load average of >7 could be a concern.)



Just like when driving, your trip from A to B will be slow if there’s too much traffic. Unlike the load check above, sometimes your server will respond fine over a backend connection like IPMI but be slow when you connect over a public interface. You will want to check your network traffic, and can do so with one of several tools: nload, bmon, iftop, vnstat, ifstat and others. Availability depends on your operating system, but all can be installed via your package manager (apt, yum, etc.).

Since most of these attacks need connections to your server, you can check how many IPs are connected to your server and which ones they are. Netstat is a command that can provide all manner of details; we’re only interested in the IPs, the number of connections from each, and maybe the subnets they’re part of. Let's take a look at how to see these.

The first command will show a descending list of which IPs are connected and how many connections each one has. You will see anywhere from 1 to about 50 per IP, and this is quite common for normal traffic. You may see some with 100+ connections, and this is something to scrutinize.

You may see known IPs, one or more of the server’s own IPs, or even your own IP with many connections. These can be ignored for the most part, as they are normally there. It’s when you see single IPs with hundreds or thousands of connections that you should be concerned, as this can very well be a sign of an attack.

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s|sort|uniq -c|sort -nk1 -r


Results may include artifact data; this will appear as non-IP information and can be ignored.


Next, what do you do if you have many IPs with only a single connection each, but they are coming from the same subnet (commonly the same /16 or /24)? It can be hard to look at all of these single connections and know whether there is an attack. You can use the next two commands to list the subnets that contain the connected IPs, and how many of the connected IPs fall into each.

Find IPs from a /16 (xxx.xxx.0.0) subnet:

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s |cut -f1,2 -d'.'|sed 's/$/.0.0/'|sort|uniq -c|sort -nk1 -r

This groups together every IP that starts with the same two octets, i.e. 192.168.xxx.xxx.



Find IPs from a /24 (xxx.xxx.xxx.0) subnet:

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s |cut -f1,2,3 -d'.'|sed 's/$/.0/'|sort|uniq -c|sort -nk1 -r

This groups together every IP that starts with the same three octets, i.e. 192.168.1.xxx.
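The three pipelines above can be folded into one function that aggregates the remote addresses to any prefix length and flags anything above a threshold. This is an added example, not part of the original article; the netstat listing below is constructed sample data, and the function names (remote_ips, count_by_prefix, flag_over) are this example's own.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output: two header lines plus connections.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:443            203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.10:51235      ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.11:40001      ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.7:3301       ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.9:50000         ESTABLISHED
udp        0      0 10.0.0.5:53             198.51.100.8:5353'

# remote_ips: print the remote address of every connection line read on stdin.
# Header lines have no colon in field 5, so `cut -s` drops them, as in the article.
remote_ips() {
  awk '{print $5}' | cut -d: -f1 -s
}

# count_by_prefix N: keep the first N octets of each remote IPv4 address
# (4 = single host, 3 = /24, 2 = /16), zero the rest, and print "count prefix"
# in descending order. Non dotted-quad lines (e.g. tcp6 entries) are skipped.
count_by_prefix() {
  n="$1"
  remote_ips | awk -F. -v n="$n" '
    NF == 4 {
      p = $1
      for (i = 2; i <= 4; i++) p = p "." (i <= n ? $i : "0")
      c[p]++
    }
    END { for (p in c) print c[p], p }' | sort -nk1 -r
}

# flag_over THRESHOLD N: report only prefixes with more than THRESHOLD connections.
flag_over() {
  count_by_prefix "$2" | awk -v t="$1" '$1 > t'
}

# Usage on the constructed sample: per-/24 totals, then hosts with more than one connection.
printf '%s\n' "$SAMPLE" | count_by_prefix 3
printf '%s\n' "$SAMPLE" | flag_over 1 4
```

On a live server, replace `printf '%s\n' "$SAMPLE"` with `netstat -ntu` and raise the threshold to whatever your normal per-IP connection count looks like.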



These are just a few of the tools available to check for possible attacks. While there are more advanced tools, these provide quick, easy-to-obtain results that tell you whether you may be experiencing a DDoS attack. The information they provide is useful even when not under attack, and getting familiar with them and their output can help strengthen your “administrator’s toolbelt”.

You can read more about our DDoS protection services here:

https://www.hivelocity.net/enhancements/ddos-protection/