To check if a Linux server is under a DDoS (Distributed Denial of Service) attack, you need to monitor for unusual spikes in traffic, high system resource usage, and suspicious network behavior. Below are effective and technical steps to identify a potential DDoS attack on a Linux server.
Key Symptoms of a DDoS Attack
| Indicator | What to Look For |
|---|---|
| High CPU/Memory Usage | Unexpected and sustained spikes |
| Network Saturation | RX/TX traffic unusually high |
| Excessive Connections | Thousands of connections from few IPs |
| Unresponsive Services | Web server or SSH slow or non-responsive |
| ICMP or SYN Flood | High rate of ICMP/SYN packets |
Step-by-Step DDoS Detection
1. Check Load Average
```bash
uptime
# or
top -n 1
```
- If your load average is significantly higher than normal and your CPU usage is maxed out by system processes, investigate further.
2. Check Network Traffic with iftop or nload
```bash
sudo iftop -i eth0
# or
sudo nload
```
Look for:
- Inbound traffic that is unusually high
- Traffic dominated by one or a few IPs
- Constant traffic on uncommon ports
3. Check Connections Using netstat or ss
```bash
sudo netstat -anp | grep :80 | wc -l
# or
ss -s
```
Check for:
- Thousands of connections in `SYN_RECV` or `ESTABLISHED` state
- High number of connections from a single IP:
```bash
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
```
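The one-liner above breaks on IPv6 peers (`cut -d: -f1` cuts inside the address), and it does not separate half-open from established sockets. The script below is an added example, not part of the original article: it takes `ss -ntu` output on stdin, counts connections per remote peer (handling both `1.2.3.4:port` and `[v6addr]:port`), flags peers above a threshold, and counts sockets in a given state (`ss` reports `SYN-RECV` and `ESTAB`, where `netstat` reports `SYN_RECV` and `ESTABLISHED`). The sample output it runs on is constructed, not captured from a real host.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): summarise connections per
# remote peer from `ss -ntu` output and flag peers above a threshold.
# SAMPLE_SS_OUTPUT is CONSTRUCTED sample data using documentation IP ranges.

SAMPLE_SS_OUTPUT='Netid State    Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   SYN-RECV 0      0      10.0.0.5:80        198.51.100.7:40001
tcp   SYN-RECV 0      0      10.0.0.5:80        198.51.100.7:40002
tcp   SYN-RECV 0      0      10.0.0.5:80        198.51.100.7:40003
tcp   ESTAB    0      0      10.0.0.5:80        198.51.100.7:40004
tcp   ESTAB    0      0      10.0.0.5:22        192.0.2.10:51234
tcp   ESTAB    0      0      10.0.0.5:80        [2001:db8::1]:44000
tcp   ESTAB    0      0      10.0.0.5:80        203.0.113.9:50001'

# Read `ss -ntu` output on stdin; print "<count> <peer-ip>" lines, highest first.
# With both -t and -u given, ss prints a Netid column, so the peer is column 6.
count_by_ip() {
  awk 'NR > 1 {
         peer = $6
         if (peer ~ /^\[/) {
           sub(/^\[/, "", peer); sub(/\]:[0-9]+$/, "", peer)   # [v6addr]:port
         } else {
           sub(/:[0-9]+$/, "", peer)                            # v4addr:port
         }
         print peer
       }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Read "<count> <peer-ip>" lines on stdin; print peers whose count >= $1.
flag_ips() {
  awk -v t="$1" '$1 >= t { print $2 }'
}

# Read `ss -ntu` output on stdin; count sockets in the given state (e.g. SYN-RECV).
count_state() {
  awk -v s="$1" 'NR > 1 && $2 == s' | wc -l | tr -d ' '
}

# Live use on a real host:  ss -ntu | count_by_ip | flag_ips 200
# Against the constructed sample:
printf '%s\n' "$SAMPLE_SS_OUTPUT" | count_by_ip
printf 'half-open (SYN-RECV): %s\n' "$(printf '%s\n' "$SAMPLE_SS_OUTPUT" | count_state SYN-RECV)"
```

The threshold passed to `flag_ips` has to be tuned to the host: a busy reverse proxy legitimately holds hundreds of connections from a single upstream NAT address, so compare against the counts you see on a normal day rather than a fixed number.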
4. Use tcpdump to Inspect Live Packets
```bash
sudo tcpdump -n -i eth0
```
Use filters to look for SYN floods:
```bash
sudo tcpdump 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0'
```
- If you see hundreds or thousands of SYN packets per second, you're likely under a SYN flood attack.
5. Monitor System Logs
```bash
sudo tail -f /var/log/syslog
sudo tail -f /var/log/messages
```
Look for:
- Repeated firewall drops
- Kernel warnings about connection limits or flood protection
6. Inspect Apache/Nginx Logs for Patterns
```bash
sudo tail -f /var/log/nginx/access.log
```
- Too many requests per second from the same IP
- Repetitive URLs being hit rapidly
Example check:
```bash
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head
```
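The example check above gives totals per IP, which cannot tell a client that made 500 requests over a day from one that made 500 in a second. The script below is an added example, not part of the original article: it reads nginx "combined" format lines on stdin and reports totals per IP, the peak requests per single second each client reached (the one-second buckets come straight from the log timestamp), and the most-hit paths. The log lines it runs on are constructed; the IPs are documentation ranges, not real clients.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): per-IP totals, per-second peak
# rate per client, and top paths from nginx "combined" access log lines on stdin.
# SAMPLE_ACCESS_LOG is CONSTRUCTED sample data.

SAMPLE_ACCESS_LOG='198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 330 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:41 +0000] "POST /api/search HTTP/1.1" 200 90 "-" "Mozilla/5.0"'

# "<total> <ip>" per client over the whole input, highest first.
requests_per_ip() {
  awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# "<peak> <ip> <second>" per client: the largest number of requests that client
# made within any single one-second bucket. Field 4 is "[dd/Mon/yyyy:HH:MM:SS",
# so stripping the leading "[" leaves a per-second key.
peak_rate_per_ip() {
  awk '{ ts = $4; sub(/^\[/, "", ts); n[$1 " " ts]++ }
       END {
         for (k in n) {
           split(k, p, " ")
           if (n[k] > peak[p[1]]) { peak[p[1]] = n[k]; when[p[1]] = p[2] }
         }
         for (ip in peak) print peak[ip], ip, when[ip]
       }' | sort -rn
}

# Read "<number> <ip> ..." lines on stdin; print IPs whose number >= $1.
flag_burst() {
  awk -v t="$1" '$1 >= t { print $2 }'
}

# "<count> <path>" for the most requested URLs, highest first (field 7 is the path).
top_paths() {
  awk '{ print $7 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Live use:  tail -n 100000 /var/log/nginx/access.log | peak_rate_per_ip | flag_burst 50
# Against the constructed sample:
printf '%s\n' "$SAMPLE_ACCESS_LOG" | peak_rate_per_ip
printf '%s\n' "$SAMPLE_ACCESS_LOG" | top_paths | head -n 3
```

Because the per-second key is taken from the log's own timestamp, the peak-rate figure is the same whether you run it over a live `tail` or over a rotated file from last night, which makes it usable for after-the-fact incident review as well as live triage.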
7. Use conntrack for State Table Inspection
```bash
sudo conntrack -C
# Shows total number of tracked connections
```
If it's maxed out, connections may be dropped, indicating a flood.
8. Check iptables or Firewall Counters
```bash
sudo iptables -L -v -n
```
- See if certain rules (e.g., DROP or REJECT) are matching massive traffic
- Helps identify protocol types or sources
Optional: Use Monitoring Tools
Install or use tools like:
- vnStat – network usage statistics
- Netdata – real-time monitoring with web UI
- Zabbix/Prometheus + Grafana – historical trends
⚠️ Common Types of DDoS and Symptoms
| DDoS Type | Symptom |
|---|---|
| SYN Flood | Many half-open TCP connections |
| UDP Flood | High bandwidth, usually to port 53/80 |
| ICMP Flood | Excessive ping requests (ICMP echo) |
| HTTP Flood | Thousands of GET/POST requests per sec |
| DNS Amplification | Spike in inbound DNS replies |
Quick Response Actions
If you confirm a DDoS:
- Block offending IPs (temporarily):
```bash
# -A appends to the end of INPUT; if an earlier rule already accepts this
# traffic, insert at the top with -I INPUT instead so the DROP is reached.
sudo iptables -A INPUT -s <IP> -j DROP
```
- Use rate limiting:
```bash
# Accepts up to 25 matching packets/s (burst 100). Packets over the limit do
# not match and fall through to later rules, so a DROP for the same port must
# follow this rule for the limit to have any effect.
sudo iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/s --limit-burst 100 -j ACCEPT
```
- Adjust `sysctl` settings for TCP SYN flood protection:
```bash
# Takes effect immediately but does not survive a reboot; persist it in
# /etc/sysctl.conf or a file under /etc/sysctl.d/.
sudo sysctl -w net.ipv4.tcp_syncookies=1
```
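Step 7 (conntrack table headroom) and the `tcp_syncookies` setting above are both visible under `/proc/sys`, so they can be checked together before an incident rather than remembered during one. The script below is an added example, not part of the original article: it reads `net.ipv4.tcp_syncookies`, `net.netfilter.nf_conntrack_count` and `net.netfilter.nf_conntrack_max` (real kernel paths) and exits non-zero when SYN cookies are off or the conntrack table is over 90% full. The optional first argument, which overrides the `/proc/sys` root so the check can run against a constructed directory tree, is this example's own convention; the 90% threshold is an assumption to tune.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): audit SYN-cookie and conntrack
# headroom by reading /proc/sys. $1 optionally overrides the /proc/sys root
# (example's own convention, used for offline testing against a fake tree).

audit_flood_defenses() {
  root="${1:-/proc/sys}"
  syncookies=$(cat "$root/net/ipv4/tcp_syncookies" 2>/dev/null || echo unknown)
  count=$(cat "$root/net/netfilter/nf_conntrack_count" 2>/dev/null || echo 0)
  max=$(cat "$root/net/netfilter/nf_conntrack_max" 2>/dev/null || echo 0)
  status=0

  if [ "$syncookies" = "1" ]; then
    echo "OK   tcp_syncookies=1"
  else
    echo "WARN tcp_syncookies=$syncookies (expected 1; enable with sysctl -w net.ipv4.tcp_syncookies=1)"
    status=1
  fi

  # nf_conntrack_count/max only exist while the nf_conntrack module is loaded.
  if [ "$max" -gt 0 ] 2>/dev/null; then
    pct=$(( count * 100 / max ))
    if [ "$pct" -ge 90 ]; then   # ASSUMED threshold; tune to the host's normal load
      echo "WARN conntrack table ${pct}% full ($count/$max); new flows are dropped at 100%"
      status=1
    else
      echo "OK   conntrack table ${pct}% full ($count/$max)"
    fi
  else
    echo "INFO conntrack table not available (module not loaded or unreadable)"
  fi
  return "$status"
}

# Run against the live kernel; the exit status is the verdict, so this can be
# dropped into cron or a monitoring check as-is.
audit_flood_defenses || echo "attention needed (exit status $?)"
```

Reading the files directly rather than calling `sysctl` means the check works on a minimal host without the procps tools, and it never changes anything: raising `nf_conntrack_max` or turning on SYN cookies stays a deliberate, separately logged action.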
Conclusion
DDoS detection is a combination of:
- Traffic analysis
- Resource monitoring
- Connection tracking
- Log review
For Linux systems—especially on Sun Servers, which are often mission-critical—automated monitoring and real-time alerts are essential. DDoS mitigation should be layered: software defenses on the server and upstream protection via firewalls or cloud services.