How to Troubleshoot a DDoS Attack?

By on September 8th, 2016

What is a DDoS attack?

DDoS stands for Distributed Denial of Service. It is a variant of the infamous DoS attack. A DoS attack is a type of attack that the attackers stops the service so that the legitimate users also cannot access the service.The attack will be from a single computer system. This is achieved by sending excessive connection requests to a web server. Every server will have a limit on number of requests that can be handled at a time. When the number of requests exceeds this limit, the server will overloaded and the service will not be available to users. These users can be legitimate users also, so that the service from the web server is denied by the hacker.

In a DDoS attack, the requests from the hacker are sent from a wide range of compromised computers. Computers will often be infected with Trojan viruses. As the attack is launched from dynamic networks or hosts, it is quite diffucult to troubleshoot this.

We can prevent this attack up to certain extend by securing our networks and servers.


How DDoS attack works?

The following diagram displays how a DDoS attack works. Let’s check each element in detail.



The systems involved in a DDoS attack are classified into two categories, ‘Master’ and ‘Slave’. The attacker and the handlers are the masters here. The masters control the slaves, zombies, and trigger the attack upon the victim.



This is the host who initiates the attack. This computer controls the handlers.


The handler is a computer system which then controls multiple zombies. The zombies are used to send requests to the victim.


The zombie is an already compromised system which is sending multiple requests to the Victim server. These are controlled by the handlers.


The server which is the aim of the attack is called the victim. The server gets overloaded with multiple request, so that it’s service becomes unavailable even to the legitimate users. The requests are generated from different IP addresses, so that the troubleshooter cannot block them as easily.

The DDoS attack is done in two phases.

1) Intrusion hase

2) Distributed DoS attack phase


Intrusion Phase

In the first phase, compromising different computer systems is done world-wide. The attacker compromises weak computers from various network.


Distributed DoS attack phase

The second phase is the Distributed DoS attack. In this phase, the attacker installs the tools for the DDoS attack and attacks the victims server or web sites.


Troubleshooting DDoS attack

As mentioned earlier, it is not easy to troubleshoot the DDoS attacks. If you think your server is undergoing a DDoS attack, you need to confirm this. To check whether a server is under a DDoS attack, please follow the instructions below.


Check whether your machine’s load is high

The first thing to do is to check the machine’s load. Please keep in mind that we are troubleshooting a Linux server in this tutorial. In a Linux server, you can find out the server load from back end using many commands. Here, we are going to use the ‘w’ command. You may also use the ‘uptime’ command.

# w

12:00:36 up 1 day, 20:27, 5 users, load average: 0.70, 0.70, 0.57

We can find that 5 users are logged in and the average load on the server is 0.70. Usually if the load is five or greater, we need to investigate for the possibility of the DDoS attack. After checking the server load, we need to determine the number of HTTP process running.


Determine the number of HTTP process running

We can find the number of HTTP process running using the following command.

# ps -aux | grep HTTP | wc -l


 It’s normal in a heavy server around 100 connections at a time. If the number of processes is much more, then we can consider this to be DDoS attack. Now we need to find out the networks where the attack is coming from. Always keep in mind that identifying each system involved in the attack is not relevant in the case of DDoS attacks. Hence the network address is important rather than individual IP addresses.

Now we need to determine the IP addresses of the attacking hosts/networks.

Run the following command in the command line to get the IP addresses.

 # netstat -lpn | grep :80 | awk ‘{print $5}’ | sort

Now check each block of IP addresses from the output. If there are more than 30 connections from a single IP address, try to identify such IP addresses/hosts from the list, printed on the screen. If there are more than five IP addresses/hosts connected from the same network, it’s clear that your server is under a DDoS attack.

Now, you need to block the IP addresses or networks in your firewall. Please use the command if you are using ConfigServer Security&Firewall.

# csf -d IP address

eg: # csf -d

 This command will add the IP address to the file “/etc/csf/csf.deny”.

Use the following command to block an IP range.

# csf -d IP range

To block the range, use the following command.

# csf -d

 To block the range, use the following command.

# csf -d

To block the range, use the following command.

# csf -d


This is how to identify and troubleshoot a DDoS attack in a server running Linux.


If you need any further assistance please contact our support department.



Leave a Reply