How to Troubleshoot a DDoS Attack on a Server
Introduction
Nowadays, DDoS attacks are common on web servers. During a DDoS attack, a website or server may receive a large number of requests, which can cause high load, slow response, or downtime.
To troubleshoot the issue, we need to identify which IP address is receiving more connections and then find the website that is under attack. The following steps will help you investigate the attack from the server side.
Prerequisites
Before starting the troubleshooting, make sure you have:
- Root or sudo access to the server
- Basic Linux command-line knowledge
netstatorsscommand availabletcpdumpinstalled on the server- Web service running on port
80or443 - Permission to monitor network traffic on the server
Steps to Troubleshoot a DDoS Attack
Step 1: Check the IP Address Receiving More Connections
Run the following command to check the number of connections to port 80:
netstat -plan | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nk1
This command will show the server IP addresses along with the number of connections.
The IP address with the highest number of connections will usually appear at the bottom of the output.
Example:
120 127.0.0.1 350 192.168.1.10 980 203.0.113.25
In this example, 203.0.113.25 has the highest number of connections, so we need to investigate this IP further.
Step 2: Monitor the Traffic Using tcpdump
Once you identify the affected IP address, use the following command to monitor the traffic:
tcpdump -A dst 203.0.113.25 -s 500
Here:
dstmeans destination IP203.0.113.25is the affected server IP-Adisplays packet content in readable ASCII format-s 500captures the first 500 bytes of each packet
If you want to check traffic coming from a specific source IP, use src instead of dst:
tcpdump -A src 203.0.113.25 -s 500
Step 3: Identify the Attacked Website
While monitoring the tcpdump output, look for the Host: header.
Example output:
GET / HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 Accept: text/html,application/xhtml+xml,application/xml Connection: keep-alive Referer: http://example.com
In the above output, the attacked website is:
www.example.com
This means the domain www.example.com is receiving a high number of requests.
Step 4: Check Apache or Web Server Logs
After identifying the domain, check the website access logs.
For Apache/cPanel servers, logs are usually located in:
/usr/local/apache/domlogs/
Example:
tail -f /usr/local/apache/domlogs/example.com
You can also check the top requesting IP addresses:
awk '{print $1}' /usr/local/apache/domlogs/example.com | sort | uniq -c | sort -nr | head
This will show the IP addresses making the highest number of requests to the website.
Step 5: Take Required Action
After confirming the attacked domain and source IPs, you can take action based on the situation.
Common actions include:
- Block suspicious IP addresses in firewall
- Enable DDoS protection from the data center or hosting provider
- Use Cloudflare or another CDN/WAF
- Disable or restrict the affected website temporarily
- Add rate limiting in the web server
- Check if the traffic is from bots or a specific country
- Contact the server provider if the attack is large
Example to block an IP using CSF:
csf -d 192.0.2.10 "Blocked due to high connections / DDoS traffic"
Conclusion
Troubleshooting a DDoS attack involves identifying the IP address receiving high connections, checking live traffic using tcpdump, finding the affected website through the Host: header, and reviewing web server logs.
Once the attacked website and source IPs are identified, proper mitigation steps such as firewall blocking, CDN protection, or provider-level DDoS filtering can be applied to reduce the impact.
