Introduction

Nowadays, DDoS attacks are common on web servers. During a DDoS attack, a website or server may receive a large number of requests, which can cause high load, slow response, or downtime.

To troubleshoot the issue, we need to identify which IP address is receiving more connections and then find the website that is under attack. The following steps will help you investigate the attack from the server side.

Prerequisites

Before starting the troubleshooting, make sure you have:

  • Root or sudo access to the server
  • Basic Linux command-line knowledge
  • netstat or ss command available
  • tcpdump installed on the server
  • Web service running on port 80 or 443
  • Permission to monitor network traffic on the server

Steps to Troubleshoot a DDoS Attack

Step 1: Check the IP Address Receiving More Connections

Run the following command to check the number of connections to port 80:

netstat -plan | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nk1

This command will show the server IP addresses along with the number of connections.

The IP address with the highest number of connections will usually appear at the bottom of the output.

Example:

120 127.0.0.1
350 192.168.1.10
980 203.0.113.25

In this example, 203.0.113.25 has the highest number of connections, so we need to investigate this IP further.

Step 2: Monitor the Traffic Using tcpdump

Once you identify the affected IP address, use the following command to monitor the traffic:

tcpdump -A dst 203.0.113.25 -s 500

Here:

  • dst means destination IP
  • 203.0.113.25 is the affected server IP
  • -A displays packet content in readable ASCII format
  • -s 500 captures the first 500 bytes of each packet

If you want to check traffic coming from a specific source IP, use src instead of dst:

tcpdump -A src 203.0.113.25 -s 500

Step 3: Identify the Attacked Website

While monitoring the tcpdump output, look for the Host: header.

Example output:

GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml
Connection: keep-alive
Referer: http://example.com

In the above output, the attacked website is:

www.example.com

This means the domain www.example.com is receiving a high number of requests.

Step 4: Check Apache or Web Server Logs

After identifying the domain, check the website access logs.

For Apache/cPanel servers, logs are usually located in:

/usr/local/apache/domlogs/

Example:

tail -f /usr/local/apache/domlogs/example.com

You can also check the top requesting IP addresses:

awk '{print $1}' /usr/local/apache/domlogs/example.com | sort | uniq -c | sort -nr | head

This will show the IP addresses making the highest number of requests to the website.

Step 5: Take Required Action

After confirming the attacked domain and source IPs, you can take action based on the situation.

Common actions include:

  • Block suspicious IP addresses in firewall
  • Enable DDoS protection from the data center or hosting provider
  • Use Cloudflare or another CDN/WAF
  • Disable or restrict the affected website temporarily
  • Add rate limiting in the web server
  • Check if the traffic is from bots or a specific country
  • Contact the server provider if the attack is large

Example to block an IP using CSF:

csf -d 192.0.2.10 "Blocked due to high connections / DDoS traffic"

Conclusion

Troubleshooting a DDoS attack involves identifying the IP address receiving high connections, checking live traffic using tcpdump, finding the affected website through the Host: header, and reviewing web server logs.

Once the attacked website and source IPs are identified, proper mitigation steps such as firewall blocking, CDN protection, or provider-level DDoS filtering can be applied to reduce the impact.

Leave a Reply