How to check if my system is under DDoS attack?

What Is a DDoS Attack?

A DDoS, or "distributed denial-of-service," attack is a type of cyber attack that aims to overwhelm a targeted system with a flood of traffic. The attacker achieves this by using a network of compromised machines, also known as a botnet, to send traffic to the targeted system. The result is that the targeted system cannot operate normally due to the sheer volume of traffic it receives.

What happens if there is a DDoS attack on your system?

a) Website keeps loading.

b) Website timeout error.

c) Database connection timeout.

d) Email sending/receiving fail.

e) RAM/CPU overloaded.


How to detect DDoS attacks?

It is better to detect the attack as soon as possible, before it does more damage to your system. You can use the netstat command to display your system's current TCP/IP network connections.

Detect DDoS attack on Windows System

1. First, log in to your server via RDP. You can refer to how to log in to your server via RDP.

2. Go to Start, open Run, type cmd, and hit Enter. It will open the command prompt.

3. Type netstat -noa to view all the network connections to your system. You can also use the below commands as per your requirement.

→ netstat -n: This command displays all active TCP connections to your system. It includes IP addresses and port number details. 

→ netstat -o: This command displays all active TCP connections, including the process ID of all the connections to your system. Once you get the PID, you can find the application running the same process ID in the Windows task manager.

→ netstat -a: This command displays all active TCP connections. It also displays all the TCP/UDP ports the system listens on.

When the statistics are displayed, look for an IP address with an unusually large number of TCP connections. A single source opening that many connections could be a DDoS attack from that IP address. You can block the same IP address in Windows Firewall. Please refer to how to block IP addresses in Windows Firewall.


Detect DDoS attack on Linux System 

1. Log in to the Linux server using SSH.

2. Run the below command to find the IP Addresses connected to your Linux system.

# netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c

3. Run the below command to find the source IP address and the number of connections of the same IP Address to your Linux system.

# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

4. Run the below command to check the active TCP connection number on port 80.

# netstat -n | grep :80 |wc -l

5. If there is an IP address with too many connections, it could be an attacker's IP address. You can block it using the below command, replacing ipaddress with the address you found.

# route add ipaddress reject

6. You can also block it using the iptables on a Linux machine.
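The per-source connection count that the Windows and Linux steps above compute by hand, as an added example that is not from the original article: a Python helper that parses `netstat -ntu` style output, counts connections per remote host, and lists sources above an assumed threshold. It splits each address on the last colon so IPv6 peers are not truncated (the `cut -d: -f1` pipeline above keeps only the first field). The sample output, the threshold and the function names are constructed for this example.

```python
from collections import Counter

# Constructed sample of `netstat -ntu` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:40001      ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::42:55000    ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::42:55001    ESTABLISHED
udp        0      0 10.0.0.5:53             198.51.100.9:5353       ESTABLISHED
"""


def split_host_port(addr):
    """Split 'host:port' as netstat prints it. IPv6 hosts contain ':' themselves,
    so split on the last colon only."""
    host, _, port = addr.rpartition(":")
    return host, port


def count_remote_hosts(netstat_output, local_port=None):
    """Return a Counter of connections per remote host, optionally limited to
    connections on one local port (e.g. 80, as in the page's port-80 check)."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip the banner and header rows; keep tcp/tcp6/udp/udp6 socket rows.
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        _, lport = split_host_port(fields[3])
        rhost, _ = split_host_port(fields[4])
        if local_port is not None and lport != str(local_port):
            continue
        counts[rhost] += 1
    return counts


def suspicious_hosts(counts, threshold):
    """Remote hosts with at least `threshold` connections, busiest first.
    The threshold is an assumption: a shared NAT gateway or proxy can
    legitimately exceed a low value, so inspect before blocking."""
    return [(h, n) for h, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for host, n in suspicious_hosts(count_remote_hosts(SAMPLE_NETSTAT), 3):
        print(f"{n:6d} connections from {host}")
```

On a live host, feed the real output in with `netstat -ntu | python3 script.py` style redirection instead of the embedded sample.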

That's all.


