How to Check DDoS Attack on Linux Server | phoenixNAP KB


DDoS (D istributed Denial-o f-S ervice) attacks are among the most common server security threats with a steady year-over-yearincrease in attack frequency and strength. While server owners rarely anticipate DDoS-related threats, attacks can be mitigated by monitoring resources and acting promptly.

This article will show you how to check your Linux server for DDoS attacks and offer quick response tips.

What is a DDoS attack?

A DDoS is an attack in which a malicious actor exhausts all available server resources by overwhelming the network with requests. Unlike the standard DoS attack (Denial orf S ervice), DDoS:

  • employs multiple distributed devices, usually owned by unwitting people whose computer was hacked
  • .

  • It targets multiple devices and network protocols, not just network endpoints


Below are the three main types of DDoS attacks.

  • DDoS application layer (layer 7 attack). It focuses on the software that powers the server, such as Apache and Nginx web servers. This type of DDoS is the most common.
  • DDoS protocol. It targets operating systems and firewalls on essential network devices.
  • Volumetric DDoS. It generates an overwhelming amount of traffic to consume the available bandwidth and server performance.

How to check if there is a DDoS attack on a Linux server?

Malicious actors use standard network paths to perform DDoS attacks. Therefore, detecting attacks by monitoring network traffic for unusual connections is usually simple. The following sections list the easiest ways to check if your server is experiencing a DDoS attack.


the average server load with the

uptime: uptime command

The three values shown in the load average represent the average load over one minute, five minutes, and fifteen minutes, respectively

. A

useful reference number for acceptable server load is the number of threads available on a server. A load equal to or greater than the number of threads may suggest suspiciously high activity.

Enter the following command to check the number of threads available on the server:

grep processor /proc/cpuinfo | wc -l

In this example, the server has 2 threads available. An average load greater than 2 points to an unusually high server load.


network load If your

server is slow but remains accessible over a direct connection (for example, via IPMI), use one of the following tools to inspect your network load



is a bandwidth monitor and speed estimator designed to be easy to use and provide simple data visualization in a text-based environment


To start bmon, Type:

BMON Navigate to the

interface you want to inspect with the up or down arrow keys on the keyboard


BMON presents real-time information in multiple categories. Navigate through the categories by pressing the left or right arrow key.


The nload utility helps monitor network traffic and bandwidth usage in real time. Start nload by typing: nload

Press the left or right arrow key to navigate to the interface you want to monitor. The utility displays the details of incoming and outgoing network traffic for the chosen interface.

vnStat Like

nload, vnStat is a traffic monitoring utility. The benefit of vnStat is that it keeps hourly, daily, and monthly network traffic logs for the given interface.

Access vnStat by typing: vnstat

The utility

lists all available interfaces by default

. iftop The iftop

utility displays a list of network connections and related network information in an easy-to-use format. By default, the list is organized based on bandwidth usage.

Start iftop

with the following command: iftop

ifstat The ifstat

command generates network interface statistics. By default, displays incoming and outgoing network traffic data for each active interface. Access ifstat by typing: ifstat

Check which

IP addresses are connected to the server

Listing the IP addresses of devices currently connected to your server can help you identify potential threats. The netstat command is a utility that provides an overview of network activity, including information about connections.

The following command uses netstat with the -n, –t, and -u options to create output that contains numeric addresses of TCP and UDP connections. The output is then formatted using the awk, cut, and sort commands.

netstat -ntu|awk ‘{print $5}’|cut -d: -f1 -s|sort|uniq -c|sort -nk1 -r

The final output shows the number of active connections for each connected IP address


On busy servers, the list can be very long and difficult to read. You can filter the output to show all connections from the same subnet on one line. The following example combines the IP addresses into the same subnet mask

netstat -ntu|awk ‘{print $5}’|cut -d: -f1 -s |cut -f1,2 -d’.’| sed ‘s/$/.0.0/’|sort|uniq -c|sort -nk1 -r

The output now shows only one line. The number 3 before suggests that three connections come from that IP address.

How to mitigate a DDoS attack on a Linux server?

Once you confirm that a DDoS attack is occurring on the server, a few quick actions can mitigate the damage.

Use the route command to block the attacker’s IP address.

sudo route add [ip-address] reject

Alternatively, use the iptables firewall:

1. Block access to an IP address by typing:

iptables -A INPUT 1 -s [ip address] -j DROP/REJECT

2. Restart the service with:

iptables service restart

3. Save the new rule:

iptables save

4 service. Restart the Web services. For example, if you are running an Apache web server, type:

sudo systemctl restart apache2

The system is now configured to reject traffic from the suspicious IP address



This article introduced you to DDoS attacks and provided methods to identify them. In addition, he showed some quick response tips to help you combat the ongoing DDoS attack.

Properly securing a server minimizes the chances of a harmful DDoS attack. Read 21 Security Tips to Protect Your Server to learn more about server security.

Contact US