What Is a DDoS Attack and How to Defend Against It
A DDoS (Distributed Denial of Service) attack is an advanced form of DoS attack designed to make a website or online service inaccessible to legitimate users.
Unlike a traditional DoS, a DDoS attack is launched from a distributed network of compromised devices (a botnet), often infected with malware or trojans and controlled remotely.
The target server is overwhelmed by a massive volume of simultaneous requests, exceeding its processing capacity and causing service disruption.
Phases of a DDoS Attack
- Intrusion Phase: the attacker compromises multiple vulnerable systems and infects them with remote control tools.
- Distributed Attack Phase: once the botnet is assembled, the attacker directs the traffic flood to the victim’s server, causing overload and failure.
How to Detect a DDoS Attack
1. Monitor server load
On Linux systems, check the server load using:
# w
# uptime
Example output:
12:00:36 up 1 day, 20:27, 5 users, load average: 0.70, 0.70, 0.57
If the average load exceeds 5, further investigation is advised.
2. Check active HTTP processes
# ps aux | grep -i '[h]ttp' | wc -l
(The bracket in the pattern keeps the grep command itself out of the count, and -i matches both httpd and apache2 processes.)
More than 100 HTTP server processes handling connections may indicate an ongoing DDoS attack.
3. Identify suspicious IPs
# netstat -ntu | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
(The -l option would list only listening sockets, so it never shows client connections; -ntu lists established TCP/UDP connections numerically, and uniq -c gives the count per source IP.)
If you see over 30 connections from the same IP or multiple IPs from the same network, it could be a sign of attack.
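The three checks above can be combined into one small script. This is an added example, not part of the original article: it reads netstat-style output, counts established connections to port 80 per remote IP, and flags any source above the 30-connection threshold mentioned above. The SAMPLE_NETSTAT data and the gen_flood helper are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). SAMPLE_NETSTAT is constructed
# data in the format of `netstat -ntu`; on a live host you would pipe the real
# command output into conns_per_ip instead.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51000      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51001      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40000       ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:55000        ESTABLISHED'

# Reads netstat output on stdin and prints "<count> <ip>" per remote IP,
# busiest first. Only ESTABLISHED connections whose local address ends in
# :80 are considered; the remote port is stripped before counting.
conns_per_ip() {
    awk '$4 ~ /:80$/ && $6 == "ESTABLISHED" { sub(/:[0-9]+$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Reads "<count> <ip>" lines and prints only the IPs whose count is strictly
# above the threshold (default 30, the figure used in the article).
flag_ips() {
    threshold="${1:-30}"
    awk -v t="$threshold" '$1 > t { print $2 }'
}

# Generates N constructed ESTABLISHED lines from one IP, to exercise the
# threshold without needing a real flood.
gen_flood() {
    ip="$1"; n="$2"; i=0
    while [ "$i" -lt "$n" ]; do
        printf 'tcp        0      0 10.0.0.5:80             %s:%d      ESTABLISHED\n' \
            "$ip" $((40000 + i))
        i=$((i + 1))
    done
}

# Live usage would be:  netstat -ntu | conns_per_ip | flag_ips
```

Flagged IPs are candidates for investigation, not automatic blocks: a NAT gateway or proxy legitimately opens many connections from one address.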
How to Mitigate a DDoS Attack
Block Suspicious IPs with CSF
If you are using ConfigServer Security & Firewall (CSF), block suspicious IPs using:
# csf -d 127.0.0.0
# csf -d 111.0.0.0/8
# csf -d 111.111.0.0/16
# csf -d 111.111.111.0/24
Use Advanced Protection Like Cloudflare
Cloudflare is a highly effective global security platform that helps mitigate even large-scale and complex DDoS attacks.
💡 Technical Tip
Every DDoS case is unique. If you suspect an attack, contact our technical support immediately for analysis and a custom mitigation strategy.