•  Home
  •  Dashboard
  •  Company
    • About Us
    • Blog
    • Careers
    • Contact Us
    • Data Centers
    • Looking Glass
    • Network
    • Reseller
  •  Hosting Services
    • Infrastructure
      • iColocation
    • Compute
      • cMetal
      • cVirtual
    • Storage
      • sObject
      • sBlock
    • Networking
      • nCDN
      • nIP Transit
      • nWavelength
    • Protection
      • pBackup
      • pDDoS
  •  Solutions
    • Ecommerce
    • Finance
    • Gaming
    • Hosting
    • Management
    • Security
    • System Integrator
  •  Support
    • Community
    • Knowledge Base
    • Open A Ticket
  •  USA & Canada: 800-933-1517
  •  International: 626-549-2801
  •  Email: sales@psychz.net
  • Services
    • new-colocation-header-img
      Infrastructure
      • iColocation
    • new-compute-header-img
      Compute
      • cMetal
      • cVirtual
    • new-storage-header-img
      Storage
      • sObject
      • sBlock
    • new-networking-header-img
      Networking
      • nCDN
      • nIP Transit
      • nWavelength
    • new-protection-header-img
      Protection
      • pBackup
      • pDDoS
  • Solutions
    • Ecommerce
    • Security
    • Gaming
    • Hosting
    • Management
    • Finance
    • System Integrator
  • Dashboard

What are some signs of DDoS attack?

  • Home
  • Client
  • Qa Forum
  • What are some signs of DDoS attack?

Posted By: Abian | 1 Replies | Last Reply On: Apr 07, 2017 09:48:58

What are some signs of ddos attack?  Typically the service becomes unavilable when under heavy attack but that can happen also due to load on the server. 

Psychz - Sharad

Votes: 0Posted On: Apr 07, 2017 09:48:58
 

How to detect the DDoS attack?

With time, hackers have evolved with techniques to bring down your server by flooding it with traffic that is not real. Regardless of what hardware upgrades you have done to increase the performance of your server, the hacker can still simulate more users than your server can handle.

 

How Is a DDoS Organized?

To execute an attack, hackers use botnets which are zombie machines(hacked PCs or servers). Hackers use phishing emails and other methods to install malware(rootkits and trojans) on remote machines. After installing malware on these machines, the attacker gets to control them from any remote location. When ready to attack, the attacker remotely triggers these zombie machines to flood the target IP address.

 

Detecting an active attack on your server

In most of the attacks, the server crashes. That should be your first clue. However, in some of the cases the server returns "service unavailable" error.
Another hint is that the server might not completely crash, but services become too slow. Genuine users can feel the lag while trying to access the website or service.

In the following article we will see how to check if there is an attack on your server using "netstat" command

Netstat is a utility included in any Windows operating or Linux system.

Netstat command displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active TCP connections.

 

For Linux environment, you can find more information about the command, parameters and it's usage using "man netstat" command.

netstat –an

 

Sample output

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State     

tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN    

tcp        0      0 0.0.0.0:6767            0.0.0.0:*               LISTEN    

tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN    

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN    

tcp        0    216 45.34.41.202:22         49.248.152.106:41286    ESTABLISHED

tcp        0      0 45.34.41.202:22         49.248.152.106:41284    ESTABLISHED

tcp        0      0 45.34.41.202:22         45.34.97.74:54842       ESTABLISHED

tcp        0      0 45.34.41.202:22         45.34.97.74:55328       ESTABLISHED

tcp6       0      0 ::1:25                  :::*                    LISTEN    

tcp6       0      0 :::111                  :::*                    LISTEN    

tcp6       0      0 :::22                   :::*                    LISTEN    

udp        0      0 0.0.0.0:67              0.0.0.0:*                         

udp        0      0 0.0.0.0:111             0.0.0.0:*                         

udp        0      0 0.0.0.0:679             0.0.0.0:*                         

udp        0      0 0.0.0.0:28569           0.0.0.0:*                         

udp        0      0 0.0.0.0:46055           0.0.0.0:*                         

udp        0      0 0.0.0.0:5353            0.0.0.0:*                         


Above output will show you the way your server would look in a normal scenario. You can see different IP addresses connected to specific ports.

When under attack

  tcp        0    216 45.34.41.202:22         49.248.152.106:41286    TIME_WAIT

  tcp        0    216 45.34.41.202:22         49.248.152.106:41287    TIME_WAIT

  tcp        0    216 45.34.41.202:22         49.248.152.106:41288    TIME_WAIT

  tcp        0    216 45.34.41.202:22         49.248.152.106:41289    TIME_WAIT

  tcp        0    216 45.34.41.202:22         49.248.152.106:41290    TIME_WAIT

  tcp        0    216 45.34.41.202:22         49.248.152.106:41291    TIME_WAIT

  tcp        0    216 45.34.41.202:22         49.248.152.106:41292    TIME_WAIT

  tcp        0    216 45.34.41.202:22         49.248.152.106:41293    TIME_WAIT

  tcp        0    216 45.34.41.202:22         49.248.152.106:41294    TIME_WAIT

  tcp        0    216 45.34.41.202:22         49.248.152.106:41295    TIME_WAIT

  tcp        0    216 45.34.41.202:22         49.248.152.106:41296    TIME_WAIT

  tcp        0    216 45.34.41.202:22         49.248.152.106:41297    TIME_WAIT


The above output is simulated, however, you can notice that the same IP is connecting to immediate ports and the connection is timing out. It clearly indicates that the attack was initiated from that one IP and is trying to flood the server by generating meaningless requests. 

Here we have shown only a few connections for your understanding but in real DDoS attack the connections can be thousands.

Was this reply helpful?

Related topics

  • What is DDoS and How to Protect Against a DDoS Attack
  • Common Types of Network Attacks
  • How To Protect Server From A DDoS Attack?
  • How to temporarily/permanently enable DDoS IP diversion for a Single IP Address?
  • DDoS Mitigation
  • 100 Gbps DDoS Protection
  • fully ddos 100gbps protected dedicated servers
  • Layer 7 DDoS
  • How to check if a server is under DDoS attack?
  • Best Open Source Cloning Software
  • Complete Guide To Psychz's CDN
  • Top Screen Recording Softwares
  • CDN Hosting and why Every website should utilize a CDN
  • What is Intel Xeon Processor & Why Is It Used For Servers?
  • AMD'S EPYC vs INTEL XEON
Copyright © 2025 Psychz Networks,
A Profuse Solutions Inc Company
Hosting Services
Infrastructure
  • iColocation
Compute
  • cMetal
  • cVirtual
Storage
  • sObject
  • sBlock
Networking
  • nCDN
  • nIP Transit
  • nWavelength
Protection
  • pBackup
  • pDDoS
Company
  • About Us
  • Blog
  • Careers
  • Contact Us
  • Data Centers
  • Looking Glass
  • Network
  • Reseller
Policies
  • Acceptable Usage Policy
  • Privacy Policy
  • Service Level Agreement
  • Terms and Conditions
Support
  • Community
  • Knowledge Base
  • Open A Ticket
Get In Touch
  • Psychz Networks,
    A Profuse Solutions Company
    611 Wilshire Blvd #300
    Los Angeles,California 90017
    USA
  • US/Canada: 800-933-1517
  • International: 626-549-2801