The First 60 Seconds Matter

When a DDoS attack hits your infrastructure, the difference between a minor incident and a major outage often comes down to how quickly you detect it. Most organizations discover they are under attack when users start complaining about slow page loads or connection timeouts. By that point, the attack may have been running for minutes, saturating links and exhausting server resources. Early detection gives you the time to respond before service degradation becomes service failure.

The challenge is that DDoS attacks do not always announce themselves with obvious symptoms. A volumetric attack that floods your link is easy to spot. But a low-and-slow application layer attack that opens thousands of connections and sends data at a trickle can be indistinguishable from a traffic spike caused by a product launch or viral social media post. Effective detection requires monitoring at multiple layers and understanding what "normal" looks like for your specific infrastructure.

Early Warning Signs of a DDoS Attack

Network-Level Indicators

These are the most reliable early indicators that something abnormal is happening at the network layer:

  • Sudden PPS (packets per second) spike: A rapid increase in inbound packet rate, especially if it does not correspond to a known traffic event. PPS is often a better indicator than bandwidth because many attack types use small packets to overwhelm CPU and network stack processing.
  • Bandwidth saturation: Your inbound link utilization jumps to 90-100% with no corresponding increase in legitimate application traffic. Check both BPS (bits per second) and PPS together; a high BPS-to-PPS ratio suggests large-packet volumetric attacks, while a high PPS-to-BPS ratio suggests small-packet floods.
  • Protocol distribution shift: A sudden change in the proportion of UDP vs TCP traffic. Most web servers see predominantly TCP traffic. A jump in UDP percentage often indicates amplification or UDP flood attacks.
  • Source IP anomalies: A flood of traffic from a large number of unique source IPs (botnet) or from a small number of IPs on specific source ports (amplification/reflection).

Application-Level Indicators

  • Connection queue growth: The number of half-open TCP connections (SYN_RECV state) increases rapidly. Check with ss -s (the synrecv count on the TCP line) or netstat -an | grep SYN_RECV | wc -l.
  • Response time degradation: Application response times increase across all endpoints, not just specific slow pages. This distinguishes a DDoS from an application bug.
  • Error rate spike: HTTP 502/503/504 errors increase as backend servers become overwhelmed or as load balancers fail to connect to backends.
  • CPU/memory exhaustion: Server resources are consumed by processing attack traffic rather than legitimate requests. Connection tracking tables fill up, causing new connections to be dropped.

What Normal Looks Like

You cannot detect anomalies without knowing your baseline. Before an attack happens, you need to understand your normal traffic patterns. This means tracking PPS, BPS, protocol distribution, connection rates, and source IP diversity over time. Flowtriq's dynamic baseline system does this automatically, learning your traffic patterns and adjusting thresholds continuously.

# Quick baseline check on Linux (assumes the inbound interface is eth0)
# Inbound PPS, sampled every second for a minute. /proc/net/dev holds
# cumulative counters (column 3 = received packets), so the rate is the
# difference between two consecutive readings.
prev=$(awk '$1 == "eth0:" {print $3}' /proc/net/dev)
for i in $(seq 1 60); do
  sleep 1
  cur=$(awk '$1 == "eth0:" {print $3}' /proc/net/dev)
  echo "$((cur - prev)) pps"
  prev=$cur
done

# Current connection states (watch the synrecv count on the TCP line)
ss -s

# Protocol distribution: cumulative TCP and UDP counters; compare the
# Tcp InSegs and Udp InDatagrams columns between two readings
grep -E "^(Tcp|Udp)" /proc/net/snmp
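The shell loop above prints raw per-second packet counts; turning those readings into a learned baseline is what makes the network-level indicators listed earlier (PPS spike, BPS-to-PPS ratio, i.e. average packet size) actionable. The following Python example is added here and is not Flowtriq's code or part of the original post. It parses /proc/net/dev text, derives PPS, BPS and average packet size from consecutive snapshots, and keeps an exponentially weighted mean/variance as a dynamic baseline that flags a sample when it exceeds the learned mean by several standard deviations (with a floor of twice the mean so a flat history does not flag every wobble). The snapshots, the interface name eth0, and the tuning constants (alpha, k, warmup) are constructed assumptions for the demo.

```python
import math


def parse_proc_net_dev(text, iface="eth0"):
    """Return cumulative (rx_bytes, rx_packets) for one interface.
    /proc/net/dev data lines look like '  eth0: <rx_bytes> <rx_packets> ...'."""
    for line in text.splitlines():
        if ":" not in line:
            continue                      # the two header lines carry no colon
        name, rest = line.split(":", 1)
        if name.strip() == iface:
            fields = rest.split()
            return int(fields[0]), int(fields[1])
    raise ValueError(f"interface {iface} not found")


class Baseline:
    """Dynamic baseline: exponentially weighted mean and variance of a
    per-second rate. A sample is anomalous once warmup is over and it exceeds
    max(mean + k * stddev, min_ratio * mean). Anomalous samples are not
    learned, so an ongoing attack cannot raise its own threshold."""

    def __init__(self, alpha=0.1, k=4.0, min_ratio=2.0, warmup=10):
        self.alpha, self.k, self.min_ratio, self.warmup = alpha, k, min_ratio, warmup
        self.mean = 0.0
        self.var = 0.0
        self.n = 0

    def threshold(self):
        return max(self.mean + self.k * math.sqrt(self.var), self.mean * self.min_ratio)

    def observe(self, value):
        anomalous = self.n >= self.warmup and value > self.threshold()
        if not anomalous:
            if self.n == 0:
                self.mean = float(value)
            else:
                diff = value - self.mean
                self.mean += self.alpha * diff
                self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
            self.n += 1
        return anomalous


def rates_from_snapshots(snapshots, iface="eth0", interval=1.0):
    """Convert consecutive /proc/net/dev snapshots (one per interval) into
    per-second PPS/BPS rows and flag each row against the dynamic baseline."""
    baseline = Baseline()
    rows, prev = [], None
    for t, text in enumerate(snapshots):
        cur = parse_proc_net_dev(text, iface)
        if prev is not None:
            d_bytes, d_pkts = cur[0] - prev[0], cur[1] - prev[1]
            pps = d_pkts / interval
            rows.append({
                "t": t,
                "pps": pps,
                "bps": d_bytes * 8 / interval,
                "avg_pkt_bytes": d_bytes / d_pkts if d_pkts else 0.0,  # BPS-to-PPS ratio
                "anomalous": baseline.observe(pps),
                "threshold": baseline.threshold(),
            })
        prev = cur
    return rows


def detect(rows):
    """Return the first anomalous row, or None if the baseline was never exceeded."""
    return next((r for r in rows if r["anomalous"]), None)


def make_snapshot(rx_bytes, rx_packets):
    """Constructed /proc/net/dev text using the real column layout (sample data)."""
    return (
        "Inter-|   Receive                                                |  Transmit\n"
        " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n"
        f"    lo: {0:7d} {0:7d} 0 0 0 0 0 0 {0:7d} {0:7d} 0 0 0 0 0 0\n"
        f"  eth0: {rx_bytes:7d} {rx_packets:7d} 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n"
    )


def demo_snapshots():
    """Constructed sequence: 30 s of ordinary web traffic (1,800-2,200 pps,
    800-byte packets) followed by 5 s of a small-packet flood (200,000 pps,
    60-byte packets), i.e. a high PPS-to-BPS ratio."""
    snaps, rx_bytes, rx_packets = [], 0, 0
    for i in range(36):
        snaps.append(make_snapshot(rx_bytes, rx_packets))
        if i < 30:
            pkts = 2000 + 100 * ((i * 7) % 5 - 2)   # deterministic jitter
            rx_packets += pkts
            rx_bytes += pkts * 800
        else:
            rx_packets += 200_000
            rx_bytes += 200_000 * 60
    return snaps


if __name__ == "__main__":
    rows = rates_from_snapshots(demo_snapshots())
    for r in rows[27:]:
        flag = "ANOMALY" if r["anomalous"] else ""
        print(f"t={r['t']:2d} pps={r['pps']:8.0f} avg_pkt={r['avg_pkt_bytes']:4.0f}B "
              f"threshold={r['threshold']:7.0f} {flag}")
```

In a live deployment the snapshots come from reading /proc/net/dev once a second, and the average packet size of the flagged rows tells you whether you are looking at a small-packet flood (60 bytes here) or a large-packet volumetric attack.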

Tools for DDoS Detection

Command-Line Monitoring

For immediate visibility during an attack, these Linux tools are essential:

  • iftop - Real-time bandwidth usage by connection. Shows which IPs are consuming the most bandwidth.
  • nload - Simple real-time bandwidth graph for each interface. Good for seeing if your link is saturated.
  • tcpdump - Packet capture for deep analysis. Use filters to isolate suspicious traffic patterns.
  • ss -s - Socket statistics summary showing connection states. Watch for SYN_RECV growth.
  • vnstat - Traffic accounting that tracks bandwidth usage over time. Useful for comparing current traffic to historical norms.

Dedicated DDoS Detection

Command-line tools are useful during an active incident but they do not provide the continuous monitoring and automated alerting needed for reliable detection. Purpose-built DDoS detection tools like Flowtriq monitor your network 24/7 and alert you the moment anomalies appear. Key capabilities to look for:

  • Per-second sampling: Tools that poll every 60 seconds will miss short-duration attacks and will always detect slower than tools that sample every second. Flowtriq checks /proc/net/dev counters every second.
  • Dynamic baselines: Static thresholds require constant tuning and either miss attacks or generate false positives. Dynamic baselines learn your traffic patterns automatically.
  • Attack classification: Knowing you are under attack is step one. Knowing it is a DNS amplification attack versus a SYN flood changes your response strategy entirely.
  • PCAP capture: Automated packet capture during attacks gives you forensic evidence without requiring you to be running a manual capture at the time.
  • Multi-channel alerting: Alerts need to reach the right people immediately. Support for Slack, Discord, PagerDuty, SMS, and webhooks ensures no one misses a critical alert.

Detection speed comparison: Manual monitoring with CLI tools typically detects attacks in 5-15 minutes (when someone happens to be watching). SNMP-based monitoring with 60-second polling detects in 1-2 minutes. Flowtriq's per-second monitoring detects in under 2 seconds and delivers classified alerts automatically.

Step-by-Step Response When You Detect an Attack

Step 1: Confirm It Is an Attack

Before escalating, verify that the traffic spike is malicious and not a legitimate surge. Check whether the traffic increase correlates with a known event (product launch, marketing campaign, being featured on a news site). Look at the traffic composition: legitimate surges are predominantly TCP on port 80/443, while attacks often show unusual protocol distributions or port patterns.

Step 2: Classify the Attack Type

Determine whether you are facing a volumetric attack (bandwidth saturation), a protocol attack (state exhaustion), or an application-layer attack (resource exhaustion). This classification determines your mitigation strategy. Flowtriq's automatic classification handles this within seconds of detection.

Step 3: Apply Immediate Mitigation

Based on the attack type, apply host-level firewall rules to reduce the impact while you work on upstream mitigation. For SYN floods, enable SYN cookies and rate-limit new connections. For amplification attacks, drop traffic from the abused source port. For application-layer attacks, rate-limit by IP or deploy challenge mechanisms.

Step 4: Engage Upstream Mitigation

Contact your ISP or DDoS mitigation provider with the attack details. Share PCAP evidence to expedite the response. If you use a scrubbing service, activate traffic diversion. If you need a BGP blackhole, request it with the specific IP prefix being attacked.

Step 5: Document and Monitor

Record the timeline, attack characteristics, mitigation actions taken, and their effectiveness. Monitor for attack pattern changes; sophisticated attackers will adapt their approach when initial vectors are mitigated. Keep mitigation in place for at least 24 hours after the attack appears to stop.
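Steps 1 to 3 are a decision procedure that can be written down so the on-call engineer applies the same checks every time, and Step 5 asks for a timeline record. The Python example below is an added illustration, not Flowtriq's code or part of the original post. It takes one reading of the indicators discussed above (PPS against baseline, link utilization, UDP share, half-open connections, 5xx rate, whether a known event is scheduled), decides whether the surge is an attack or a legitimate event, classifies it as volumetric, protocol or application-layer, maps that to the host-level mitigation named in Step 3, and appends each decision to a timestamped record. The threshold constants (3x baseline PPS, 90% utilization, 50% UDP, 10x half-open growth, 20% 5xx) and the three sample readings are constructed assumptions, not values from the post.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class TrafficSnapshot:
    """One reading of the indicators from the detection sections (constructed)."""
    pps: float
    baseline_pps: float
    link_utilization: float     # inbound link, 0.0 to 1.0
    udp_fraction: float         # share of inbound packets that are UDP
    syn_recv: int               # half-open connections (ss -s synrecv)
    baseline_syn_recv: int
    http_5xx_rate: float        # share of responses that are 502/503/504
    known_event: bool           # launch or campaign scheduled right now


def confirm_attack(s):
    """Step 1: return (is_attack, reasons). A surge that matches a known event
    and keeps a normal TCP-dominated mix with healthy backends is legitimate."""
    reasons = []
    if s.link_utilization >= 0.9:
        reasons.append("inbound link saturated")
    if s.udp_fraction > 0.5:
        reasons.append("protocol mix shifted to UDP")
    if s.syn_recv > 10 * max(s.baseline_syn_recv, 1):
        reasons.append("half-open connection queue growing")
    if s.http_5xx_rate > 0.2:
        reasons.append("5xx error rate spike")
    surge = s.pps > 3 * s.baseline_pps
    if surge and not s.known_event:
        reasons.append("PPS surge with no known traffic event")
    if not reasons:
        note = "surge matches a known event" if surge else "no indicator outside baseline"
        return False, [note]
    return True, reasons


def classify(s):
    """Step 2: volumetric (link), protocol (state) or application (resources)."""
    if s.link_utilization >= 0.9 or s.udp_fraction > 0.5:
        return "volumetric"
    if s.syn_recv > 10 * max(s.baseline_syn_recv, 1):
        return "protocol"
    if s.http_5xx_rate > 0.2:
        return "application"
    return "unclassified"


# Step 3 host-level actions, as named in the post; upstream engagement is Step 4.
MITIGATION = {
    "volumetric": "drop traffic from the abused source port at the host firewall",
    "protocol": "enable SYN cookies and rate-limit new connections",
    "application": "rate-limit by source IP or deploy challenge mechanisms",
    "unclassified": "start a PCAP capture and keep sampling until indicators separate",
}


def triage(s, now=None):
    """Run Steps 1-3 on one reading and return the Step 5 record."""
    now = now or datetime.now(timezone.utc)
    stamp = now.isoformat(timespec="seconds")
    record = {"started": stamp, "type": None, "action": None, "timeline": []}
    is_attack, reasons = confirm_attack(s)
    verdict = "attack confirmed" if is_attack else "legitimate surge"
    record["timeline"].append(f"{stamp} confirm: {verdict} ({'; '.join(reasons)})")
    if not is_attack:
        return record
    kind = classify(s)
    record["type"] = kind
    record["action"] = MITIGATION[kind]
    record["timeline"].append(f"{stamp} classify: {kind}")
    record["timeline"].append(f"{stamp} mitigate: {MITIGATION[kind]}")
    return record


# Constructed sample readings
SYN_FLOOD = TrafficSnapshot(pps=150_000, baseline_pps=2_000, link_utilization=0.3,
                            udp_fraction=0.05, syn_recv=40_000, baseline_syn_recv=50,
                            http_5xx_rate=0.1, known_event=False)
AMPLIFICATION = TrafficSnapshot(pps=900_000, baseline_pps=2_000, link_utilization=0.98,
                                udp_fraction=0.9, syn_recv=60, baseline_syn_recv=50,
                                http_5xx_rate=0.4, known_event=False)
PRODUCT_LAUNCH = TrafficSnapshot(pps=8_000, baseline_pps=2_000, link_utilization=0.4,
                                 udp_fraction=0.05, syn_recv=200, baseline_syn_recv=50,
                                 http_5xx_rate=0.02, known_event=True)

if __name__ == "__main__":
    for name, snap in [("SYN flood", SYN_FLOOD), ("amplification", AMPLIFICATION),
                       ("product launch", PRODUCT_LAUNCH)]:
        rec = triage(snap)
        print(name, "->", rec["type"], "|", rec["action"])
        for line in rec["timeline"]:
            print("   ", line)
```

The record returned by triage is what you hand to the ISP or scrubbing provider in Step 4 and keep for the post-incident review; re-running triage on fresh readings during the incident shows whether the attacker has changed vector after the first mitigation.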

Setting Up Proactive Detection with Flowtriq

Flowtriq is designed to detect DDoS attacks within seconds and deliver classified alerts to your preferred channels. Setup takes under 5 minutes: install the lightweight agent on your server, configure your notification channels, and the system starts learning your traffic baselines immediately.

Plans start at $9.99/mo per node with a free 7-day trial. Every plan includes per-second detection, automatic attack classification, PCAP forensics, and unlimited notification channels.
