Free Security Tool

Is My Server Under Attack Right Now?

Enter your server's IP address or hostname to run a quick analysis. We'll check DNS resolution, assess reachability, and show you what to look for if you suspect a DDoS attack.

Server IP or Hostname

Warning Signs

Signs Your Server Is Under Attack

CPU usage spikes to 100%

Sudden, sustained CPU saturation that doesn't correlate with legitimate traffic growth. Run top or htop and look for abnormal process loads or high system/interrupt CPU usage.

Network bandwidth saturated

Your uplink is maxed out. Check with iftop, nload, or vnstat. If incoming traffic far exceeds normal levels, volumetric attack is likely.

Connection table exhaustion

Run ss -s or netstat -an | wc -l. If you see tens of thousands of connections (mostly SYN_RECV, TIME_WAIT, or ESTABLISHED from random IPs), it's a connection flood.

Response times spike dramatically

Pages that load in 200ms now take 10+ seconds. API responses timeout. Your monitoring shows latency graphs going vertical. This affects real users first.

Packet loss on traceroutes

Run mtr to your server from an external location. If you see 50-100% packet loss at the last few hops, congestion from a volumetric attack is likely.

Traffic from unusual geographies

If your service is US-focused but you're seeing massive traffic from countries you don't operate in, a botnet may be targeting you. Check access logs for source IP geolocation patterns.

Log file anomalies

Apache/Nginx logs flooded with identical requests to the same endpoint. Syslog showing kernel: nf_conntrack: table full. Repeated connection resets. These are protocol-level attack indicators.

Understanding Attacks

Common DDoS Attack Types

Know what you're defending against

Volumetric Attacks

UDP floods, DNS amplification, NTP amplification. These overwhelm your bandwidth by sending massive amounts of traffic, often using amplification vectors to multiply the attacker's output by 10-51,000x.

Protocol Attacks

SYN floods, ACK floods, fragmented packet attacks. These exploit weaknesses in the TCP/IP stack to exhaust connection tables, firewall state, and load balancer capacity.

Application-Layer Attacks

HTTP floods, Slowloris, RUDY. These target web servers with seemingly legitimate requests, making them hard to distinguish from real traffic without deep packet inspection.

Amplification Attacks

DNS, NTP, Memcached, CLDAP, SSDP. Attackers send small requests to open servers with a spoofed source IP (yours), causing massive responses to flood your network.

Multi-Vector Attacks

Modern attacks combine volumetric, protocol, and application-layer techniques simultaneously. 65% of attacks now use 3+ vectors, requiring comprehensive detection that monitors all layers.

Carpet Bombing

Instead of targeting one IP, attackers spread traffic across your entire subnet. Each IP receives traffic below alert thresholds, but aggregate traffic overwhelms upstream links.

Export your results