linux
webpixel, 2015-10-31 17:32:14

How to know DDoS or not?

Greetings! How can I know for sure whether the site is being DDoSed or is just under high load? The thing is, on a server with DDoS protection, 8 GB of RAM, 4 cores and only 1000 uniques per day, the site takes a terribly long time to open, with constant 502 and 504 errors.
netstat says:

1 established)
      1 Foreign
      4 FIN_WAIT1
      8 LISTEN
     14 SYN_RECV
     31 LAST_ACK
     92 SYN_SENT
    118 CLOSE_WAIT
    120 FIN_WAIT2
    247 TIME_WAIT
    403 ESTABLISHED

I set up primitive protection against SYN flood by enabling: net.ipv4.tcp_syncookies = 1
But in fact this kind of DDoS, I think, is filtered by the hosting provider itself.
On the server: Debian 7.9, nginx 1.8, php5-fpm 5.4, MySQL 5.5.
htop shows 100% load on all 4 cores and 3 GB of 8 in use.
Can you please tell me how to find the cause of the slowness? And how to know for sure whether it is a DDoS or the website itself failing... Thank you!


1 answer(s)
Vladimir, 2015-10-31
@webpixel

Very similar to an application-level DDoS. The hosting provider usually protects against brute attacks such as DNS amplification and so on, but your site is likely being hit more subtly: they found the heaviest pages and request them constantly.
Find out which processes are loading the CPU. If it is nginx/php/mysql, install and use nginxtop and analyze the nginx access logs for parasitic activity; be sure to set up monitoring of traffic, CPU, RAM, etc.
Also study the netstat output: select ports 80 and 443 (if used) and see whether most requests come from a small group of IP addresses; block them in iptables and look at the result.
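An added example, not part of either post, of the access-log analysis the answer suggests: it parses nginx combined-format log lines, counts requests per client IP and per path (query string stripped), counts 502/504 responses, and flags the case where a handful of IPs produce most of the traffic. The log lines are constructed and the addresses are documentation ranges; the threshold is an assumption to tune for your own traffic.

```python
import re
from collections import Counter

# nginx "combined" log format (the default access_log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: two clients hammering the heavy /search page while
# normal visitors request the front page and /about.
SAMPLE_LOG = """\
203.0.113.10 - - [31/Oct/2015:17:20:01 +0300] "GET /search?q=a HTTP/1.1" 502 568 "-" "Mozilla/5.0"
203.0.113.10 - - [31/Oct/2015:17:20:01 +0300] "GET /search?q=b HTTP/1.1" 504 568 "-" "Mozilla/5.0"
203.0.113.11 - - [31/Oct/2015:17:20:02 +0300] "GET /search?q=a HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.10 - - [31/Oct/2015:17:20:02 +0300] "GET /search?q=c HTTP/1.1" 502 568 "-" "Mozilla/5.0"
203.0.113.11 - - [31/Oct/2015:17:20:03 +0300] "GET /search?q=d HTTP/1.1" 504 568 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Oct/2015:17:20:03 +0300] "GET / HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.10 - - [31/Oct/2015:17:20:04 +0300] "GET /search?q=e HTTP/1.1" 502 568 "-" "Mozilla/5.0"
198.51.100.8 - - [31/Oct/2015:17:20:05 +0300] "GET /about HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.11 - - [31/Oct/2015:17:20:05 +0300] "GET /search?q=f HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.33 - - [31/Oct/2015:17:20:06 +0300] "GET / HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
""".splitlines()


def parse_access_log(lines):
    """Yield (ip, path_without_query, status) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path").split("?", 1)[0], int(m.group("status"))


def analyze(lines, top_n=3, share_threshold=0.5):
    """Summarise who is requesting what; 'suspicious' is set when the top_n
    client IPs account for at least share_threshold of all requests."""
    ips, paths, upstream_errors, total = Counter(), Counter(), 0, 0
    for ip, path, status in parse_access_log(lines):
        total += 1
        ips[ip] += 1
        paths[path] += 1
        if status in (502, 504):          # upstream (php-fpm) timeouts/failures
            upstream_errors += 1
    top_ips = ips.most_common(top_n)
    top_share = sum(n for _, n in top_ips) / total if total else 0.0
    return {"total": total, "top_ips": top_ips, "top_paths": paths.most_common(top_n),
            "top_share": top_share, "upstream_errors": upstream_errors,
            "suspicious": top_share >= share_threshold}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, top_n=2).items():
        print(f"{key}: {value}")
```

On a real server, feed it `open("/var/log/nginx/access.log")` instead of SAMPLE_LOG and compare the top IPs against the netstat view before deciding on an iptables block.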
