DDoS: Traffic Analysis and Dump
How to capture and analyze traffic during a DDoS attack to identify the type and origin
When your server is under attack, capturing a traffic dump lets you understand the attack type, identify patterns, and share evidence with your provider to activate mitigation.
Required Tools
# Ubuntu/Debian
sudo apt install tcpdump ngrep net-tools
# CentOS/RHEL
sudo yum install tcpdump ngrep net-tools
Quick Capture with tcpdump
Basic Dump (All Packets on Main Interface)
# Identify your network interface
ip a
# usually eth0, ens3, ens18
# Capture 60 seconds on eth0 and save to file (-G 60 rotates after 60 s, -W 1 stops after the first file)
sudo tcpdump -i eth0 -w /tmp/attack-$(date +%Y%m%d-%H%M%S).pcap -G 60 -W 1
Capture Filtering by Port
# Capture only traffic on port 80/443 (HTTP attacks)
sudo tcpdump -i eth0 -w /tmp/dump-http.pcap port 80 or port 443
# Capture only UDP (volumetric/amplification)
sudo tcpdump -i eth0 -w /tmp/dump-udp.pcap udp
# Capture only pure SYN segments (SYN set, ACK clear), the SYN flood candidates; "tcp-syn != 0" alone would also match SYN-ACK replies
sudo tcpdump -i eth0 -w /tmp/dump-syn.pcap "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"
Limit Dump Size
# Start a new file every 100 MB; -C alone never stops, -W 2 limits it to a rotating pair (200 MB on disk at most)
sudo tcpdump -i eth0 -w /tmp/dump.pcap -C 100 -W 2
# Capture for 30 seconds, then stop
sudo timeout 30 tcpdump -i eth0 -w /tmp/dump.pcap
Real-Time Analysis
Count Packets by Source IP (Top Attacker)
# Count source IPs in the next 10,000 packets (-nn keeps addresses numeric; $3 is "src.port", cut strips the port; IPv4 only)
sudo tcpdump -i eth0 -nn -c 10000 2>/dev/null | \
awk '{print $3}' | \
cut -d. -f1-4 | \
sort | uniq -c | sort -rn | head -20
View Active Connections by Count
# Connections by TCP state
ss -s
# Top IPs by established connections (-H drops the header line; $5 is "peer:port", IPv4 only)
sudo ss -Htn | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -20
# Alternative with netstat (net-tools); NR>2 skips the two header lines
sudo netstat -ntu | awk 'NR>2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -20
Real-Time Inbound Traffic
# Interface counters from the kernel (cumulative bytes/packets); -d highlights what changed since the last second
watch -n1 -d 'grep eth0 /proc/net/dev'
# Or with ifstat (install if missing) for per-second KB in/out
sudo apt install ifstat -y
ifstat -i eth0 1
Identify Attack Type
SYN Flood
# Top sources of pure SYNs (SYN set, ACK clear) among the next 5,000 matching packets; -c is required or sort never sees end of input
sudo tcpdump -i eth0 -nn -c 5000 "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn" 2>/dev/null | \
awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -10
# Half-open connections waiting for the final ACK (ss -s does not break this state out)
sudo ss -Htn state syn-recv | wc -l
Symptoms: many SYNs whose handshake never completes and a growing SYN-RECV count. Source addresses are usually spoofed, so the top-IP list says little and per-IP blocking helps little; SYN cookies (net.ipv4.tcp_syncookies=1) and upstream filtering do.
UDP Flood / Amplification (DNS, NTP, SSDP)
sudo tcpdump -i eth0 -nn -c 5000 udp 2>/dev/null | \
awk '{print $3, $5}' | sort | uniq -c | sort -rn | head -20
Source port 53 = DNS amplification, port 123 = NTP amplification, port 1900 = SSDP. The "sources" are reflectors answering queries sent with your spoofed address, not the attacker; large packets from a fixed source port to random destination ports are the giveaway.
HTTP Flood (Layer 7)
# Analyze the last 10,000 lines of the Nginx access log: top client IPs (tail -f would never let sort finish)
sudo tail -n 10000 /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
# Requests by user-agent: in the combined log format the UA is the 6th double-quoted field, so split on '"' rather than on spaces
sudo awk -F'"' '{print $6}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -10
# Requests by URL ($7 is the path inside "METHOD /path HTTP/x.y")
sudo awk '{print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -10
Unlike SYN and UDP floods, Layer 7 requests complete the TCP handshake, so the logged client IPs are real and can be rate-limited or blocked.
ICMP Flood (Ping Flood)
sudo tcpdump -i eth0 -nn -c 5000 icmp 2>/dev/null | \
awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -10
Measure Traffic Volume
# PPS (packets per second): pv -l counts lines, one per packet, and -r shows the rate; tcpdump -l flushes each line when piped
sudo apt install pv -y
sudo tcpdump -i eth0 -nn -q -l 2>/dev/null | pv -l -r > /dev/null
# Bits per second: ifstat above, or iftop (visual, bandwidth per peer, -n disables DNS lookups)
sudo apt install iftop -y
sudo iftop -i eth0 -n
Analyze Dump with Wireshark
After capturing the .pcap file, open it with Wireshark on your PC:
Useful filters in Wireshark:
# SYN only
tcp.flags.syn==1 && tcp.flags.ack==0
# UDP only
udp
# Specific IP
ip.src == 1.2.3.4
# Top talkers: Statistics > Conversations (IPv4 tab)
# Port distribution: Statistics > Endpoints (TCP and UDP tabs list address:port)
What to Send to Your Provider
When opening a ticket with DeluxHost or your upstream provider, include:
- .pcap file (even just 30-60 seconds is enough)
- Output of ss -s during the attack
- Top 20 source IPs (output from uniq -c above)
- Traffic type (UDP/TCP/ICMP, destination port)
- Estimated PPS and Mbps during peak
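The classification heuristics from the Identify Attack Type section and the numbers in the ticket checklist above can be produced offline from the saved .pcap instead of on the live interface. The following Python script is an added example, not part of this guide or of any DeluxHost tooling: it parses a classic libpcap file (Ethernet/IPv4 only, no pcapng), counts packets per source, flags SYN-without-ACK segments, UDP source ports and ICMP, and reports the attack class, top sources, PPS and Mbps. The thresholds (half of all packets for a class, 80% pure SYNs) and the amplifier-port table are assumptions, and the two sample captures are constructed in code from RFC 5737 documentation addresses, not real traffic.

```python
"""Offline DDoS pcap summary: attack class, top sources, PPS and Mbps.
Added example, not from the original guide; classic libpcap with Ethernet/IPv4 only."""
import struct
from collections import Counter

# UDP source ports typical of reflection/amplification replies (assumed table).
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "chargen", 11211: "memcached"}

def parse_pcap(data):
    """Yield (timestamp, orig_len, frame) per record; either byte order, no pcapng."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(bytes(data[:4]))
    if endian is None:
        raise ValueError("not a classic libpcap file (convert pcapng with: editcap -F pcap)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # link type 1 = Ethernet
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, orig_len, data[off:off + incl_len]
        off += incl_len

def decode_ipv4(frame):
    """Return (src, proto, sport, dport, tcp_flags) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    proto, src, l4 = frame[23], ".".join(map(str, frame[26:30])), frame[14 + (frame[14] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", l4[:4]) if proto in (6, 17) and len(l4) >= 4 else (0, 0)
    flags = l4[13] if proto == 6 and len(l4) >= 14 else 0
    return src, proto, sport, dport, flags

def summarise(pcap_bytes, top_n=20):
    """Produce the numbers a provider ticket asks for: class, top sources, PPS, Mbps."""
    sources, udp_sports = Counter(), Counter()
    tcp = syn_only = icmp = pkts = nbytes = 0
    first = last = None
    for ts, orig_len, frame in parse_pcap(pcap_bytes):
        pkts, nbytes = pkts + 1, nbytes + orig_len
        first, last = (ts if first is None else first), ts
        decoded = decode_ipv4(frame)
        if decoded is None:
            continue  # ARP, IPv6, ... count towards volume but are not classified
        src, proto, sport, _dport, flags = decoded
        sources[src] += 1
        if proto == 6:
            tcp += 1
            syn_only += int((flags & 0x12) == 0x02)  # SYN set, ACK clear
        elif proto == 17:
            udp_sports[sport] += 1
        elif proto == 1:
            icmp += 1
    udp = sum(udp_sports.values())
    kind = "unclassified"
    if pkts and tcp >= pkts / 2 and syn_only >= 0.8 * tcp:
        kind = "SYN flood"
    elif pkts and udp >= pkts / 2:
        port, n = udp_sports.most_common(1)[0]  # dominant source port, if any
        kind = (f"UDP {AMPLIFIER_PORTS[port]} amplification (src port {port})"
                if port in AMPLIFIER_PORTS and n >= udp / 2 else "UDP flood")
    elif pkts and icmp >= pkts / 2:
        kind = "ICMP flood"
    # Dumps shorter than a second are rated as one second so PPS/Mbps stay sane.
    duration = max(last - first if first is not None else 0.0, 1.0)
    return {"kind": kind, "packets": pkts, "duration_s": round(duration, 3),
            "pps": round(pkts / duration, 1), "mbps": round(nbytes * 8 / duration / 1e6, 3),
            "top_sources": sources.most_common(top_n)}

# --- constructed sample captures (documentation addresses, no real traffic) ---
def _frame(src, proto, sport=0, dport=0, flags=0, payload=0):
    """Ethernet + IPv4 + minimal TCP/UDP/ICMP header sent to the victim 203.0.113.10."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    elif proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload, 0) + b"\x00" * payload
    else:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 0, 0)  # ICMP echo request
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes([203, 0, 113, 10]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def build_pcap(frames, start=1700000000.0, gap=0.05):
    """Little-endian classic pcap, Ethernet link type, one frame every `gap` seconds."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        ts = start + i * gap
        out.append(struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(f), len(f)) + f)
    return b"".join(out)

def sample_syn_flood():
    """200 pure SYNs to :80 from 20 spoofed 198.51.100.x hosts plus 5 legitimate ACKs."""
    frames = [_frame(f"198.51.100.{i % 20 + 1}", 6, 40000 + i, 80, flags=0x02) for i in range(200)]
    frames += [_frame("192.0.2.5", 6, 51000, 443, flags=0x10) for _ in range(5)]
    return build_pcap(frames)

def sample_dns_amplification():
    """150 large UDP replies with source port 53 from 10 open resolvers."""
    return build_pcap([_frame(f"192.0.2.{i % 10 + 1}", 17, 53, 30000 + i, payload=500)
                       for i in range(150)])
```

`summarise(sample_syn_flood())` reports "SYN flood" with 20 sources at 10 packets each, about 20 pps over 10.2 s; `summarise(sample_dns_amplification())` reports "UDP DNS amplification (src port 53)". For a real dump use `summarise(open("/tmp/attack.pcap", "rb").read())`; a pcapng file (what current Wireshark saves by default) must be converted first with `editcap -F pcap in.pcapng out.pcap`.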
After Dump: Quick Blocking
# Block single IP (-I inserts at the top of INPUT; -A would append after any earlier ACCEPT rule, which would then win)
sudo iptables -I INPUT -s 1.2.3.4 -j DROP
# Block CIDR range
sudo iptables -I INPUT -s 1.2.3.0/24 -j DROP
# Save rules (Ubuntu, with the iptables-persistent package); the redirect must run as root, a plain "sudo iptables-save > file" is denied
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
# Blocking with ipset (for many IPs: one iptables rule, hash lookup instead of a rule per address)
sudo apt install ipset
sudo ipset create blacklist hash:ip
sudo ipset add blacklist 1.2.3.4
sudo iptables -I INPUT -m set --match-set blacklist src -j DROP
Never block your own management address, your monitoring hosts or the provider's ranges, and remember that SYN and UDP flood sources are usually spoofed: IP blocking mainly pays off against Layer 7 floods, where the addresses are real.
See also the guide Block IPs and DDoS for complete mitigation.
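Feeding ipset one address at a time does not scale to the top-talker list. The script below is an added example, not from this guide: it reads the `sort | uniq -c` output produced in the analysis sections, drops sources below a packet threshold and any address inside ranges that must never be blocked (your own management address, monitoring, the provider), collapses a /24 that contains five or more offenders into a single entry, and writes `ipset restore` input for a hash:net set. The set name, the thresholds and the sample counts are assumptions, and the input is constructed (RFC 5737 addresses); IPv4 only, since an IPv6 list would need a separate family inet6 set.

```python
"""Build an ipset block list from `sort | uniq -c` top-talker output.
Added example, not from the original guide; set name and thresholds are assumptions."""
import ipaddress
from collections import Counter

# Constructed sample of what `... | sort | uniq -c | sort -rn` printed during an attack.
# 203.0.113.0/24 plays the role of our own/provider range and must never be blocked;
# the "1 Peer" line is the ss header that slips through the pipeline.
SAMPLE_TOP = """\
   4120 198.51.100.14
   3987 198.51.100.3
   3901 198.51.100.77
   3750 198.51.100.210
   3612 198.51.100.42
   2200 198.51.100.9
   1834 192.0.2.77
    990 192.0.2.9
    870 203.0.113.5
     12 192.0.2.100
      1 Peer
"""

def parse_uniq_counts(text):
    """Return [(ip_address, count)] from `<count> <ip>` lines; junk lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        try:
            rows.append((ipaddress.ip_address(parts[1]), int(parts[0])))
        except ValueError:  # header text or a truncated address
            continue
    return rows

def choose_blocks(rows, min_count=500, never_block=(), net_threshold=5):
    """IPv4 hosts at or above min_count, minus anything inside never_block ranges.
    A /24 holding net_threshold or more offenders is returned as one network."""
    safe = [ipaddress.ip_network(n) for n in never_block]
    hosts = [ip for ip, n in rows
             if ip.version == 4 and n >= min_count and not any(ip in s for s in safe)]
    per_net = Counter(ipaddress.ip_network(f"{ip}/24", strict=False) for ip in hosts)
    nets = sorted(net for net, k in per_net.items() if k >= net_threshold)
    singles = sorted(ip for ip in hosts if not any(ip in net for net in nets))
    return singles, nets

def ipset_restore(singles, nets, name="ddos_block"):
    """`ipset restore` input; hash:net accepts both single hosts and CIDR ranges."""
    lines = [f"create {name} hash:net family inet"]
    lines += [f"add {name} {entry}" for entry in list(singles) + list(nets)]
    return "\n".join(lines) + "\n"

def build_from_text(text, **kwargs):
    """Top-talker text in, restore-file contents out."""
    singles, nets = choose_blocks(parse_uniq_counts(text), **kwargs)
    return ipset_restore(singles, nets)

if __name__ == "__main__":
    print(build_from_text(SAMPLE_TOP, never_block=["203.0.113.0/24"]), end="")
```

On the sample the output is one create line, `add ddos_block 192.0.2.9`, `add ddos_block 192.0.2.77` and `add ddos_block 198.51.100.0/24`; 203.0.113.5 is skipped although its count is above the threshold. Apply it with `python3 make_blocklist.py > ddos_block.set`, `sudo ipset restore -exist < ddos_block.set` (the -exist flag lets you re-run against an existing set) and `sudo iptables -I INPUT -m set --match-set ddos_block src -j DROP`.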