
My server went down earlier - looks like a DDoS. A spike in traffic to around 13 Mbit, the swap goes from idle to maxed in about 5 minutes, and the server stops responding.

I would like to protect against the attack but I can't determine the method. Server logs show no increased http connections or usage, nor mysql or mail usage above usual levels. Server graphs only show spikes in Network, I/O, and Memory Usage:

Memory Usage: http://i.imgur.com/UwGru.gif
IO Graph: http://i.imgur.com/DVECD.gif

I can't fathom what type of attack this is. Where could this be targeting and how can I protect against it? All comments gratefully received.

monkeymatrix

2 Answers


The spike in IO is likely your system trying to use all that swap. The first thing I would do is figure out what process is using all that swap. You may need to patch your ps in order to do this easily: http://r0bertz.blogspot.com/2010/04/show-real-swap-usage-for-each.html

akraut
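One way to get the per-process view this answer describes without patching ps, as an added example that is not part of the original answer: it reads the VmSwap field from /proc/<pid>/status, which assumes a kernel new enough to expose that field (2.6.34 and later; older CentOS kernels lack it).

```shell
#!/bin/sh
# Added example, not from the original answer: list swap usage per process
# by reading /proc/<pid>/status instead of patching ps.
# Assumes a Linux kernel that reports VmSwap (2.6.34+).

# Print the VmSwap value in kB from one status file; prints 0 if the field is absent.
vmswap_kb() {
    awk '/^VmSwap:/ { print $2; found = 1 } END { if (!found) print 0 }' "$1"
}

# Print the top N swap consumers as "swap_kB pid name", largest first.
# Processes that exit while we scan are silently skipped.
top_swap() {
    n=${1:-10}
    for status in /proc/[0-9]*/status; do
        pid=${status#/proc/}
        pid=${pid%/status}
        kb=$(vmswap_kb "$status" 2>/dev/null) || continue
        [ "$kb" -gt 0 ] 2>/dev/null || continue
        name=$(awk '/^Name:/ { print $2 }' "$status" 2>/dev/null)
        printf '%s %s %s\n' "$kb" "$pid" "$name"
    done | sort -rn | head -n "$n"
}

# Usage: run as root on the affected box so every process is readable.
top_swap 10
```

Run it while the box is under load (or from a cron job that appends to a log), since the per-process figures are lost once the machine is rebooted.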

SYN flooding?

If the DDoS came from a defined geographic region, ask your provider to block them.

MemLeak
  • 169
  • 8
  • SYN flooding seems like a possibility, but any way I can confirm? Obviously box is now rebooted so netstat isn't saying much, but box is running CentOS and Cpanel. – monkeymatrix Nov 07 '12 at 19:20