There are two main manifestations of DDoS. One is a traffic attack, which is mainly an attack on network bandwidth, that is, a large number of attack packets cause network bandwidth to be blocked, and legitimate network packets are flooded by false attack packets and cannot reach the host; the other is The resource exhaustion attack is mainly an attack on the server host, that is, a large number of attack packets cause the host’s memory to be exhausted or the CPU is occupied by the kernel and applications, resulting in the inability to provide network services.
How to judge whether the website is under traffic attack? You can use the Ping command to test. If you find that the Ping timeout or severe packet loss (assuming it is normal), you may have suffered a traffic attack. At this time, if you find that your host is connected to The server on the same switch can no longer be accessed, and it is basically certain that it has suffered a traffic attack. Of course, the prerequisite for this test is that the ICMP protocol between you and the server host is not blocked by devices such as routers and firewalls. Otherwise, you can use the Telnet host server’s network service port to test, and the effect is the same. But one thing is certain. If Ping your host server and the host server connected to the same switch are normal, and suddenly both of them fail to ping or the packet is severely lost, then if the network failure factor can be eliminated, it must be suffered. In addition to traffic attacks, another typical phenomenon of traffic attacks is that once you suffer a traffic attack, you will find that connecting to a website server with a remote terminal will fail.
Compared with traffic attacks, resource exhaustion attacks are easier to judge. If the Ping website host and the visited website are normal, and suddenly the website access is very slow or inaccessible, and the Ping can still be pinged, it is very likely. Suffered a resource exhaustion attack. At this time, if a large number of SYN_RECEIVED, TIME_WAIT, FIN_WAIT_1 and other states are observed with the Netstat-na command on the server, but there are few ESTABLISHED, it can be determined that it must have suffered a resource exhaustion attack. Another phenomenon that belongs to resource exhaustion attacks is that the Ping of its own website host fails or the packet loss is serious, while the server on the same switch of Ping and its host is normal. The reason for this is that the website host is attacked. As a result, the CPU utilization of the system kernel or certain applications reaches 100% and cannot respond to the Ping command. In fact, the bandwidth is still available. Otherwise, the host connected to the same switch will not be able to Ping.