IRCNow

Under Attack?

To see if there is a DDoS attack, first run

$ ping example.com

against your server's hostname. If you get 80-90% packet loss but some packets still go through, you may be under a DDoS attack: the flood is saturating your internet pipe, yet some packets still make it through. If you get 100% packet loss, however, it could simply be a networking mistake.

Check whether your VNC web console can still load. If it feels sluggish, run top. If you see system and interrupt CPU usage shoot up to about 50% each, for a total of almost 100% CPU usage, then either you have a runaway process or you are being DDoSed. If your CPU usage is low, under 5%, it does not look like a DDoS attack.

Next, run this command:

$ doas pfctl -f /etc/pf.conf

This reloads the ruleset and empties the existing state tables for pf. Then, run

$ doas pfctl -sr -v

This shows pf's rules together with their packet counters. Since you just reloaded pf, if you now see thousands of packets counted, those packets arrived in the last few seconds, indicating that you are certainly under attack.
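When the ruleset is long, the counters are easier to read ranked. The script below is an added example, not part of the IRCNow page or of OpenBSD: it takes saved `pfctl -sr -v` output and lists the rules by their Packets counter, highest first, then sums them. The sample output, the interface name vio0 and the rules in it are constructed placeholders, not captured from a real host.

```sh
#!/bin/sh
# Added example, not from the IRCNow page: rank the rules in saved
# `doas pfctl -sr -v` output by their Packets counter, so the rule that is
# absorbing a flood comes first. Each unindented line is a rule; the indented
# counter line that follows it looks like
#   [ Evaluations: 38210     Packets: 38102     Bytes: 48770560    States: 0     ]

# Print "PACKETS<TAB>RULE", highest count first.
# $1: file holding pfctl -sr -v output
rank_rules_by_packets() {
    awk '
    NF > 0 && substr($0, 1, 1) != " " { rule = $0; next }   # the rule itself
    /Packets:/ {                                             # its counter line
        for (i = 1; i <= NF; i++)
            if ($i == "Packets:") printf "%d\t%s\n", $(i + 1), rule
    }' "$1" | sort -rn
}

# Sum the Packets counters over all rules: everything pf has counted since
# the counters were last reset by a ruleset reload.
total_packets() {
    rank_rules_by_packets "$1" | awk -F'\t' '{ sum += $1 } END { print sum + 0 }'
}

# Constructed sample (not captured from a real host); vio0 and the rules
# stand in for whatever your /etc/pf.conf contains.
PF_SAMPLE=$(mktemp)
cat > "$PF_SAMPLE" <<'EOF'
block return all
  [ Evaluations: 38210     Packets: 38102     Bytes: 48770560    States: 0     ]
  [ Inserted: uid 0 pid 45132 StateCreations: 0     ]
pass in on vio0 inet proto tcp from any to any port = 22 flags S/SA
  [ Evaluations: 108       Packets: 96        Bytes: 9216        States: 1     ]
  [ Inserted: uid 0 pid 45132 StateCreations: 1     ]
pass in on vio0 inet proto tcp from any to any port = 6667 flags S/SA
  [ Evaluations: 12        Packets: 12        Bytes: 960         States: 3     ]
  [ Inserted: uid 0 pid 45132 StateCreations: 3     ]
EOF

rank_rules_by_packets "$PF_SAMPLE"
echo "total packets since reload: $(total_packets "$PF_SAMPLE")"
```

On a live system, save the counters with `doas pfctl -sr -v > pf-counters.txt` a few seconds after the reload and pass that file in; a rule whose count grows by thousands between two snapshots is the one the flood is hitting.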

To analyze the types of packets, use tcpdump:

$ doas tcpdump -s 1500 -A -v -n -w flood.pcap

To stop the capture, press Ctrl+C. Make sure to save the pcap file: it is very useful for forensics and for learning how to block attacks. Then, to read the pcap:

$ doas tcpdump -s 1500 -A -v -n -r flood.pcap

If you see hundreds of trash packets, such as reflected DNS or reflected HTTP packets, you know it is a DDoS attack.
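Reflected traffic has a signature you can count rather than eyeball: the packets are replies, so they arrive from the reflector's service port (53 for DNS, 80 for HTTP, 123 for NTP), and they come from many different hosts. The script below is an added example, not part of the IRCNow page or of tcpdump: it tallies the text output of `tcpdump -n -r flood.pcap` by source port and counts how many distinct hosts sent from the busiest one. The port-to-label mapping is an assumption about typical reflection traffic, the sample lines are constructed in OpenBSD tcpdump -n format (IPv4 only), and 203.0.113.10 stands for the server under test.

```sh
#!/bin/sh
# Added example, not from the IRCNow page: summarize `tcpdump -n -r flood.pcap`
# text output by source port so reflection floods stand out. Lines look like
#   TIME SRC.ADDR.PORT > DST.ADDR.PORT: ...
# Only IPv4 lines (four address parts plus a port) are counted.

# Print "COUNT PORT LABEL" lines, busiest source port first.
# $1: file with one tcpdump -n line per packet
summarize_src_ports() {
    awk '
    $3 == ">" && NF >= 4 {
        n = split($2, a, ".")
        if (n < 5) next               # not a.b.c.d.port: skip (ARP, IPv6, ...)
        count[a[n]]++
    }
    END {
        for (p in count) {
            label = "other"           # labels are an assumption, not a rule
            if (p == "53")  label = "dns-reflection?"
            if (p == "80")  label = "http-reflection?"
            if (p == "123") label = "ntp-reflection?"
            printf "%d %s %s\n", count[p], p, label
        }
    }' "$1" | sort -rn
}

# Print only the busiest source port.
top_src_port() {
    summarize_src_ports "$1" | head -n 1 | awk '{ print $2 }'
}

# Count distinct source addresses sending from port $2. A reflection flood
# comes from many reflectors; a single misbehaving peer comes from one.
distinct_sources() {
    awk -v want="$2" '
    $3 == ">" && NF >= 4 {
        n = split($2, a, ".")
        if (n < 5 || a[n] != want) next
        ip = a[1]
        for (i = 2; i < n; i++) ip = ip "." a[i]
        seen[ip] = 1
    }
    END { c = 0; for (ip in seen) c++; print c }' "$1"
}

# Constructed sample (not a real capture): three DNS answers from different
# reflectors, two HTTP replies, one line of the server's own IRC traffic
# and one ARP line that must be ignored.
PCAP_TXT=$(mktemp)
cat > "$PCAP_TXT" <<'EOF'
12:00:01.000001 198.51.100.7.53 > 203.0.113.10.41234: 12345 3/0/0 A 192.0.2.1, A 192.0.2.2, A 192.0.2.3 (1400)
12:00:01.000002 198.51.100.8.53 > 203.0.113.10.41234: 12345 3/0/0 A 192.0.2.1 (1400)
12:00:01.000003 198.51.100.9.53 > 203.0.113.10.41234: 12345 3/0/0 A 192.0.2.1 (1400)
12:00:01.000004 192.0.2.44.80 > 203.0.113.10.41234: S 1:1(0) ack 2 win 8192
12:00:01.000005 192.0.2.45.80 > 203.0.113.10.41234: S 1:1(0) ack 2 win 8192
12:00:01.000006 203.0.113.10.6667 > 192.0.2.99.51000: P 1:40(39) ack 1 win 16384
12:00:01.000007 arp who-has 203.0.113.1 tell 203.0.113.10
EOF

summarize_src_ports "$PCAP_TXT"
TOP=$(top_src_port "$PCAP_TXT")
echo "busiest source port: $TOP, from $(distinct_sources "$PCAP_TXT" "$TOP") distinct hosts"
```

On a real capture, feed it `doas tcpdump -n -r flood.pcap dst host YOUR.ADDRESS > flood.txt` so only inbound traffic is counted; a busiest port of 53 or 80 spread over hundreds of distinct hosts is the reflected-packet pattern the text describes.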


Cloudflare/Voxility's DDoS protection can mangle SSL certs from specific domains (I noticed them doing this for Let's Encrypt):

$ openssl s_client -connect 172.65.32.248:443

It just hangs there with no certificate being issued.

Also, DDoS has been known to mangle SMTP, NTP, and DNS packets. Watch out!