What is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack floods your server with traffic from multiple sources, making it unavailable to legitimate users. Unlike single-source DoS attacks, DDoS attacks are harder to stop because traffic comes from thousands of IPs.
⚠️ Critical: A 10x sudden traffic spike is often the first sign of a DDoS attack. Early detection can mean the difference between a minor slowdown and complete downtime.
Types of DDoS Attacks
1. Volumetric Attacks
Flood bandwidth with massive traffic volume:
- UDP Floods: Massive UDP packets to random ports
- ICMP Floods: Ping flood attacks
- Amplification: DNS, NTP, SSDP reflection attacks
2. Protocol Attacks
Exploit weaknesses in network protocols:
- SYN Floods: Exhaust TCP connection tables
- Ping of Death: Malformed ping packets
- Smurf Attack: ICMP broadcast amplification
3. Application Layer Attacks (Layer 7)
Target specific applications - most visible in server logs:
- HTTP Floods: Massive GET/POST requests
- Slowloris: Keep connections open indefinitely
- POST Attacks: Large form submissions
Early Warning Signs in Logs
Traffic Anomalies
# Requests per minute (normal vs attack)
# $4 is the "[10/Oct/2000:13:55:36" timestamp; keeping the first three colon-separated fields buckets by minute
awk '{print $4}' access.log | cut -d: -f1-3 | uniq -c | sort -rn | head -20
# Compare to baseline - 10x+ increase = red flag
Single IP Floods
# Top IPs by request count
awk '{print $1}' access.log | sort | uniq -c | sort -rn | head -20
# If one IP has 10,000+ requests in an hour = suspicious
Unusual User-Agents
# Identical User-Agents across many IPs
awk -F'"' '{print $6}' access.log | sort | uniq -c | sort -rn | head -20
# Bots often use identical or empty User-Agents
Suspicious Patterns
# Requests to non-existent pages
grep " 404 " access.log | awk '{print $1}' | sort | uniq -c | sort -rn
# Same URL hit thousands of times
awk '{print $7}' access.log | sort | uniq -c | sort -rn | head -10
# POST requests (often used in attacks) - match the method in the request line, not "POST" anywhere in the line
grep '"POST ' access.log | awk '{print $1}' | sort | uniq -c | sort -rn
Detection Techniques
Real-time Monitoring Script
#!/bin/bash
# Simple DDoS detection - run every minute via cron
LOG="/var/log/nginx/access.log"
THRESHOLD=1000 # requests per minute triggers alert
# Count only the lines stamped with the previous full minute
# (combined-format timestamp, e.g. "[10/Oct/2000:13:55:36 +0000"); tail keeps the read cheap on a large log
MINUTE=$(date -d '1 minute ago' '+%d/%b/%Y:%H:%M')
REQUESTS=$(tail -n 100000 "$LOG" | grep -c "\[$MINUTE:")
if [ "$REQUESTS" -gt "$THRESHOLD" ]; then
    echo "ALERT: $REQUESTS requests in minute $MINUTE - possible DDoS"
    # Add notification (email, Slack, PagerDuty)
fi
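The three log heuristics above (a per-minute spike against a known baseline, a single IP flooding, one identical User-Agent shared by many IPs) combined into a single pass over the log, as an added Python example that is not part of the original article or of LogBeast. The log lines are constructed nginx combined-format samples and the thresholds are illustrative; the regex and the minute bucket follow the awk/cut one-liners above.

```python
import re
from collections import Counter, defaultdict

# nginx/Apache combined log format:
# IP ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(line):
    """Fields of one combined-format line, or None if the line is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def minute_of(ts):
    """'10/Oct/2000:13:55:36 +0000' -> '10/Oct/2000:13:55' (the awk/cut bucket)."""
    return ts.split(" ")[0].rsplit(":", 1)[0]

def analyze(lines, baseline_rpm, spike_factor=10, ip_threshold=1000, ua_ip_threshold=50):
    """Apply the three log heuristics; returns (kind, key, count) findings."""
    per_minute, per_ip, ua_ips = Counter(), Counter(), defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing mid-incident
        per_minute[minute_of(rec["ts"])] += 1
        per_ip[rec["ip"]] += 1
        ua_ips[rec["ua"]].add(rec["ip"])
    findings = []
    for minute, n in sorted(per_minute.items()):  # 1. a minute at spike_factor x baseline
        if n >= spike_factor * baseline_rpm:
            findings.append(("traffic_spike", minute, n))
    for ip, n in per_ip.most_common():  # 2. one client above ip_threshold requests
        if n >= ip_threshold:
            findings.append(("single_ip_flood", ip, n))
    for ua, ips in ua_ips.items():  # 3. one identical UA shared by many distinct IPs
        if len(ips) >= ua_ip_threshold:
            findings.append(("shared_user_agent", ua or "<empty>", len(ips)))
    return findings

def make_line(ip, ts, ua, path="/"):
    # Constructed sample line in combined format (not a real capture)
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample: a quiet minute, then one IP hammering and 60 IPs sharing one UA
SAMPLE = [make_line(f"10.0.0.{i}", "10/Oct/2000:13:54:00", "Mozilla/5.0") for i in range(1, 6)]
SAMPLE += [make_line("203.0.113.7", "10/Oct/2000:13:55:01", "") for _ in range(60)]
SAMPLE += [make_line(f"198.51.100.{i}", "10/Oct/2000:13:55:02", "python-requests/2.0") for i in range(1, 61)]
```

With `analyze(SAMPLE, baseline_rpm=5, ip_threshold=50)` the quiet 13:54 minute passes and 13:55 is flagged on all three heuristics; raise the thresholds to your real baseline before pointing it at a production log.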
Geographic Anomalies
# If you normally get US traffic but see 90% from one foreign country
# This can indicate a botnet from that region
# Use GeoIP lookup on top attacking IPs
geoiplookup 123.45.67.89
💡 Pro Tip: LogBeast includes built-in DDoS detection with automatic alerts when traffic exceeds your baseline by 200%, 500%, or 1000%.
Mitigation Strategies
Immediate Response
- Identify attacking IPs - Block the worst offenders
- Enable rate limiting - Limit requests per IP
- Activate CDN protection - Cloudflare, AWS Shield
- Scale resources - If cloud-based, add capacity
nginx Rate Limiting
# Add to nginx.conf: limit_req_zone belongs in the http {} block, limit_req in the server/location it protects
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
server {
    location / {
        limit_req zone=one burst=20 nodelay;
    }
}
iptables Blocking
# Block specific IP (-A appends to the end of the chain; use -I INPUT instead if an earlier rule already accepts the traffic)
iptables -A INPUT -s 123.45.67.89 -j DROP
# Block entire subnet
iptables -A INPUT -s 123.45.67.0/24 -j DROP
# Cap concurrent connections per IP (connlimit counts open connections, not request rate)
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j DROP
Prevention Best Practices
- Use a CDN: Cloudflare, Fastly, or AWS CloudFront absorb attacks
- Implement rate limiting: At application and server level
- Monitor continuously: Set up alerts for traffic anomalies
- Have a response plan: Know who to contact and what to do
- Keep software updated: Patch known vulnerabilities
- Use anycast DNS: Distribute DNS across multiple locations
🎯 Recommendation: Set up baseline monitoring before an attack happens. Know your normal traffic patterns so you can quickly identify anomalies.