How do I differentiate a DDoS attack from a DoS attack?

  • My server is under attack on an specific port but I am confused whether is a DDoS attack or a DoS attack (if it requires a botnet or is using some kind of trick). The entire server is available (website, SSH, SMTP, etc...) except the port attacked.

    The service that runs on that port is using 8-10% CPU and about 900 MB RAM (which is normal, even lower) DoS definition?

    My provider has detected it as a DDoS attack and sent my server to the mitigation infrastructure.

    I have tried to block all incoming traffic from that port using iptables allowing just my IP address with no success, the service was still unavailable (I tried to kill the process -9 and starting it again with all connections blocked).

    iptables -A INPUT -p tcp --dport xxxx -s myip/32 -j ACCEPT
    iptables -A INPUT -p udp --dport xxxx -s myip/32 -j ACCEPT
    iptables -A INPUT -p tcp --dport xxxx -j DROP
    iptables -A INPUT -p udp --dport xxxx -j DROP

    The weird thing is if I open the service on another port, everything is fine. The server responds as if it wasn't being attacked, the same happens with all other applications.

    tcpdump detects tons of UDP packets like:

    No: 6610
    Time: 3.517741
    Destination: My server
    Protocol: UDP
    Length: 46
    Info: 18926 -> xxxx Len=4

    I'd like to know how do I diagnose this kind of attack since I am still new to this networking world or if I am missing doing something.

  • The main difference between a DoS and DDoS is that a DDoS (distributed) requires multiple hosts to flood one or multiple target servers, in other words, the volume of a DDoS is quite heavier. In your case, if your server can provide other services other than the targeted port and is taking few physical resources, chances are you are currently victim of a DoS, which means one specific computer has scanned an open port and is trying to saturate it at the moment (it could be for example a brute-force attack trying multiple combinaisons of credentials onto a service in order to login or a SYN flood attack, there is a wide choice of possibilities). Also, if you were involved in a DDoS attack, it would be probable that the entire server would not be able to provide any kind of service at all.

Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2