DDoS: Traffic Analysis and Dump
When your server is under attack, capturing a traffic dump lets you understand the attack type, identify patterns, and share evidence with your provider to activate mitigation.
Required Tools
# Ubuntu/Debian
sudo apt install tcpdump ngrep net-tools
# CentOS/RHEL
sudo yum install tcpdump ngrep net-tools
Quick Capture with tcpdump
Basic Dump (All Packets on Main Interface)
# Identify your network interface
ip a
# usually eth0, ens3, ens18
# Capture 60 seconds on eth0 and save to file
sudo tcpdump -i eth0 -w /tmp/attack-$(date +%Y%m%d-%H%M%S).pcap -G 60 -W 1
Capture Filtering by Port
# Capture only traffic on port 80/443 (HTTP attacks)
sudo tcpdump -i eth0 -w /tmp/dump-http.pcap port 80 or port 443
# Capture only UDP (volumetric/amplification)
sudo tcpdump -i eth0 -w /tmp/dump-udp.pcap udp
# Capture only SYN flood (TCP)
sudo tcpdump -i eth0 -w /tmp/dump-syn.pcap "tcp[tcpflags] & (tcp-syn) != 0"
Limit Dump Size
# Rotate after 100 MB (-C) and keep only one file (-W 1), so the capture stops at ~100 MB
sudo tcpdump -i eth0 -w /tmp/dump.pcap -C 100 -W 1
# Capture for 30 seconds
sudo timeout 30 tcpdump -i eth0 -w /tmp/dump.pcap
Real-Time Analysis
Count Packets by Source IP (Top Attacker)
# Count source IPs in real-time
sudo tcpdump -i eth0 -nn -c 10000 2>/dev/null | \
awk '{print $3}' | \
cut -d. -f1-4 | \
sort | uniq -c | sort -rn | head -20
View Active Connections by Count
# Connections by TCP state
ss -s
# Top IPs by active connections (NR>1 skips the header line; $5 is the peer address:port)
ss -tn | awk 'NR>1 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -20
# Alternative with netstat (NR>2 skips its two header lines)
netstat -ntu | awk 'NR>2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -20
Real-Time Inbound Traffic
# Cumulative byte/packet counters per interface; the change between refreshes is the per-second rate
watch -n1 'grep eth0 /proc/net/dev'
# Or with ifstat (install if missing)
sudo apt install ifstat -y
ifstat -i eth0 1
Identify Attack Type
SYN Flood
# -c bounds the capture so sort/uniq receive end-of-input and print the result
sudo tcpdump -i eth0 -nn -c 5000 "tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0" 2>/dev/null | \
awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -10
Symptoms: many SYNs with no follow-up ACK; ss -s shows a high SYN-RECV count.
UDP Flood / Amplification (DNS, NTP, SSDP)
# Source (with port) and destination pairs; -c bounds the capture so the pipeline completes
sudo tcpdump -i eth0 -nn -c 5000 udp 2>/dev/null | \
awk '{print $3, $5}' | sort | uniq -c | sort -rn | head -20
Source port 53 = DNS amplification, port 123 = NTP amplification.
HTTP Flood (Layer 7)
# Analyze Nginx access log: top client IPs over the last 10000 requests
# (tail -f would never end, so sort would never print; use a bounded tail instead)
sudo tail -n 10000 /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
# Requests by user-agent (split on double quotes: field 6 is the whole user-agent string in the combined log format)
sudo awk -F'"' '{print $6}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -10
# Requests by URL
sudo awk '{print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -10
ICMP Flood (Ping Flood)
sudo tcpdump -i eth0 -nn -c 5000 icmp 2>/dev/null | \
awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -10
Measure Traffic Volume
# PPS (packets per second) on eth0: pv counts tcpdump output lines (-l) and shows the rate (-r)
# tcpdump -l line-buffers its output so the rate updates continuously; install pv if missing
sudo apt install pv -y
sudo tcpdump -i eth0 -nn -q -l 2>/dev/null | pv -l -r > /dev/null
# Or with iftop (visual interface, shows bandwidth in bits per second per host)
sudo apt install iftop -y
sudo iftop -i eth0 -n
Analyze Dump with Wireshark
After capturing the .pcap file, open it with Wireshark on your PC:
Useful filters in Wireshark:
# SYN only
tcp.flags.syn==1 && tcp.flags.ack==0
# UDP only
udp
# Specific IP
ip.src == 1.2.3.4
# Top talkers: Statistics > Conversations
# Port distribution: Statistics > Endpoints
What to Send to Your Provider
When opening a ticket with DeluxHost or your upstream provider, include:
- .pcap file (even just 30-60 seconds is enough)
- Output of ss -s during the attack
- Top 20 source IPs (output from uniq -c above)
- Traffic type (UDP/TCP/ICMP, destination port)
- Estimated PPS and Mbps during peak
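The per-source counts, the attack-type checks and the PPS estimate above can be combined into one offline summariser that runs over saved tcpdump text output and prints the figures the ticket asks for. This is an added example, not part of the original guide; the two functions and the sample lines are constructed, and it assumes IPv4 lines in the format tcpdump -nn prints.

```shell
# Added example (not from the original article): summarise `tcpdump -nn` text output into
# the figures a provider ticket asks for: protocol mix, pure-SYN count, reflected amplification
# source ports, estimated PPS and top source IPs. Assumes IPv4 `tcpdump -nn` lines only.

# Constructed sample of `tcpdump -i eth0 -nn -l` output, not a real capture.
SAMPLE_TCPDUMP='12:00:00.000000 IP 203.0.113.10.40001 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0
12:00:00.400000 IP 203.0.113.10.40002 > 198.51.100.5.80: Flags [S], seq 2, win 65535, length 0
12:00:00.800000 IP 203.0.113.10.40003 > 198.51.100.5.80: Flags [S], seq 3, win 65535, length 0
12:00:01.200000 IP 203.0.113.11.40004 > 198.51.100.5.80: Flags [S], seq 4, win 65535, length 0
12:00:01.500000 IP 192.0.2.7.53 > 198.51.100.5.3456: 1234 3/0/0 A 93.184.216.34 (3000)
12:00:01.900000 IP 192.0.2.7.53 > 198.51.100.5.3457: 1235 3/0/0 A 93.184.216.34 (3000)
12:00:02.300000 IP 198.51.100.20 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64
12:00:02.700000 IP 203.0.113.12.51000 > 198.51.100.5.443: Flags [P.], seq 1:100, ack 1, win 501, length 99
12:00:03.000000 IP 203.0.113.12.51000 > 198.51.100.5.443: Flags [.], ack 2, win 501, length 0'

# Classify each line and print one summary line. Field 3 is "a.b.c.d.port" for TCP/UDP
# and "a.b.c.d" for ICMP; field 1 is the timestamp used for the PPS estimate.
ddos_proto_mix() {   # usage: ddos_proto_mix < tcpdump_output
    awk '
    {
        n = split($3, a, ".")
        split($1, t, ":"); secs = t[1] * 3600 + t[2] * 60 + t[3]
        if (total == 0) first = secs; last = secs
        total++
        if (index($0, "Flags [S]") > 0)      syn++        # pure SYN, no ACK bit: SYN flood signal
        else if (index($0, "Flags [") > 0)   tcp_other++  # any other TCP segment
        else if (index($0, "ICMP") > 0)      icmp++       # ping flood signal
        else {                                            # remaining lines are UDP payloads
            udp++
            # source port 53/123/1900 = replies reflected off DNS/NTP/SSDP servers
            if (n >= 5 && (a[5] == "53" || a[5] == "123" || a[5] == "1900")) amp++
        }
    }
    END {
        pps = (last > first) ? int(total / (last - first) + 0.5) : total
        printf "packets=%d syn=%d tcp_other=%d udp=%d udp_amp_srcport=%d icmp=%d pps=%d\n", total, syn, tcp_other, udp, amp, icmp, pps
    }'
}

# Top N source addresses: the same sort | uniq -c | sort -rn pipeline used above,
# with the port suffix stripped so every line from one host counts together.
ddos_top_sources() {   # usage: ddos_top_sources [N] < tcpdump_output
    awk '{ split($3, a, "."); print a[1] "." a[2] "." a[3] "." a[4] }' \
        | sort | uniq -c | sort -rn | head -n "${1:-5}" \
        | awk '{ print $1, $2 }'   # drop the leading padding that uniq -c adds
}
# Run on the sample; live: sudo tcpdump -i eth0 -nn -l -c 10000 2>/dev/null | ddos_proto_mix
printf '%s\n' "$SAMPLE_TCPDUMP" | ddos_proto_mix
printf '%s\n' "$SAMPLE_TCPDUMP" | ddos_top_sources 3
```

The summary line and the top-source list are exactly the figures listed above for the ticket, and the same functions work on a saved capture via tcpdump -nn -r file.pcap.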
After Dump: Quick Blocking
# Block single IP (-I inserts at the top of INPUT so it is matched before any existing ACCEPT rule)
sudo iptables -I INPUT -s 1.2.3.4 -j DROP
# Block CIDR range
sudo iptables -I INPUT -s 1.2.3.0/24 -j DROP
# Save rules (Ubuntu, requires the iptables-persistent package; the redirect must also run as root)
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
# Blocking with ipset (for many IPs)
sudo apt install ipset
sudo ipset create blacklist hash:ip
sudo ipset add blacklist 1.2.3.4
sudo iptables -I INPUT -m set --match-set blacklist src -j DROP
See also the guide Block IPs and DDoS for complete mitigation.
