DDoS: Traffic Analysis and Dump

When your server is under attack, capturing a traffic dump lets you understand the attack type, identify patterns, and share evidence with your provider to activate mitigation.

02. Required Tools

```bash
# Ubuntu/Debian
sudo apt install tcpdump ngrep net-tools

# CentOS/RHEL
sudo yum install tcpdump ngrep net-tools
```

03. Quick Capture with tcpdump

Basic Dump (All Packets on Main Interface)

```bash
# Identify your network interface (usually eth0, ens3, ens18)
ip a

# Capture 60 seconds on eth0 and save to file
# -G 60 closes the file after 60 s, -W 1 makes tcpdump exit after that first file
sudo tcpdump -i eth0 -w /tmp/attack-$(date +%Y%m%d-%H%M%S).pcap -G 60 -W 1
```

Capture Filtering by Port

```bash
# Capture only traffic on port 80/443 (HTTP attacks)
sudo tcpdump -i eth0 -w /tmp/dump-http.pcap port 80 or port 443

# Capture only UDP (volumetric/amplification)
sudo tcpdump -i eth0 -w /tmp/dump-udp.pcap udp

# Capture only SYN flood (TCP)
sudo tcpdump -i eth0 -w /tmp/dump-syn.pcap "tcp[tcpflags] & (tcp-syn) != 0"
```

Limit Dump Size

```bash
# Split the dump into 100 MB files (dump.pcap, dump.pcap1, ...) instead of one huge file;
# -C alone does not stop the capture, so combine it with timeout or -c to end it
sudo tcpdump -i eth0 -w /tmp/dump.pcap -C 100

# Capture for 30 seconds
sudo timeout 30 tcpdump -i eth0 -w /tmp/dump.pcap
```
04. Real-Time Analysis

Count Packets by Source IP (Top Attacker)

```bash
# Count source IPs in real-time (first 10,000 packets; IPv4 addresses, port stripped by cut)
sudo tcpdump -i eth0 -nn -c 10000 2>/dev/null | \
  awk '{print $3}' | \
  cut -d. -f1-4 | \
  sort | uniq -c | sort -rn | head -20
```

View Active Connections by Count

```bash
# Connections by TCP state
ss -s

# Top IPs by active connections
ss -tn | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -20

# Alternative with netstat
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -20
```

Real-Time Inbound Traffic

```bash
# Interface counters from /proc/net/dev, refreshed every second (-d highlights the bytes that changed)
watch -n1 -d 'grep eth0 /proc/net/dev'

# Or with ifstat for a real per-second rate (install if missing)
sudo apt install ifstat -y
ifstat -i eth0 1
```
05. Identify Attack Type

SYN Flood

```bash
# -c 10000 ends the capture so sort/uniq receive their input (without it the pipeline never prints)
sudo tcpdump -i eth0 -nn -c 10000 "tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0" | \
  awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -10
```

Symptoms: many SYNs without an ACK response, ss -s shows a high SYN-RECV count.

UDP Flood / Amplification (DNS, NTP, SSDP)

```bash
# Source (with port) and destination pairs for the first 10,000 UDP packets
sudo tcpdump -i eth0 -nn -c 10000 udp | \
  awk '{print $3, $5}' | sort | uniq -c | sort -rn | head -20
```

Source port 53 = DNS amplification, port 123 = NTP amplification.

HTTP Flood (Layer 7)

```bash
# Top client IPs in the last 10,000 requests of the Nginx access log
sudo tail -n 10000 /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20

# Requests by user-agent (field 6 when the combined log format is split on double quotes)
sudo awk -F'"' '{print $6}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -10

# Requests by URL
sudo awk '{print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -10
```

ICMP Flood (Ping Flood)

```bash
# Top ICMP sources in the first 10,000 ICMP packets
sudo tcpdump -i eth0 -nn -c 10000 icmp | \
  awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -10
```

06. Measure Traffic Volume

```bash
# PPS (packets per second): tcpdump prints one line per packet, pv -l -r shows the line rate
# (-l keeps tcpdump line-buffered when writing to a pipe; install pv if missing)
sudo tcpdump -i eth0 -nn -q -l 2>/dev/null | pv -l -r > /dev/null

# Or with iftop (visual interface, shows bits per second)
sudo apt install iftop -y
sudo iftop -i eth0 -n
```

07. Analyze Dump with Wireshark

After capturing the .pcap file, open it with Wireshark on your PC:

Useful filters in Wireshark:

```text
# SYN only
tcp.flags.syn==1 && tcp.flags.ack==0

# UDP only
udp

# Specific IP
ip.src == 1.2.3.4

# Top talkers: Statistics > Conversations
# Port distribution: Statistics > Endpoints
```

08. What to Send to Your Provider

When opening a ticket with DeluxHost or your upstream provider, include:

  • .pcap file (even just 30-60 seconds is enough)
  • Output of ss -s during the attack
  • Top 20 source IPs (output from uniq -c above)
  • Traffic type (UDP/TCP/ICMP, destination port)
  • Estimated PPS and Mbps during peak
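As an added example (not code from the original guide), the Python script below produces the figures in the list above from a .pcap file: packet count, protocol mix, top source IPs, top destination ports, the number of SYN-without-ACK packets and an estimated PPS. It reads the classic pcap format that tcpdump writes on an Ethernet interface (IPv4 only) and builds its own constructed sample capture; the helper names and the sample addresses are assumptions, not values from the page.

```python
import struct
from collections import Counter
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_pcap(data):
    """Yield (ts, proto, src, dst, sport, dport, tcp_flags) for IPv4 frames of a classic pcap (Ethernet link)."""
    e, off = ("<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"), 24   # endianness, skip global hdr
    while off + 16 <= len(data):                                     # 16-byte per-packet header
        sec, usec, incl, _ = struct.unpack(e + "IIII", data[off:off + 16])
        f, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(f) < 34 or f[12:14] != b"\x08\x00":                   # Ethernet + IPv4 only
            continue
        ihl, proto = (f[14] & 0x0F) * 4, f[23]
        src, dst = (".".join(map(str, f[i:i + 4])) for i in (26, 30))
        l4, sport, dport, flags = f[14 + ihl:], None, None, None
        if proto in (6, 17) and len(l4) >= 4:                        # TCP and UDP share the port layout
            sport, dport = struct.unpack("!HH", l4[:4])
            flags = l4[13] if proto == 6 and len(l4) >= 14 else None  # TCP flag byte
        yield sec + usec / 1e6, proto, src, dst, sport, dport, flags
def summarize(data, top=5):
    """The figures a provider ticket asks for: protocol mix, top sources and ports, SYN-only count, PPS."""
    pkts = list(parse_pcap(data))
    protos, srcs, dports, syn = Counter(), Counter(), Counter(), 0
    for ts, proto, src, dst, sport, dport, flags in pkts:
        protos[PROTO.get(proto, str(proto))] += 1
        srcs[src] += 1
        if dport is not None:
            dports[(PROTO[proto], dport)] += 1
        syn += flags is not None and flags & 0x12 == 0x02            # SYN set, ACK clear -> counts 1
    span = pkts[-1][0] - pkts[0][0] if len(pkts) > 1 else 0.0       # seconds between first and last packet
    return {"packets": len(pkts), "protocols": dict(protos), "syn_only": syn, "top_src": srcs.most_common(top),
            "top_dport": dports.most_common(top), "pps": len(pkts) / span if span > 0 else float(len(pkts))}
def frame(proto, src, dst, sport=0, dport=0, flags=0):
    """Constructed Ethernet/IPv4 frame with a bare TCP, UDP or ICMP-echo header (checksums left zero)."""
    ip = lambda a: bytes(map(int, a.split(".")))
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8, 0) if proto == 17 else struct.pack("!BBHHH", 8, 0, 0, 0, 0))
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip(src), ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + iph + l4
def build_pcap(frames, usec_gap=1000):
    """Constructed little-endian pcap, link type 1 (Ethernet), one packet every usec_gap microseconds."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000, i * usec_gap, len(f), len(f)) + f
    return bytes(out)
# Constructed sample: SYN flood from three sources to port 80, UDP from source port 53, two pings
SAMPLE = build_pcap([frame(6, f"198.51.100.{i % 3}", "203.0.113.10", 40000 + i, 80, 0x02) for i in range(30)]
                    + [frame(17, "192.0.2.7", "203.0.113.10", 53, 4444) for _ in range(8)]
                    + [frame(1, "192.0.2.9", "203.0.113.10")] * 2)
```

On a real capture call `summarize(open("/tmp/attack.pcap", "rb").read())`; the PPS figure is packets divided by the time between the first and last packet, so a capture trimmed to the attack window gives the peak value the ticket asks for.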
09. After Dump: Quick Blocking

```bash
# Block single IP (use -I INPUT instead of -A if an earlier ACCEPT rule would match the traffic first)
sudo iptables -A INPUT -s 1.2.3.4 -j DROP

# Block CIDR range
sudo iptables -A INPUT -s 1.2.3.0/24 -j DROP

# Save rules (Ubuntu, needs the iptables-persistent package); the redirect must run as root too
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

# Blocking with ipset (for many IPs): one iptables rule matches the whole set
sudo apt install ipset
sudo ipset create blacklist hash:ip
sudo ipset add blacklist 1.2.3.4
sudo iptables -A INPUT -m set --match-set blacklist src -j DROP
```

See also the guide Block IPs and DDoS for complete mitigation.


© DeluxHost, All rights reserved. | VAT number: IT17734661006