How to Check for DDoS Attacks or Excessive Traffic from Specific IPs and Take Appropriate Actions


Distributed Denial of Service (DDoS) attacks can cripple your web services and disrupt business operations. Identifying an ongoing attack, or excessive traffic from specific IPs, is critical for taking timely action. This article walks through identifying and mitigating these issues on Linux-based servers with standard command-line and monitoring tools. Keep one distinction in mind throughout: the host-level techniques below work well against abusive traffic from a manageable number of source IPs (scrapers, brute-force scripts, misbehaving clients). A volumetric DDoS that saturates your uplink has to be absorbed upstream, by your hosting provider or a mitigation service (Step 5), because packets you drop on the server have already consumed the bandwidth.


Prerequisites

  • Basic understanding of the Linux command-line interface
  • Root (or sudo) access to the server and its logs
  • Familiarity with your web server software (Apache, Nginx)
  • Optional: knowledge of control panel software (WHM/cPanel, Plesk, DirectAdmin)

Step 1: Identifying Excessive Traffic

Web Server Logs

Check your web server access logs to identify the IPs that appear most frequently. The first field of a combined-format log line is the client IP, so the commands below count lines per IP and list the busiest sources first:

For Apache (Debian/Ubuntu path; RHEL-based systems use /var/log/httpd/access_log, and cPanel keeps per-domain logs under /usr/local/apache/domlogs/):

awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -nr | head -n 500

For Nginx:

awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -n 500

If the server sits behind a reverse proxy, load balancer or CDN, the first field is the proxy's address, not the visitor's. Configure the server to log the forwarded client IP (Apache mod_remoteip, Nginx ngx_http_realip_module) before relying on these counts, otherwise every visitor appears to come from a handful of proxy addresses.

Network Connections

Use netstat (or ss on newer systems) to see which remote IPs hold the most connections to your web ports. Grepping for ':80' alone also matches port 8080 and any ephemeral port beginning with 80, and cut -d: breaks on IPv6 addresses, so match the local port column explicitly and strip only the trailing port:

netstat -ntu | awk '$4 ~ /:(80|443)$/ {print $5}' | sed -E 's/:[0-9]+$//' | sort | uniq -c | sort -n | tail -n 500

The ss equivalent, restricted to established TCP connections:

ss -nt state established '( sport = :80 or sport = :443 )' | awk 'NR>1 {print $4}' | sed -E 's/:[0-9]+$//' | sort | uniq -c | sort -n | tail -n 500

A large number of connections sitting in SYN_RECV (netstat -nt | grep -c SYN_RECV) points to a SYN flood rather than HTTP-level abuse; the access log will show little or nothing for those sources because the handshake never completes.

Step 2: Analyzing the Data

Look at the top IPs in both lists for irregular patterns. A high number of requests from a single IP or a small range within a short period usually indicates an attack or misuse, but check what the requests are before acting: hundreds of hits per minute on wp-login.php, xmlrpc.php or a search endpoint from a scripted user agent is an attack or a misbehaving bot; the same volume spread evenly over a day from an address that also fetches your sitemap is probably a search crawler. Compare the counts against a normal day for the same log, and remember that a large corporate NAT gateway, a monitoring service or your own CDN can legitimately sit at the top of the list.

Step 3: Further Investigation with TCPdump

Capture a bounded sample of packets to see what the traffic actually is. Replace eth0 with your public interface (ip -br link lists them), restrict the capture to the web ports, and write to a file so you can inspect it later with tcpdump -r or Wireshark:

tcpdump -i eth0 -n -c 500 -w /root/capture.pcap 'tcp port 80 or tcp port 443'

To check specifically for a SYN flood, capture only SYN packets that carry no ACK:

tcpdump -i eth0 -n -c 500 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'

The -c limit matters: an unbounded capture on an already struggling host adds load and fills the disk.

Step 4: Cross-Referencing with CSF Logs

If you're using ConfigServer Security & Firewall (CSF), lfd.log records every automatic block together with an LF_ tag naming the rule that triggered it and the offending IP. The IP is not in a fixed column, so extract it with a regex rather than awk '{print $4}' (which returns the hostname field):

grep 'LF_' /var/log/lfd.log | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -nr | head -n 500

An IP that lfd blocks repeatedly but that keeps coming back after each temporary block expires is a candidate for a permanent deny. To see whether an address is currently blocked, and by which rule, run csf -g IP_ADDRESS.

Step 5: Taking Action

IP Blocking

Use iptables to block suspicious IPs. Insert the rule at the top of the INPUT chain with -I; -A appends it to the end, where an earlier ACCEPT for established connections or for port 80 may already have matched the packet:

iptables -I INPUT -s [IP_ADDRESS] -j DROP

Rules added this way are lost at reboot unless you save them (iptables-save, or your distribution's persistence package), and on a CSF-managed server they are flushed whenever CSF restarts. There, use csf -d [IP_ADDRESS] "reason" instead, which records the block in /etc/csf/csf.deny. Before blocking, confirm the address is not your own office, monitoring system, CDN or reverse proxy; blocking a proxy cuts off every visitor behind it. For more than a handful of addresses, a single ipset matched by one iptables rule scales better than one rule per IP.
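As an added example that is not part of the original article, the following POSIX shell script ties Steps 1, 2 and 5 together: it counts requests per client IP in a combined-format access log, flags addresses whose request rate in any single minute exceeds a threshold (the "short period" test of Step 2, which plain totals miss), and prints, without executing, the iptables or csf command that would block each one. The log lines, the threshold of 3 requests per minute and the function names are constructed for illustration; on a real server point it at your access log and raise the threshold to match your traffic.

```shell
#!/bin/sh
# Added example, not from the original article: aggregate requests per client IP
# from a combined-format access log (Step 1), flag IPs that exceed a per-minute
# burst threshold (Step 2), and print the matching block commands (Step 5).
# The sample lines, the threshold and the function names are assumptions.
set -eu

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT

# Constructed sample in Apache/Nginx "combined" format; not real traffic.
# 203.0.113.7 makes 4 requests spread over 4 minutes (normal browsing),
# 198.51.100.9 makes 5 requests within one minute (scripted login abuse).
cat > "$LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:12 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:02:30 +0000] "GET /contact HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:03:45 +0000] "GET /blog HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
2001:db8::10 - - [10/Mar/2024:10:02:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
garbage line that is not a request
EOF

# top_ips LOG N: total requests per IP, busiest first (Step 1). Lines whose first
# field is not an IPv4/IPv6 address are skipped instead of polluting the counts.
top_ips() {
  awk '$1 ~ /^[0-9a-fA-F.:]+$/ { n[$1]++ }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn | head -n "$2"
}

# burst_ips LOG THRESHOLD: IPs whose request count in any single minute exceeds
# THRESHOLD, printed with that peak count. A host spreading the same total over
# many minutes is not flagged; this is what "many requests in a short period" means.
burst_ips() {
  awk -v t="$2" '
    $1 ~ /^[0-9a-fA-F.:]+$/ && $4 ~ /^\[/ {
      minute = substr($4, 2, 17)        # "[10/Mar/2024:10:02:00" -> "10/Mar/2024:10:02"
      n[$1, minute]++
    }
    END {
      for (k in n) { split(k, p, SUBSEP); if (n[k] > peak[p[1]]) peak[p[1]] = n[k] }
      for (ip in peak) if (peak[ip] > t) printf "%s %d\n", ip, peak[ip]
    }' "$1" | sort -k2,2nr
}

# block_cmds MODE: read IPs on stdin and print (not run) the block command.
# iptables: -I puts the DROP ahead of any existing ACCEPT rule (-A would append
# behind them). csf: on a CSF-managed host, csf -d records the deny in csf.deny so
# it survives csf/lfd restarts, which raw iptables rules do not.
block_cmds() {
  while read -r ip; do
    case "$1" in
      csf) printf 'csf -d %s "excessive requests"\n' "$ip" ;;
      *)   printf 'iptables -I INPUT -s %s -j DROP\n' "$ip" ;;
    esac
  done
}

echo "== requests per IP =="
top_ips "$LOG" 500
echo "== more than 3 requests in a single minute =="
burst_ips "$LOG" 3
echo "== proposed blocks (review before running) =="
burst_ips "$LOG" 3 | awk '{print $1}' | block_cmds iptables
```

Run as-is to see the difference between the two views: 203.0.113.7 has almost as many total requests as 198.51.100.9 but never exceeds one request per minute, so only the scripted source is proposed for blocking. Pipe the proposed commands into sh only after checking the flagged addresses against your allowlist of proxies and monitoring hosts.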

Rate Limiting

Implement rate limiting in your web server to cap requests per client IP: Nginx's limit_req_zone and limit_req directives (usually keyed on $binary_remote_addr), or Apache's mod_evasive. Rate limits are more forgiving than blocks: a legitimate visitor who trips one gets a 429 or 503 for a moment rather than losing access, so they are the right first response when a source is merely too eager rather than clearly hostile.

DDoS Mitigation Services

Consider a DDoS mitigation service such as Cloudflare, which absorbs volumetric attacks before they reach your uplink. Two details decide whether it actually protects you: the origin server's IP must not be reachable directly (restrict the web ports to the provider's published IP ranges, otherwise attackers simply bypass the proxy), and your access logs must record the forwarded client IP rather than the proxy's address, or the log analysis in Step 1 becomes meaningless.

Step 6: Monitoring and Fine-tuning

Regularly review the logs and connection counts from Step 1, remove temporary blocks that are no longer needed, and adjust firewall rules and rate-limit thresholds as traffic patterns and attack methods change.

Step 7: Vendor and Support Liaison

If the issue persists, or the traffic volume exceeds what the host can absorb, engage your hosting provider. Give them the timestamps, the top source IPs and the packet capture from Step 3: that lets them apply upstream filtering or null-routing quickly instead of starting the investigation from scratch.


Understanding and mitigating DDoS attacks or excessive traffic is crucial for maintaining a robust web service. Given the right tools and methodologies, server administrators can effectively thwart these disruptive activities, thereby safeguarding business operations.
