How to tell if your under DDOS attack?

NeoCHI

Active member
I'm very inexperienced with serverside stuff but have noticed my dedicated server gets slammed on a daily basis:

http://xenforo.com/community/threads/help-optimizing-mysql-high-server-load.75790/
http://xenforo.com/community/threads/consistent-deadlock.77605

Here's my server specs:
  • Intel Xeon Quad Core, 2.5GHz (8 threads)
  • 250 Mbps Uplink
  • 4 GB High Performance RAM
  • 1,000 GB RAID-1 Drives
  • 15 TB Bandwidth
I usually have around 1k users online.

The only reason that I suspect I'm under attack (other then the slowdowns) is that I see the following:

Code:
193.107.16.2069 failed login attempts to account root (system) -- Large number of attempts from this IP: 193.107.16.2062014-07-11 13:19:232014-07-25 13:19:23
 95.6.72.1524 failed login attempts to account web (system) -- Large number of attempts from this IP: 95.6.72.1522014-07-11 11:26:432014-07-25 11:26:43
 180.106.162.774 failed login attempts to account appinvasion (system) -- Large number of attempts from this IP: 180.106.162.772014-07-11 06:13:012014-07-25 06:13:01
 112.162.67.2413 failed login attempts to account Administrator@appinvasion.com (ftp) -- Large number of attempts from this IP: 112.162.67.2412014-07-11 04:35:362014-07-25 04:35:36
 37.159.188.903 failed login attempts to account zb (smtp) -- Large number of attempts from this IP: 37.159.188.902014-07-11 03:01:362014-07-25 03:01:36
 188.85.36.463 failed login attempts to account utilisateur (smtp) -- Large number of attempts from this IP: 188.85.36.462014-07-11 02:21:302014-07-25 02:21:30
 118.97.191.1564 failed login attempts to account usuario (smtp) -- Large number of attempts from this IP: 118.97.191.1562014-07-11 02:12:192014-07-25 02:12:19
 180.250.80.2373 failed login attempts to account trisha (smtp) -- Large number of attempts from this IP: 180.250.80.2372014-07-11 02:02:332014-07-25 02:02:33
 212.174.252.1303 failed login attempts to account testen (smtp) -- Large number of attempts from this IP: 212.174.252.1302014-07-11 01:43:332014-07-25 01:43:33
 46.171.143.943 failed login attempts to account tech (smtp) -- Large number of attempts from this IP: 46.171.143.942014-07-11 01:24:052014-07-25 01:24:05
 162.255.182.2013 failed login attempts to account ftpuser (system) -- Large number of attempts from this IP: 162.255.182.2012014-07-11 01:05:482014-07-25 01:05:48
 111.74.238.993 failed login attempts to account root (system) -- Large number of attempts from this IP: 111.74.238.992014-07-11 00:56:432014-07-25 00:56:43
 196.28.31.2454 failed login attempts to account stephanie (smtp) -- Large number of attempts from this IP: 196.28.31.2452014-07-11 00:55:132014-07-25 00:55:13
 105.236.161.1114 failed login attempts to account stephanie (smtp) -- Large number of attempts from this IP: 105.236.161.1112014-07-11 00:54:562014-07-25 00:54:56
 117.21.226.2063 failed login attempts to account root (system) -- Large number of attempts from this IP: 117.21.226.2062014-07-11 00:50:512014-07-25 00:50:51
 180.166.96.384 failed login attempts to account sophie (smtp) -- Large number of attempts from this IP: 180.166.96.382014-07-11 00:35:362014-07-25 00:35:36
 89.216.21.1363 failed login attempts to account sophie (smtp) -- Large number of attempts from this IP: 89.216.21.1362014-07-11 00:35:012014-07-25 00:35:01
 117.21.225.583 failed login attempts to account root (system) -- Large number of attempts from this IP: 117.21.225.582014-07-11 00:27:292014-07-25 00:27:29
 117.21.226.693 failed login attempts to account root (system) -- Large number of attempts from this IP: 117.21.226.692014-07-10 23:46:482014-07-24 23:46:48
 202.109.143.183 failed login attempts to account root (system) -- Large number of attempts from this IP: 202.109.143.182014-07-10 23:44:582014-07-24 23:44:58
.
.
.

within login/brute history report in cphulk brute force protection in my whm.Am I under attack?

If so, what should I do (please give simple instructions, I'm not very server saavy)?
 
Looks like a brute attack from the above log. Between cPHulk and enabling CSF firewall, it should ban all large failed login attempts
 
If you would face a DDOS, your site would be down, it's as simple as that.

What you see in the logs is not a DDOS attack but automated scripts trying to login to your system. This is common since since ten years. Enable CSF as a first step as you have been told, learn to harden your system or talk to a server expert.
 
If you would face a DDOS, your site would be down, it's as simple as that.

What you see in the logs is not a DDOS attack but automated scripts trying to login to your system. This is common since since ten years. Enable CSF as a first step as you have been told, learn to harden your system or talk to a server expert.

My site doesn't go down but it does hit major slowdowns from unknown reason.

So how exactly do you tell if your under DDOS attack?

Also, how would I go about finding a server expert?
 
No...your site would not necessarily be down from a DDoS attack. Small scale ones will do absolutely nothing. Really good servers/connections can even handle some of the moderate ones. Normally takes a pretty good size attack to shut a site down completely. Slowdowns are a definite possibility though. What you are seeing in that log, as has been mentioned, is some form of brute force/dictionary attack, attempting to discover the root password for your system. Assuming you have taken the appropriate security precautions, they are nothing to worry about, as those IPs will simply be blocked. Happens probably billions of times a day to servers on the Internet.

The slow downs could be from anything. You should be able to view your bandwidth usage, to get an idea of whether or not you are experiencing a DDoS attack. Here's what one small scale one looked like a couple weeks ago on one of our servers:

ddos.webp

You can easily see the incoming vs. the outgoing bandwidth. Was getting 250-300mbps inbound traffic from thousands of computers/servers around the world. You would very likely see something similar. You can also use iftop and iptraf to see the inbound connections to your server. Those two tools are VERY helpful when it comes to identifying and mitigating DDoS attacks.

Aside from that, the slowdowns could be absolutely anything. Have you tried running top when the slowdowns occur? If not, I suggest you do that and post the results here.
 
Top Bottom