
How to Tell If You're Being DDoSed (And What to Do Fast)

By Kunal Khatri·Mar 5, 2026

Your server goes unreachable. Your internet connection saturates. Traffic graphs spike to absurd levels. You're either the victim of a DDoS attack or something in your infrastructure just broke catastrophically. The first job is figuring out which — fast.

The Signs of a DDoS

A volumetric DDoS flood is usually obvious from traffic graphs. Inbound bandwidth climbs to multiples of normal, latency spikes across the board, and legitimate requests start timing out or being dropped. The traffic comes from many different source IPs — that's the 'distributed' part. A single source flooding you is just a DoS, which is much easier to block.

Application-layer DDoS (Layer 7) is more subtle. Traffic volumes might look almost normal, but CPU usage on your web server maxes out, response times balloon, and the server becomes effectively unavailable. The attacker is sending requests that are expensive to process — complex database queries, large file uploads, slow POST requests that keep connections open.

Immediate Response Steps

Contact your upstream provider immediately. ISPs and hosting companies have nullrouting capability: they can blackhole traffic destined for your IP at their network edge, stopping the flood before it reaches your infrastructure. Nullrouting takes your IP offline, but under a flood that IP was unreachable anyway, and dropping the traffic upstream keeps it from saturating everything else you run.

If you're using a CDN or DDoS protection service, their mitigation should kick in automatically. Check their dashboard. If you're not using one — this is the moment you realise you should have been. Cloudflare, Akamai Prolexic, and AWS Shield provide varying levels of DDoS protection from free to enterprise-grade.

Distinguishing DDoS from Other Failures

Wait — this matters. Not every sudden outage is a DDoS. A viral post sending legitimate traffic to your server looks identical to a DDoS in terms of traffic volume. Check traffic sources: are packets coming from diverse IPs across many ASNs (likely attack), or from geographically clustered sources following a pattern that makes sense (possible legitimate spike)?

Check your network logs for SYN floods, UDP floods, or HTTP flood patterns. Check whether your own infrastructure failed — a database crash or application bug causing connection queues to fill looks similar from the outside. Rule out internal failures before assuming external attack.
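The checks above can be run as a first pass over a window of web server access logs. The following is an added example, not code from the original article: the function names, the thresholds, and the use of the IPv4 /16 prefix as a rough offline stand-in for an ASN lookup are all assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

# Common/combined log format: client IP, [timestamp], "METHOD path ...", status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')

def summarize(lines):
    """Reduce one window of access-log lines to the metrics used for triage."""
    ips, paths, seconds, errors = Counter(), Counter(), set(), 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, ts, path, status = m.groups()
        ips[ip] += 1
        paths[path.split("?")[0]] += 1
        seconds.add(ts)  # timestamps have one-second resolution
        errors += status.startswith("5")
    total = sum(ips.values())
    if total == 0:
        return None
    return {
        "rate": total / len(seconds),  # requests per second that saw traffic
        "unique_ips": len(ips),
        "prefixes": len({ip.rsplit(".", 2)[0] for ip in ips}),  # IPv4 /16, rough ASN proxy
        "top_ip_share": ips.most_common(1)[0][1] / total,
        "top_path_share": paths.most_common(1)[0][1] / total,
        "error_share": errors / total,
    }

def triage(m, baseline_rate, surge=5.0):
    """Classify a window. Thresholds are assumptions; tune them to your own baseline."""
    if m is None:
        return "no-data"
    if m["rate"] < surge * baseline_rate:
        # No traffic surge: a pile of 5xx points at your own stack, not an attack.
        return "internal-failure-suspected" if m["error_share"] > 0.5 else "normal"
    if m["top_ip_share"] > 0.5:
        return "single-source-dos"  # one address dominates: block it
    return "distributed-surge"  # DDoS or viral spike: check ASN spread and top path next

def make(ip, sec, path="/", status=200):
    """Build one constructed log line for the demo."""
    return f'{ip} - - [05/Mar/2026:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 512'

if __name__ == "__main__":
    # Constructed sample: 150 sources, 2 requests each, within 2 seconds, one path.
    flood = [make(f"10.{i}.0.{i}", s, "/search?q=x") for i in range(150) for s in (0, 1)]
    stats = summarize(flood)
    print(stats, triage(stats, baseline_rate=10))
```

A `distributed-surge` verdict does not separate an attack from a viral spike on its own; it tells you the outage is traffic-driven, so the ASN and path checks are the next step.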

Long-Term Protection

Rate limiting, IP reputation filtering, CAPTCHAs on exposed endpoints, and anycast-based DDoS scrubbing services are the practical defences. For high-value targets — financial services, gaming platforms, political sites — budget for dedicated DDoS mitigation. The attacks will come. The question is whether your architecture absorbs them.
