How to Tell If You're Being DDoSed (And What to Do Fast)
Your server goes unreachable. Your internet connection saturates. Traffic graphs spike to absurd levels. You're either the victim of a DDoS attack or something in your infrastructure just broke catastrophically. The first job is figuring out which — fast.
The Signs of a DDoS
A volumetric DDoS flood is usually obvious from traffic graphs. Inbound bandwidth climbs to multiples of normal, latency spikes across the board, and legitimate requests start timing out or being dropped. The traffic comes from many different source IPs — that's the 'distributed' part. A single source flooding you is just a DoS, which is much easier to block.
Application-layer DDoS (Layer 7) is more subtle. Traffic volumes might look almost normal, but CPU usage on your web server maxes out, response times balloon, and the server becomes effectively unavailable. The attacker is sending requests that are expensive to process — complex database queries, large file uploads, slow POST requests that keep connections open.
Immediate Response Steps
Contact your upstream provider immediately. ISPs and hosting companies have nullrouting capability — they can blackhole traffic destined for your IP at their network edge, stopping the flood before it reaches your infrastructure. Nullrouting takes your IP offline, but that's better than your entire server being unreachable anyway.
If you're using a CDN or DDoS protection service, their mitigation should kick in automatically. Check their dashboard. If you're not using one — this is the moment you realise you should have been. Cloudflare, Akamai Prolexic, and AWS Shield provide varying levels of DDoS protection from free to enterprise-grade.
Distinguishing DDoS from Other Failures
The distinction matters here. Not every sudden outage is a DDoS. A viral post sending legitimate traffic to your server looks identical to a DDoS in terms of traffic volume. Check traffic sources: are packets coming from diverse IPs across many ASNs (likely attack), or from geographically clustered sources following a pattern that makes sense (possible legitimate spike)?
Check your network logs for SYN floods, UDP floods, or HTTP flood patterns. Check whether your own infrastructure failed — a database crash or application bug causing connection queues to fill looks similar from the outside. Rule out internal failures before assuming external attack.
Long-Term Protection
Rate limiting, IP reputation filtering, CAPTCHAs on exposed endpoints, and anycast-based DDoS scrubbing services are the practical defences. For high-value targets — financial services, gaming platforms, political sites — budget for dedicated DDoS mitigation. The attacks will come. The question is whether your architecture absorbs them.
Scrubbing Centres: How DDoS Mitigation Actually Works
Commercial DDoS mitigation services use a technique called traffic scrubbing. During an attack, BGP announcements reroute traffic destined for your IP through the provider's scrubbing centres — large data centres with hardware specifically designed to analyse and filter attack traffic at line rate. Clean traffic is forwarded on to your infrastructure; attack traffic is dropped. The whole rerouting process can happen within minutes of an attack being detected.
Akamai Prolexic, Radware, and Imperva offer this service for large enterprises. Cloudflare and AWS Shield cover smaller customers at lower price points. The key metric is the provider's total scrubbing capacity — if an attack generates more traffic than the provider can process, you're back to being offline. Major providers advertise scrubbing capacity in the tens of terabits per second, which handles all but the most extreme attacks.
Check Your IP Security Status
See if your IP is already flagged in security databases or blacklists.
Run Security CheckAbout Kunal Khatri
Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.
Related Articles
TLS 1.3: What Changed and Why You Should Care
TLS 1.3 dropped a decade of accumulated cruft from its predecessor and came out faster, more secure, and harder to attack. Understanding what changed matters for anyone running web infrastructure.
Zero-Day Vulnerabilities: What They Are and Why They're Dangerous
A zero-day is a vulnerability that nobody knows about yet — except the people exploiting it. The timeline from discovery to patch is where real damage happens.
SSL Certificates Explained Without the Jargon
SSL certificates enable HTTPS and underpin trust on the web. The certificate system is more complex — and more fragile — than the padlock icon suggests.
What Is a Botnet and How Your Device Could Be Part of One
Botnets are networks of compromised devices under attacker control. They power spam campaigns, DDoS attacks, and fraud — and your home device might be in one right now.
