
## DDoS symptoms vs normal traffic spikes

Traffic surges are common when your site becomes popular or runs a promotion, but sometimes a spike can be caused by a **Distributed Denial‑of‑Service (DDoS)** attack.  Distinguishing between the two helps you respond appropriately.

### Signs of a normal traffic spike

- **Predictable timing** – Spikes often correspond to marketing campaigns, product launches or events (e.g., a sale starting at noon).  Logs show increased traffic from expected geographies and referrers.
- **Gradual ramp‑up** – Legitimate traffic usually ramps up over minutes or hours as users share links.  Requests per second (RPS) and packets per second (PPS) rise smoothly.
- **Completed connections and requests** – TCP handshakes complete and web server logs show normal 200/302 responses, pages fetched together with their assets, and session cookies being set.  Users are able to load pages, albeit more slowly.

### Signs of a DDoS attack

- **Sudden surge of packets** – A DDoS typically starts abruptly: packet, connection or request rates jump by orders of magnitude within seconds rather than minutes, saturating bandwidth, the connection‑tracking table or the web server's worker pool.
- **Distributed sources** – Traffic comes from thousands of IP addresses across many networks, often from countries or networks where you have no user base.  IPs may change rapidly and carry no legitimate referrer.
- **Malformed or repetitive requests** – Attacks may use SYN floods (half‑open TCP connections), UDP floods (random ports) or HTTP floods (repetitive GET/POST requests).  Logs show identical requests (same path and User‑Agent, no referrer) with no session or cookie negotiation.
- **Resource exhaustion** – CPU, memory or network usage on your container spikes even though application logs show little legitimate activity.  You may see many sockets in `SYN_RECV` in `netstat -ant` or `ss -ant`, or many `connection reset` messages.

### What to do

1. **Check monitoring and logs** – Use graphs from IllusionCloud’s dashboard or tools like Netdata to see whether the increase is in bandwidth, packets or connections.  Review web server logs (`/var/log/nginx/access.log` or `/var/log/apache2/access.log`) for patterns in IP addresses and user agents.
2. **Confirm legitimate events** – Did you launch a campaign, send a newsletter or go viral on social media?  If yes, the spike may be normal.  Optimise caching and enable a content‑delivery network (CDN) to absorb the load.
3. **Mitigate potential DDoS** – If the traffic appears malicious:
   - Enable or verify **DDoS protection** in your control panel (IllusionCloud includes basic mitigation by default).
   - Block offending IP ranges or protocols via firewall rules (e.g., drop unsolicited inbound UDP if you serve only TCP, while still allowing established/related traffic so DNS replies to your own host get through).
   - Rate‑limit requests and connections with web server settings (e.g., Nginx `limit_req_zone`/`limit_req` and `limit_conn_zone`/`limit_conn`).  These limits key on the client IP, so behind a CDN or reverse proxy the real client address must be restored first (Nginx `set_real_ip_from`/`real_ip_header`), or you will throttle the proxy instead of the attacker.
   - Offload static content to a CDN to reduce load on your VPS.
4. **Contact support** – If your container is unresponsive or you cannot mitigate the attack, open a support ticket.  Provide logs, top IP addresses and timestamps.  IllusionCloud can enable advanced filtering or temporarily null‑route traffic to keep the network stable; note that a null route drops all traffic to the affected IP, so the site is offline until it is lifted.
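As an added example (not part of this IllusionCloud article or its dashboard tooling), the script below runs the checks from step 1 and the two "Signs" sections above over constructed Nginx/Apache combined‑format access log lines: it measures burstiness (peak requests per second), source spread (distinct IPs), request sameness (share of requests with one method/path/User‑Agent), missing referrers and success rate, then gives a verdict. The thresholds in `classify` and the two log samples are assumptions for illustration; tune the thresholds against your own baseline traffic before relying on them.

```python
"""Triage an Nginx/Apache combined-format access log: organic spike or HTTP flood?
Added illustration; the thresholds below are assumptions, not vendor defaults."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Combined log format: ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split()
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["second"] = rec["ts"][:20]  # '01/May/2024:12:00:00' -> one bucket per second
    return rec


def summarize(lines):
    """Compute the indicators the article lists: burstiness, source spread, sameness, referrers, status."""
    recs = [r for r in map(parse_line, lines) if r]
    n = len(recs)
    if n == 0:
        return None
    per_second = Counter(r["second"] for r in recs)
    signatures = Counter((r["method"], r["path"], r["ua"]) for r in recs)
    return {
        "requests": n,
        "distinct_ips": len({r["ip"] for r in recs}),
        "peak_rps": max(per_second.values()),
        "top_signature_share": signatures.most_common(1)[0][1] / n,
        "no_referrer_share": sum(r["ref"] == "-" for r in recs) / n,
        "distinct_paths": len({r["path"] for r in recs}),
        "ok_share": sum(r["status"][0] in "23" for r in recs) / n,
        "top_ips": Counter(r["ip"] for r in recs).most_common(5),  # what support asks for
    }


def classify(stats, peak_rps_limit=100, sameness_limit=0.8, no_ref_limit=0.8):
    """Assumed heuristic: two or more flood indicators at once -> treat as an attack."""
    reasons = []
    if stats["peak_rps"] >= peak_rps_limit:
        reasons.append(f"abrupt burst: {stats['peak_rps']} req/s in a single second")
    if stats["top_signature_share"] >= sameness_limit:
        reasons.append(f"{stats['top_signature_share']:.0%} of requests share one (method, path, UA)")
    if stats["no_referrer_share"] >= no_ref_limit and stats["distinct_ips"] > 50:
        reasons.append(f"{stats['no_referrer_share']:.0%} have no referrer across {stats['distinct_ips']} IPs")
    verdict = "likely HTTP flood" if len(reasons) >= 2 else "looks like organic traffic"
    return verdict, reasons


def _line(ip, when, req, status, ref, ua):
    """Build one combined-format log line for the constructed samples below."""
    ts = when.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "{req}" {status} 1024 "{ref}" "{ua}"'


T0 = datetime(2024, 5, 1, 12, 0, 0)
BROWSER = "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"

# Constructed sample: a campaign spike, eight real users browsing several pages with referrers.
ORGANIC = [
    _line(f"203.0.113.{i % 8 + 1}", T0 + timedelta(seconds=3 * i),
          f"GET /{['', 'sale', 'cart', 'product/42'][i % 4]} HTTP/1.1",
          [200, 200, 302][i % 3], ["https://t.co/x", "https://news.example/", "-"][i % 3], BROWSER)
    for i in range(24)
]

# Constructed sample: an HTTP flood, 200 distinct sources hitting "/" with one UA, no referrer, in two seconds.
FLOOD = [
    _line(f"198.51.100.{i}", T0 + timedelta(seconds=i // 100), "GET / HTTP/1.1", 200, "-", "python-requests/2.31")
    for i in range(200)
]

if __name__ == "__main__":
    for name, sample in (("organic", ORGANIC), ("flood", FLOOD)):
        stats = summarize(sample)
        verdict, reasons = classify(stats)
        print(f"{name}: {verdict}; peak {stats['peak_rps']} req/s, {stats['distinct_ips']} IPs, top {stats['top_ips'][:3]}")
        for r in reasons:
            print("  -", r)
```

On a real host, feed `summarize` the lines of `/var/log/nginx/access.log` (or the Apache equivalent) for the minutes around the spike rather than the whole file, since the per‑second peak and the identical‑request share only mean something over a short window. The `top_ips` list is the material step 4 asks you to attach to a support ticket.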

### Summary

Normal traffic spikes are tied to real events and show typical user behavior.  DDoS attacks start abruptly, originate from many IPs and often use malformed or repetitive requests to exhaust resources.  Monitoring traffic patterns and enabling anti‑DDoS protections help you distinguish between the two and respond effectively.