The last post on identification of DDoS attacks did not cover analysis of the attack in cases where bandwidth graphs and connection status are not conclusive. In such a scenario, the best approach is to inspect the packets arriving at the server, which can be done with a packet sniffer such as tcpdump.
“tcpdump” is a popular sniffer command that does the job well. Using the switch “tcpdump -w”, one can write the captured packets to a file, which can then be analyzed with tools like Wireshark to get to the bottom of the attack. You can easily identify the protocol in question and apply multiple filters to the results. More on it can be read from here.
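As an added illustration (not code from the original post), the script below does offline what the post describes doing in Wireshark: it reads a file in the classic libpcap format that `tcpdump -w` writes, counts IPv4 packets per protocol and per source address, and reports the dominant source. The capture is constructed inline with documentation-range addresses (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24), so the script runs without tcpdump or a network; on a real server you would capture with something like `tcpdump -ni eth0 -w capture.pcap` and pass that file to `summarize`. The helper names and the sample traffic mix are assumptions for the example.

```python
import struct
import ipaddress
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, native byte order (little-endian here)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_frame(src_ip: str, dst_ip: str, proto: int, payload: bytes) -> bytes:
    """Build an Ethernet + IPv4 frame. Constructed sample data: MACs and the
    IP checksum are left zero, which is fine for counting but not for replay."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip + payload


def build_pcap(frames) -> bytes:
    """Serialise frames into the libpcap file format produced by `tcpdump -w`."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        # per-record header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_packets(pcap: bytes):
    """Yield raw frames from a little-endian pcap; stop cleanly on a truncated
    trailing record (common when tcpdump was killed mid-write)."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, link = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or link != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap magic or link type")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        if off + incl > len(pcap):
            break
        yield pcap[off:off + incl]
        off += incl


def summarize(pcap: bytes):
    """Return (packets per protocol, packets per source IP) for the capture."""
    by_proto, by_src = Counter(), Counter()
    for frame in iter_packets(pcap):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            by_proto["non-IPv4"] += 1
            continue
        ihl = (frame[14] & 0x0F) * 4          # IP header length in bytes
        if ihl < 20 or len(frame) < 14 + ihl:
            by_proto["malformed"] += 1
            continue
        proto = frame[23]                      # IP protocol field
        src = str(ipaddress.ip_address(frame[26:30]))
        by_proto[PROTO_NAMES.get(proto, f"proto-{proto}")] += 1
        by_src[src] += 1
    return by_proto, by_src


def dominant_source(by_src: Counter):
    """(source IP, share of IPv4 packets) for the busiest source; a single
    source carrying most of the traffic is the kind of signal the graphs hide."""
    total = sum(by_src.values())
    if not total:
        return None, 0.0
    ip, n = by_src.most_common(1)[0]
    return ip, n / total


# Constructed sample capture: a UDP burst from one source plus a little normal
# TCP and ICMP traffic towards the server at 192.0.2.10.
SERVER = "192.0.2.10"
SAMPLE_FRAMES = (
    [ipv4_frame("203.0.113.7", SERVER, 17, b"\x00" * 8) for _ in range(30)]
    + [ipv4_frame("198.51.100.2", SERVER, 6, b"\x00" * 20) for _ in range(3)]
    + [ipv4_frame("198.51.100.9", SERVER, 1, b"\x08\x00" + b"\x00" * 6)]
)
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    protos, sources = summarize(SAMPLE_PCAP)
    print("per protocol:", dict(protos))
    print("top sources:", sources.most_common(3))
    print("dominant source:", dominant_source(sources))
```

The reader handles only the classic pcap format with native (little-endian) byte order, which is what tcpdump writes on x86 hosts; a capture saved as pcapng (Wireshark's default save format) or one written on a big-endian machine would fail the magic check rather than be misread. The same per-protocol and per-source counts can be reproduced in Wireshark via Statistics > Protocol Hierarchy and Statistics > Endpoints.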