Security

DDoS Protection: How Attacks Work and How to Defend Your Server

May 13, 2026

Security May 13, 2026

The Growing Threat of DDoS Attacks

A Distributed Denial of Service (DDoS) attack is one of the most disruptive threats a server can face. Unlike other cyberattacks that try to steal data or inject malicious code, a DDoS attack has a single, brutal objective: overwhelm your server with so much traffic that it cannot serve legitimate users. Your website goes offline, your business loses revenue, and your reputation takes a hit.

DDoS attacks have grown both in frequency and sophistication. What used to require botnets of thousands of compromised machines can now be launched by a single person using cheap "DDoS-as-a-service" tools. Attacks regularly exceed 1 Tbps (terabit per second), and even small attacks of 1-10 Gbps can take down an unprotected server in seconds.

This guide covers the different types of DDoS attacks, defense strategies at every layer of the network stack, and practical configurations you can implement today to protect your server.

What you will learn: DDoS attack types (volumetric, protocol, application-layer), kernel-level defenses, nftables/iptables rate limiting, fail2ban rules, Nginx rate limiting, Cloudflare protection, monitoring during an attack, and building an incident response plan.

Understanding DDoS Attack Types

DDoS attacks are classified into three categories based on which layer of the network stack they target. Understanding this classification is essential for choosing the right defense strategy.

Layer 3/4: Volumetric and Protocol Attacks

These attacks flood your server's network connection with raw traffic, attempting to saturate your bandwidth or exhaust connection state tables.

SYN Flood Protocol

Sends thousands of TCP SYN packets without completing the three-way handshake. Each half-open connection consumes server memory until the connection table is exhausted and no new connections can be accepted.

UDP Flood Volumetric

Sends massive volumes of UDP packets to random ports. The server wastes resources checking for listening applications and sending ICMP "destination unreachable" responses for each packet.

DNS Amplification Volumetric

Sends small DNS queries to open resolvers with the victim's spoofed IP address. The resolvers send large responses (50-70x amplification) to the victim, flooding their bandwidth.

NTP Amplification Volumetric

Exploits NTP's monlist command for 200x amplification. A 1 Gbps attack source becomes a 200 Gbps attack at the victim. This is one of the most powerful amplification vectors.

Layer 7: Application-Layer Attacks

These are the most dangerous attacks because they look like legitimate traffic. Instead of flooding bandwidth, they target resource-intensive endpoints that consume CPU, memory, or database queries.

Attack Type	Method	Why It is Dangerous
HTTP Flood	Thousands of seemingly valid HTTP requests	Hard to distinguish from real users
Slowloris	Opens connections, sends headers slowly, never completes	Ties up all available connection slots
RUDY (R-U-Dead-Yet)	Sends POST body data one byte at a time	Keeps connections open for minutes
WordPress xmlrpc.php	Pingback requests as amplification vector	Each request triggers expensive DB queries
Login brute force	Thousands of login attempts per second	Each attempt requires password hashing (CPU-intensive)

Defense Layer 1: Kernel-Level Mitigations

The first line of defense is the Linux kernel itself. These sysctl parameters help your server handle connection floods without crashing:

# /etc/sysctl.d/99-ddos-protection.conf # Enable SYN cookies — prevents SYN flood from exhausting connection table net.ipv4.tcp_syncookies = 1 # Reduce SYN-ACK retries (default 5, each retry doubles timeout) net.ipv4.tcp_synack_retries = 2 # Increase the SYN backlog (half-open connections queue) net.ipv4.tcp_max_syn_backlog = 65536 # Increase connection tracking table (for nftables/iptables) net.netfilter.nf_conntrack_max = 1000000 # Decrease conntrack timeout for established connections net.netfilter.nf_conntrack_tcp_timeout_established = 600 # Enable reverse path filtering (blocks spoofed IPs) net.ipv4.conf.all.rp_filter = 1 # Ignore ICMP broadcast requests (prevent Smurf attacks) net.ipv4.icmp_echo_ignore_broadcasts = 1 # Increase file descriptor limit fs.file-max = 2097152

# Apply immediately sysctl -p /etc/sysctl.d/99-ddos-protection.conf

What SYN cookies do: Instead of allocating memory for each SYN packet, the kernel encodes the connection information into the SYN-ACK sequence number. Only when the client completes the three-way handshake (proving it is a real client, not a spoofed IP) does the kernel allocate resources. This makes SYN floods nearly harmless.

Defense Layer 2: Firewall Rate Limiting (nftables)

nftables (the modern replacement for iptables) can rate-limit connections and drop packets from abusive IPs before they reach your application:

#!/usr/sbin/nft -f # /etc/nftables.conf — DDoS protection rules table inet ddos_protection { set blackhole { type ipv4_addr flags timeout timeout 1h } chain input { type filter hook input priority -100; policy accept; # Drop packets from blackholed IPs ip saddr @blackhole drop # Rate limit new TCP connections (100/sec per IP) tcp flags syn limit rate over 100/second burst 150 packets \ add @blackhole { ip saddr timeout 10m } drop # Rate limit ICMP (prevent ping flood) icmp type echo-request limit rate 10/second burst 20 packets accept icmp type echo-request drop # Drop invalid packets ct state invalid drop # Drop malformed TCP flags tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop tcp flags & (fin|syn) == (fin|syn) drop tcp flags & (syn|rst) == (syn|rst) drop } }

Using iptables (Legacy)

If your server still uses iptables, here are equivalent rules:

# Limit new connections per IP iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 100 -j DROP # Rate limit new TCP connections iptables -A INPUT -p tcp --syn -m limit --limit 100/s --limit-burst 150 -j ACCEPT iptables -A INPUT -p tcp --syn -j DROP # Drop invalid packets iptables -A INPUT -m state --state INVALID -j DROP # Drop NULL packets iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Defense Layer 3: Fail2ban Auto-Blocking

Fail2ban monitors log files for abusive patterns and automatically bans offending IPs. It is one of the most effective tools against application-layer DDoS because it can detect behavior patterns that simple rate limiting misses.

HTTP Flood Protection

# /etc/fail2ban/filter.d/nginx-http-flood.conf [Definition] failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*"$ ignoreregex =

# /etc/fail2ban/jail.d/nginx-http-flood.conf [nginx-http-flood] enabled = true filter = nginx-http-flood logpath = /var/log/nginx/access.log maxretry = 300 findtime = 60 bantime = 3600 action = nftables-multiport[name=http-flood, port="80,443"]

This configuration bans any IP that makes more than 300 requests in 60 seconds for one hour. Adjust the thresholds based on your normal traffic patterns.

WordPress xmlrpc Protection

# /etc/fail2ban/filter.d/nginx-xmlrpc.conf [Definition] failregex = ^ -.*"POST /xmlrpc\.php.*" ignoreregex =

Defense Layer 4: Nginx Rate Limiting

Nginx's built-in rate limiting module provides application-layer protection directly at the web server level. It is effective against HTTP floods and brute force attacks:

# /etc/nginx/conf.d/rate-limiting.conf # Define rate limit zones limit_req_zone $binary_remote_addr zone=general:10m rate=30r/s; limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m; limit_req_zone $binary_remote_addr zone=api:10m rate=60r/s; # Define connection limit limit_conn_zone $binary_remote_addr zone=connlimit:10m;

Apply the rate limits in your server blocks:

server { # General rate limit for all requests limit_req zone=general burst=50 nodelay; limit_conn connlimit 50; # Strict rate limit for login pages location /wp-login.php { limit_req zone=login burst=3 nodelay; # ... proxy/fastcgi config } # API rate limiting location /api/ { limit_req zone=api burst=100 nodelay; # ... proxy config } # Block xmlrpc entirely location = /xmlrpc.php { deny all; return 444; } # Custom error page for rate-limited requests limit_req_status 429; error_page 429 /429.html; }

Tuning tip: The burst parameter allows temporary spikes above the rate limit. Without nodelay, burst requests are queued and served gradually. With nodelay, burst requests are served immediately but excess requests above the burst are dropped. For DDoS protection, nodelay is usually what you want.

Defense Layer 5: Cloudflare Protection

For serious DDoS protection, a CDN/proxy like Cloudflare sits in front of your server and absorbs attack traffic before it reaches your infrastructure. Cloudflare's network can handle multi-terabit attacks that would overwhelm any single server.

Essential Cloudflare Settings

Setting	Recommended Value	Purpose
SSL/TLS Mode	Full (Strict)	Encrypts traffic between Cloudflare and your server
Under Attack Mode	Off (enable during attack)	Shows JavaScript challenge to all visitors
Bot Fight Mode	On	Challenges known bot signatures
Browser Integrity Check	On	Blocks requests with suspicious headers
Challenge Passage	30 minutes	How long a solved challenge remains valid
Security Level	Medium or High	Controls challenge threshold for suspicious IPs

Restricting Direct Server Access

When using Cloudflare, your server should only accept connections from Cloudflare's IP ranges. This prevents attackers from bypassing Cloudflare by connecting directly to your origin IP:

# Only allow Cloudflare IPs to reach your web server nft add rule inet filter input tcp dport { 80, 443 } \ ip saddr != { 173.245.48.0/20, 103.21.244.0/22, 103.22.200.0/22, \ 103.31.4.0/22, 141.101.64.0/18, 108.162.192.0/18, \ 190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22, \ 198.41.128.0/17, 162.158.0.0/15, 104.16.0.0/13, \ 104.24.0.0/14, 172.64.0.0/13, 131.0.72.0/22 } drop

Panelica tip: Panelica includes built-in DDoS defense: ModSecurity WAF with OWASP CRS rules, Fail2ban auto-blocking, nftables firewall rules, and Cloudflare deep integration — all configured from the panel without touching the command line.

Defense Layer 6: ModSecurity WAF

A Web Application Firewall (WAF) inspects HTTP request content and blocks malicious patterns. ModSecurity with the OWASP Core Rule Set (CRS) provides a comprehensive layer of defense against application-layer attacks:

# ModSecurity DDoS protection rules SecRule IP:REQUEST_RATE "@gt 100" \ "id:900100, phase:1, deny, status:429, \ msg:'Request rate too high'" SecRule REQUEST_URI "@streq /xmlrpc.php" \ "id:900200, phase:1, deny, status:403, \ msg:'xmlrpc.php access blocked'" # Block known DDoS tools by User-Agent SecRule REQUEST_HEADERS:User-Agent "@rx (havij|sqlmap|nikto|w3af|nessus)" \ "id:900300, phase:1, deny, status:403, \ msg:'Known attack tool blocked'"

Monitoring During an Attack

When a DDoS attack hits, you need real-time visibility into what is happening. Here are the essential commands for monitoring an active attack:

# Top IPs by connection count ss -tn state established | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -20 # Current connection states ss -s # Real-time request rate from access log tail -f /var/log/nginx/access.log | pv -l -i5 -r > /dev/null # Top requesting IPs from access log awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20 # Network bandwidth per interface iftop -n -i eth0 # Check SYN flood (half-open connections) ss -tn state syn-recv | wc -l # Check nftables counter stats nft list ruleset -a | grep -A1 "counter"

Emergency Response: Under Active Attack

When you detect an active DDoS attack, follow this response procedure:

Identify the attack type — Check bandwidth (volumetric?), connection count (SYN flood?), or request rate (application-layer?). This determines your response.

Enable Cloudflare Under Attack Mode — If you use Cloudflare, enable "I'm Under Attack" mode immediately. This adds a JavaScript challenge that blocks most bot traffic.

Block top offending IPs — Identify the top attacking IPs and block them at the firewall level:

# Block a single IP nft add element inet ddos_protection blackhole { 203.0.113.50 timeout 24h } # Block an entire subnet nft add rule inet filter input ip saddr 203.0.113.0/24 drop # Block a country (using GeoIP) nft add rule inet filter input ip saddr @geoip_cn drop

Tighten rate limits — Temporarily lower your Nginx and firewall rate limits. You may impact some legitimate users, but keeping the server alive is the priority.

Contact your hosting provider — If the attack saturates your bandwidth, only your hosting provider or upstream network can help by null-routing the attack traffic or enabling network-level scrubbing.

Building a DDoS Defense Strategy

Effective DDoS defense is layered. No single tool stops all attack types. Here is the recommended defense stack:

Cloudflare CDN
Absorbs volumetric

→

Kernel tuning
SYN cookies, conntrack

→

nftables
Rate limiting

→

Fail2ban
Pattern detection

→

Nginx limits
Application layer

→

ModSecurity WAF
Request inspection

DDoS Prevention Checklist

SYN cookies enabled in kernel
Connection tracking limits tuned
Reverse path filtering enabled
nftables/iptables rate limiting configured
Fail2ban monitoring access logs
Nginx rate limiting on all endpoints
Login/admin pages have strict rate limits
WordPress xmlrpc.php blocked
Cloudflare proxying all traffic
Origin server only accepts Cloudflare IPs
ModSecurity WAF with OWASP CRS enabled
Monitoring and alerting configured
Incident response plan documented and tested

Wrapping Up

DDoS protection is not a single configuration change — it is a layered defense strategy that covers every level of the network stack. The kernel handles SYN floods with SYN cookies, the firewall rate-limits connections, fail2ban detects behavioral patterns, Nginx limits application-layer requests, ModSecurity inspects request content, and Cloudflare absorbs volumetric attacks before they reach your server.

The most important takeaway is to prepare before an attack happens. Configure your defenses, test them, document your response procedure, and know who to contact (hosting provider, Cloudflare support) when an attack exceeds what your server can handle alone. A prepared server can survive most DDoS attacks with minimal downtime; an unprepared one will go down in seconds.