DDoS Attack Source

Critical Active Attack

A Distributed Denial of Service (DDoS) source is a host — typically part of a botnet — that participates in volumetric or application-layer attacks designed to exhaust a target's bandwidth, CPU, or connection table. Sources send floods of traffic (SYN floods, UDP floods, HTTP floods) to render the target unreachable. Because DDoS traffic originates from thousands of legitimately owned but compromised machines, IP-level blocking alone is insufficient.


Critical Severity

This threat is classified as critical severity. Immediate action required.

🔍Indicators

  • Sustained high-volume outbound traffic to a single destination IP/port from this host
  • TCP SYN packets sent at rates of thousands per second without completing handshakes
  • UDP packets sent in bursts to random destination ports at maximum line rate
  • HTTP GET/POST floods to a specific URL with minimal variation in request pattern
  • System CPU/network interface saturation with traffic not matching normal workload
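The indicators above can be checked mechanically over a packet capture. The following is an added example, not code from the original page: it applies the SYN-rate, handshake-completion, UDP port-spread and single-destination heuristics to a constructed capture. The `Pkt` record layout, every threshold constant and the sample hosts are assumptions chosen for the example; on a real host the records would be parsed from `tcpdump -nn` output (that parsing is not shown).

```python
"""Apply the DDoS-source indicators to a capture of outbound packets.

Added example, not code from the original page: the Pkt record layout,
the thresholds and the sample capture are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # capture timestamp, seconds
    src: str
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    flags: str = ""  # TCP flags as tcpdump prints them: "S" = SYN, "." = ACK


# Assumed thresholds; tune them against your own hosts' normal traffic.
SYN_PER_SEC = 1000       # peak outbound SYNs per second from one host
MAX_COMPLETION = 0.05    # ACKs / SYNs; a flooder never finishes handshakes
UDP_PKTS = 1000
UDP_PORT_SPREAD = 0.8    # distinct destination ports / UDP packets
SINGLE_DST_SHARE = 0.9   # share of a host's packets aimed at one destination
MIN_PKTS = 1000


def analyze(pkts, window=1.0):
    """Return {src: [indicator, ...]} for hosts matching at least one indicator."""
    by_src = defaultdict(list)
    for p in pkts:
        by_src[p.src].append(p)

    findings = {}
    for src, plist in by_src.items():
        hits = []

        # Indicator: SYNs at thousands per second with no handshake completion
        syn_buckets = Counter(int(p.ts // window) for p in plist
                              if p.proto == "tcp" and p.flags == "S")
        syns = sum(syn_buckets.values())
        acks = sum(1 for p in plist if p.proto == "tcp" and p.flags == ".")
        if (syn_buckets and max(syn_buckets.values()) / window >= SYN_PER_SEC
                and acks / syns < MAX_COMPLETION):
            hits.append("syn_flood")

        # Indicator: UDP bursts sprayed across random destination ports
        udp = [p for p in plist if p.proto == "udp"]
        if (len(udp) >= UDP_PKTS
                and len({p.dport for p in udp}) / len(udp) >= UDP_PORT_SPREAD):
            hits.append("udp_port_spray")

        # Indicator: sustained high volume to a single destination
        _, top_n = Counter(p.dst for p in plist).most_common(1)[0]
        if len(plist) >= MIN_PKTS and top_n / len(plist) >= SINGLE_DST_SHARE:
            hits.append("single_destination")

        if hits:
            findings[src] = sorted(hits)
    return findings


def sample_capture():
    """Constructed packets: a SYN flooder, a UDP flooder and one normal host."""
    pkts = []
    # 10.0.0.5: 3000 SYNs in one second to a single target, no ACKs ever sent
    for i in range(3000):
        pkts.append(Pkt(i / 3000, "10.0.0.5", "203.0.113.10", 80, "tcp", "S"))
    # 10.0.0.9: 2000 UDP packets to one target, a different port every packet
    # (7919 is coprime with 60000, so all 2000 ports are distinct)
    for i in range(2000):
        pkts.append(Pkt(i / 2000, "10.0.0.9", "198.51.100.20",
                        1024 + (i * 7919) % 60000, "udp"))
    # 10.0.0.7: 20 ordinary connections, each SYN followed by the ACK that
    # completes the handshake
    for i in range(20):
        dst = f"192.0.2.{i + 1}"
        pkts.append(Pkt(float(i), "10.0.0.7", dst, 443, "tcp", "S"))
        pkts.append(Pkt(i + 0.05, "10.0.0.7", dst, 443, "tcp", "."))
    return pkts


if __name__ == "__main__":
    for host, hits in sorted(analyze(sample_capture()).items()):
        print(f"{host}: {', '.join(hits)}")
```

The handshake-completion ratio is what separates a flooder from a busy but legitimate client: a web crawler also opens many connections, but it finishes its handshakes, so `acks / syns` stays near or above 1 and the SYN-rate test alone would misfire.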

🛡Detection Methods

Detect outbound flood with netstat/ss

# Count established connections per peer address. With a state filter, ss
# omits the State column, so the peer address is field 4 (not 5); -H drops
# the header line and the sed strips the trailing port, IPv6-safe.
ss -Htn state established | awk '{print $4}' | sed 's/:[^:]*$//' | \
  sort | uniq -c | sort -rn | head -10

tcpdump — SYN flood signature

# Count outbound pure-SYN packets (SYN set, ACK clear) per second. -Q out keeps
# only packets leaving the interface, -l line-buffers output so the pipe
# updates live, and the HH:MM:SS comes from tcpdump's own timestamp field.
tcpdump -l -i eth0 -nn -Q out 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | \
  awk '{print substr($1, 1, 8)}' | uniq -c

iptables — Detect and limit outbound SYN rate

# Allow up to 100 outbound SYN/s (burst 200); log and drop anything above that.
# These rules are appended, so they must precede any blanket ACCEPT in OUTPUT.
iptables -A OUTPUT -p tcp --syn -m limit --limit 100/s --limit-burst 200 -j ACCEPT
iptables -A OUTPUT -p tcp --syn -j LOG --log-prefix "DDoS_SYN_OUT: "
iptables -A OUTPUT -p tcp --syn -j DROP

Netflow/sFlow analysis (if available)

# nfdump — show top-N talkers by packet count
nfdump -r /var/cache/nfdump/nfcapd.current -s srcip/packets -n 20

CloudWatch / Datadog alert

Monitor NetworkOut bytes — alert when 10-minute average exceeds 3× baseline.

Mitigation

  1. Deploy upstream DDoS scrubbing — Use a cloud DDoS mitigation service (Cloudflare Magic Transit, AWS Shield Advanced, Akamai Prolexic) to absorb volumetric attacks before they reach your network edge.
  2. Anycast routing — Distribute traffic across multiple Points of Presence so no single datacenter is overwhelmed.
  3. Rate-limit egress on compromised hosts — If a host is identified as a DDoS source, immediately rate-limit its outbound traffic and quarantine it from the network.
  4. Implement BGP blackhole routing (RTBH) — Signal upstream providers to drop traffic to a victim prefix at their edge, protecting your own infrastructure during an attack.
  5. Keep systems patched to prevent botnet infection — Most DDoS sources are compromised end-user machines; aggressive patching and endpoint protection reduce your contribution to global botnet capacity.
  6. Enable BCP38 ingress filtering — Prevent IP spoofing on your network by dropping packets with source addresses outside your allocated prefixes at the router level.
  7. Monitor and auto-isolate anomalous hosts — Use SIEM correlation rules to auto-quarantine any internal host generating outbound traffic exceeding 10× its rolling average.
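Both the CloudWatch/Datadog alert above (10-minute average above 3× baseline) and mitigation step 7 (auto-quarantine above 10× the rolling average) are the same rolling-baseline comparison with different multipliers. The following is an added example, not code from the original page: it keeps a per-host history of NetworkOut samples, compares the recent window against the trailing baseline, and returns a tiered verdict. The window lengths, the minimum-volume floor, and the three sample hosts' series are constructed assumptions; the two multipliers are the page's own.

```python
"""Rolling-baseline egress monitor with alert and auto-quarantine tiers.

Added example, not code from the original page: window lengths, the
min_bytes floor and the sample series are constructed assumptions.
"""
from collections import deque
from statistics import mean

ALERT_X = 3.0        # alert threshold from the CloudWatch/Datadog note
QUARANTINE_X = 10.0  # auto-isolate threshold from mitigation step 7
MB = 1_000_000


class EgressMonitor:
    """Tracks one NetworkOut byte sample per minute per host."""

    def __init__(self, baseline_len=60, current_len=10, min_bytes=1 * MB):
        self.baseline_len = baseline_len  # trailing minutes forming the baseline
        self.current_len = current_len    # recent minutes being judged
        self.min_bytes = min_bytes        # floor: 10x of a near-idle host is noise
        self.series = {}                  # host -> deque of recent samples

    def observe(self, host, out_bytes):
        """Add one sample; return 'warming', 'ok', 'alert' or 'quarantine'."""
        q = self.series.setdefault(
            host, deque(maxlen=self.baseline_len + self.current_len))
        q.append(out_bytes)
        if len(q) < q.maxlen:
            return "warming"          # cold start: not enough history to judge
        samples = list(q)
        baseline = mean(samples[:self.baseline_len])
        current = mean(samples[self.baseline_len:])
        if current < self.min_bytes:
            return "ok"
        ratio = current / max(baseline, 1.0)   # guard an all-zero baseline
        if ratio >= QUARANTINE_X:
            return "quarantine"
        if ratio >= ALERT_X:
            return "alert"
        return "ok"


def replay(monitor, host, series):
    """Feed a whole per-minute series; return (final status,
    minute of first 'alert', minute of first 'quarantine')."""
    first = {"alert": None, "quarantine": None}
    status = "warming"
    for minute, value in enumerate(series):
        status = monitor.observe(host, value)
        if status in first and first[status] is None:
            first[status] = minute
    return status, first["alert"], first["quarantine"]


def sample_series():
    """Constructed per-minute NetworkOut samples for three hosts."""
    # Normal host: steady ~50 MB/min with a little alternating jitter
    normal = [(52 if i % 2 else 48) * MB for i in range(80)]
    # Compromised host: same baseline, then egress jumps 12x at minute 70
    flooder = normal[:70] + [600 * MB] * 10
    # Near-idle host: a jump from 0 to 500 KB/min must not trigger anything
    idle = [0] * 70 + [500_000] * 10
    return {"10.0.0.7": normal, "10.0.0.5": flooder, "10.0.0.3": idle}


def run_sample():
    """Replay every sample host through one monitor; return verdicts by host."""
    mon = EgressMonitor()
    return {host: replay(mon, host, s) for host, s in sample_series().items()}


if __name__ == "__main__":
    for host, (status, alert_at, quarantine_at) in run_sample().items():
        print(f"{host}: {status} (alert@{alert_at}, quarantine@{quarantine_at})")
```

Because the judged window is a 10-minute average, the flooder crosses 3× only a minute or two after its egress jumps and reaches 10× some minutes later; that lag is the price of not paging on a single noisy sample. The `min_bytes` floor is the other guard worth keeping: without it, a host that normally sends almost nothing would be quarantined for a routine package update.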

📋Real-World Examples

2016 — Mirai botnet DDoS against Dyn DNS: On October 21, 2016, the Mirai botnet — comprising approximately 600,000 compromised IoT devices — launched a 1.2 Tbps DDoS attack against Dyn DNS infrastructure. The attack disrupted major platforms including Twitter, Reddit, Netflix, and GitHub for hours by preventing DNS resolution of their domains.

2018 — GitHub 1.35 Tbps memcached amplification attack: On February 28, 2018, GitHub absorbed what was then the largest recorded DDoS attack at 1.35 Tbps. The attack leveraged memcached servers as amplifiers (amplification factor ~51,000×), with a small number of sources generating massive reflected traffic. Akamai's Prolexic scrubbing service mitigated the attack within 10 minutes.
