Under Attack Mode

Defend your servers in real-time.

When your server is under attack, every second counts. HostAtlas Under Attack Mode shifts the agent into high-frequency data collection, opens a live attack dashboard, and gives you one-click countermeasures to block malicious traffic. Trigger it manually or let alert rules activate it automatically when SYN floods or HTTP floods are detected.

Collection interval: 5s
Dashboard tabs: 4
IP banning: 1-click
Post-attack analysis: AI

Instant Activation

One click. Full battle mode.

Enable Under Attack Mode with a single click from the server detail page, or let HostAtlas activate it automatically when alert rules detect attack patterns. The moment it activates, the agent shifts from its normal 30-second collection interval to high-frequency 5-second updates, giving you near-real-time visibility into what is happening on your server.


Manual Activation

One-click toggle from the server detail page. Immediately switches the agent into high-frequency mode and opens the attack dashboard. Use this when you notice suspicious traffic or receive reports of degraded performance.


Auto-Trigger via Alert Rules

Create alert rules that automatically activate Under Attack Mode when specific thresholds are breached. SYN flood detection, HTTP flood patterns, bandwidth spikes, or connection count anomalies can all serve as triggers.


Fully Reversible

Every countermeasure applied during Under Attack Mode is tracked and reversed when you deactivate it. IP bans are lifted, Cloudflare settings are restored, and the agent returns to normal collection intervals.

prod-web-01 203.0.113.42
Under Attack

Attack Mode Active

High-frequency collection enabled (5s interval). Attack dashboard available. All countermeasures will be reversed on deactivation.

Connections: 12,847
Bandwidth: 847 MB/s
Blocked IPs: 23

Activated 4 min ago · Auto-triggered by SYN flood alert

High-Frequency Collection

Every 5 seconds. Not every 30.

In normal operation, the HostAtlas agent collects metrics every 30 seconds. Under Attack Mode drops that to 5 seconds, giving you 6x the data resolution. This matters because attacks evolve rapidly — a 30-second blind spot can mean missing a shift in attack patterns or a brief window of opportunity to block a new source.

What gets collected at 5s intervals


Active Connections

Total TCP connections, connections per state (ESTABLISHED, SYN_RECV, TIME_WAIT, FIN_WAIT), connections per remote IP. Used to identify connection floods and SYN attacks.


Network Throughput

Bytes in/out per second, packets per second, error rates. High-resolution bandwidth data reveals DDoS volumetric patterns and helps correlate with connection data.


System Metrics

CPU utilization, load average, RAM, swap usage, and disk I/O at 5-second granularity. Helps distinguish resource-exhaustion attacks from pure network floods.


Top Connecting IPs

Top 50 remote IP addresses by connection count, refreshed every 5 seconds. Tracks connection state distribution per IP to distinguish legitimate traffic from attack sources.

Normal vs. Attack Mode comparison

Metric | Normal | Attack Mode
Collection interval | 30 seconds | 5 seconds
Data points per minute | 2 | 12
Connection tracking | Total only | Per-IP, per-state
Top IPs tracked | | Top 50
Live dashboard | No | Yes
IP banning | No | Yes
Cloudflare integration | No | Yes
Post-attack AI analysis | No | Yes

Live Attack Dashboard

Four tabs. Complete situational awareness.

The attack dashboard gives you a real-time operational view of the ongoing attack. Four dedicated tabs organize the data so you can assess the situation, identify attackers, review live logs, and deploy countermeasures without switching between tools.

Under Attack Duration: 00:07:23
Last update: 2s ago

Active Connections: 12,847 (+340% vs. baseline)
SYN_RECV: 4,291 (SYN flood detected)
Bandwidth In: 847 MB/s (+1,200% vs. baseline)
Unique Source IPs: 1,847 (23 blocked so far)

Top Attacking IPs

IP Address | Connections | SYN_RECV | Status
185.220.101.34 | 2,341 | 1,892 | Blocked
45.134.26.91 | 1,847 | 1,203 | Blocked
91.219.236.174 | 987 | 412 | Active
23.95.67.143 | 654 | 298 | Active

CPU Utilization: 87.3%
Load Average (1m): 24.7 (8 cores · 3x overloaded)


Overview Tab

The command center. Key metrics at a glance: active connections, SYN_RECV count, bandwidth utilization, unique source IPs, and system resource usage. All numbers update every 5 seconds with trend indicators showing whether the attack is escalating or subsiding.

Real-time connection count with baseline comparison
Bandwidth in/out with trend indicators
CPU, RAM, load average at 5s resolution
Attack duration and severity assessment

Connection Analysis Tab

Deep-dive into connection data. See every TCP state distribution, top connecting IPs ranked by connection count, geographic distribution of source IPs, and connection rate over time. This is where you identify the attack sources and decide which IPs to block.

TCP state breakdown (ESTABLISHED, SYN_RECV, TIME_WAIT)
Top 50 IPs with per-IP state distribution
Connection rate chart (new connections/second)
One-click IP blocking from the table

Live Logs Tab

Streaming log output from nginx access logs, syslog, dmesg, and kernel logs. Filters let you isolate specific IPs, status codes, or error patterns. Critical for identifying application-layer attacks like HTTP floods that appear as legitimate requests.

Streaming nginx/Apache access logs
Kernel and dmesg messages (SYN flood warnings)
Filter by IP, status code, or pattern
Auto-pause on scroll for log review

Countermeasures Tab

Your response toolkit. Ban IPs via ufw or iptables, enable Cloudflare Under Attack Mode, and review all active countermeasures. Every action is logged with a timestamp and the user who initiated it. All countermeasures are reversible on deactivation.

IP ban via ufw/iptables with duration control
Cloudflare Under Attack Mode toggle
Active countermeasure log with timestamps
Bulk actions: block top N IPs by connection count

Block IP Address: 185.220.101.34
Firewall: ufw | iptables
Duration: 15 min | 1 hour | 6 hours | 24 hours | Permanent
Command to execute: ufw deny from 185.220.101.34 to any

IP Banning

Block attackers at the firewall level.

Ban malicious IPs directly from the attack dashboard. HostAtlas executes firewall rules on the server via the agent, using either ufw or iptables depending on what is available. Configure ban duration from 15 minutes to permanent — all bans are tracked and automatically reversed when Under Attack Mode is deactivated (unless you mark them as permanent).


Single IP or CIDR Range

Block individual IPs or entire subnets using CIDR notation. Useful when an attack originates from a single hosting provider or botnet subnet.


Configurable Duration

Choose 15 minutes, 1 hour, 6 hours, 24 hours, or permanent. Temporary bans are automatically cleaned up. Permanent bans persist after attack mode is deactivated.


Bulk Actions

Block the top 10, 25, or 50 attacking IPs in a single action. HostAtlas ranks IPs by threat score (connection count, SYN_RECV ratio, request rate) and blocks them all at once.

Cloudflare Integration

Activate Cloudflare Under Attack Mode from HostAtlas.

If your domains are proxied through Cloudflare, HostAtlas can enable Cloudflare's Under Attack Mode with a single click. This adds a JavaScript challenge page to all visitors, filtering out automated traffic at the CDN edge before it reaches your origin server. Combined with server-level IP banning, you get defense in depth.


One-Click Activation

Toggle Cloudflare Under Attack Mode directly from the HostAtlas countermeasures tab. No need to log into the Cloudflare dashboard separately during an active attack.


Security Level Control

Set Cloudflare security level to "Under Attack" (JavaScript challenge) or "High" (CAPTCHA for suspicious visitors). Both are automatically restored to your previous setting on deactivation.


Defense in Depth

Cloudflare filters traffic at the edge while HostAtlas blocks traffic at the server firewall. Application-layer attacks that bypass Cloudflare are caught by server-level countermeasures.

Cloudflare Countermeasures

Under Attack Mode: JavaScript challenge for all visitors (Active)
Security Level: Changed from "Medium" to "Under Attack" (Modified)

Previous security level "Medium" will be restored when Under Attack Mode is deactivated.

Auto-Trigger Rules

Detect attacks before you notice them.

Configure alert rules that automatically activate Under Attack Mode when specific conditions are met. HostAtlas detects SYN floods, HTTP floods, bandwidth spikes, and connection anomalies in real time. No human intervention needed — the agent starts defending the moment the attack begins.


SYN Flood Detection

Triggers when SYN_RECV connections exceed a configurable threshold (default: 500). SYN floods exhaust server connection tables and are one of the most common DDoS vectors.

condition: tcp_syn_recv > 500
action: enable_attack_mode

HTTP Flood Detection

Triggers when HTTP request rate exceeds baseline by a configurable multiplier (default: 10x). Detects application-layer floods that pass through network-level filters.

condition: http_requests_rate > 10x baseline
action: enable_attack_mode

Bandwidth Spike Detection

Triggers when inbound bandwidth exceeds a configurable threshold (e.g., 500 MB/s). Catches volumetric DDoS attacks designed to saturate your upstream link.

condition: bandwidth_in > 500MB/s
action: enable_attack_mode

Combining triggers

You can create multiple trigger rules per server. Each rule can have different thresholds. When any single rule triggers, Under Attack Mode activates. You can also use "sustained" conditions that require the threshold to be exceeded for a configurable duration (e.g., 30 seconds) to avoid false positives from brief traffic spikes.
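
How a "sustained" condition separates a one-sample spike from a real flood, as an added example (not HostAtlas code). The rule names, the `Rule` class, the baseline of 40 requests/s and the sample values are assumptions constructed for illustration; the metric names and thresholds mirror the rules above.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    name: str                  # hypothetical label, not a HostAtlas identifier
    metric: str
    threshold: float
    sustained_s: int = 0       # 0 = fire on the first sample over threshold
    _since: Optional[int] = field(default=None, repr=False)

    def observe(self, ts, sample):
        """Feed one sample; True once the threshold has been exceeded for sustained_s."""
        if sample.get(self.metric, 0) > self.threshold:
            if self._since is None:
                self._since = ts
            return ts - self._since >= self.sustained_s
        self._since = None     # any sample back under the threshold resets the timer
        return False

def first_trigger(rules, samples):
    """Return (timestamp, [rule names]) for the first sample where any rule fires."""
    for ts, sample in samples:
        fired = [r.name for r in rules if r.observe(ts, sample)]  # updates every rule
        if fired:
            return ts, fired
    return None

BASELINE_RPS = 40  # constructed baseline request rate

def make_rules(sustained_s):
    return [
        Rule("syn_flood", "tcp_syn_recv", 500, sustained_s),
        Rule("http_flood", "http_requests_rate", 10 * BASELINE_RPS, sustained_s),
        Rule("bandwidth", "bandwidth_in", 500, sustained_s),   # MB/s
    ]

# Constructed samples: one-sample SYN spike at t=5, sustained flood from t=15 on.
SYN = [120, 900, 150, 640, 700, 810, 950, 1200, 1500, 1800]
SAMPLES = [(i * 5, {"tcp_syn_recv": v, "http_requests_rate": 45, "bandwidth_in": 12})
           for i, v in enumerate(SYN)]

if __name__ == "__main__":
    print(first_trigger(make_rules(0), SAMPLES))    # immediate rules react to the spike
    print(first_trigger(make_rules(30), SAMPLES))   # sustained rules ignore it
```

The trade-off is visible in the two results: the sustained rule avoids the false positive but activates 30 seconds after the flood actually begins.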

Post-Attack Analysis

AI-powered attack debrief.

When you deactivate Under Attack Mode, HostAtlas generates a comprehensive post-attack analysis using AI. It identifies the attack type, severity, duration, peak metrics, top attacking IPs, and recommends permanent countermeasures. Share the report with your team or use it to harden your defenses.

Post-Attack Report (AI Generated)

Attack Type: SYN Flood + HTTP Flood
Severity: Critical
Duration: 47 minutes
Peak Connections: 18,432

AI Summary

The server experienced a multi-vector attack combining SYN flooding (Layer 4) and HTTP GET flooding (Layer 7). The attack originated from 1,847 unique source IPs, primarily from AS14061 (DigitalOcean) and AS16276 (OVH), suggesting a botnet hosted on cloud infrastructure. Peak inbound bandwidth reached 847 MB/s at 14:23 UTC. The SYN flood saturated the connection table while HTTP floods targeted /api/search with randomized parameters.

Recommendations

Permanently block AS14061 and AS16276 at the firewall level
Enable SYN cookies (net.ipv4.tcp_syncookies=1)
Rate-limit /api/search to 60 requests/min per IP
Consider enabling Cloudflare WAF rules for API endpoints

What the AI analyzes


Attack Pattern Classification

Identifies whether the attack was a SYN flood, UDP flood, HTTP flood, slowloris, DNS amplification, or a multi-vector combination. Classification is based on connection state patterns, bandwidth characteristics, and request signatures.


Source IP Analysis

Groups attacking IPs by ASN and geographic location. Identifies whether the attack came from a botnet, cloud infrastructure, or residential proxies. Lists the top contributing networks.


Attack Timeline

Reconstructs the full attack timeline: initial spike, peak, countermeasure effectiveness, and subsidence. Shows exactly when each countermeasure was applied and how it impacted attack metrics.


Actionable Recommendations

Provides specific, actionable recommendations: kernel parameters to tune, firewall rules to add permanently, rate limits to implement, and Cloudflare WAF rules to enable. Every recommendation includes the exact command or configuration change.


Severity Scoring

Assigns a severity score based on peak metrics, duration, and impact on service availability. Critical attacks trigger automatic incident creation with the AI analysis attached.

Detection Engine

SYN flood detection. Down to the TCP state.

HostAtlas tracks TCP connection states at 5-second resolution during attack mode. A surge in SYN_RECV connections with no corresponding ESTABLISHED connections is the signature of a SYN flood. The agent detects this pattern automatically and can trigger countermeasures before the connection table is exhausted.

TCP State Monitoring

The agent reads /proc/net/tcp and /proc/net/tcp6 to build a complete picture of TCP connection states. Each 5-second sample captures the count of connections in every TCP state.

ESTABLISHED 3,241
SYN_RECV 4,291
TIME_WAIT 1,847
FIN_WAIT 523
CLOSE_WAIT 87

Connection Table Pressure

Monitors net.ipv4.tcp_max_syn_backlog and current SYN_RECV count. When SYN_RECV exceeds 80% of the backlog limit, HostAtlas raises a critical warning before the connection table is fully exhausted.

SYN Backlog Usage 85.8%
Connection Table 72.4%
Conntrack Table 41.2%
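
The state counting and backlog check described above can be sketched as follows. This is an added example, not the HostAtlas agent's code: the sample rows, the backlog value of 4 and the function names are constructed, only IPv4 rows (`/proc/net/tcp`) are decoded, and a little-endian host is assumed.

```python
import socket
import struct
from collections import Counter

# TCP state codes used in /proc/net/tcp (Linux include/net/tcp_states.h)
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample in /proc/net/tcp layout (documentation-range addresses).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A0200C0:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A0200C0:01BB 2A7100CB:C350 01 00000000:00000000 00:00000000 00000000    33        0 1002
   2: 0A0200C0:01BB 076433C6:9C40 03 00000000:00000000 01:00000064 00000002     0        0 0
   3: 0A0200C0:01BB 076433C6:9C41 03 00000000:00000000 01:00000064 00000002     0        0 0
   4: 0A0200C0:01BB 076433C6:9C42 03 00000000:00000000 01:00000064 00000002     0        0 0
   5: 0A0200C0:01BB 096433C6:A001 03 00000000:00000000 01:00000064 00000001     0        0 0
   6: 0A0200C0:01BB 2A7100CB:C351 06 00000000:00000000 03:00000BB8 00000000     0        0 0
"""

def decode_ipv4(hex_addr):
    """The address is printed as a host-endian u32; a little-endian host is assumed."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))

def summarize(text, syn_backlog, warn_ratio=0.8):
    """Count sockets per TCP state and SYN_RECV per remote IP; flag backlog pressure."""
    states, syn_by_ip = Counter(), Counter()
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        state = TCP_STATES.get(fields[3], "UNKNOWN")
        states[state] += 1
        if state == "SYN_RECV":
            syn_by_ip[decode_ipv4(fields[2].split(":")[0])] += 1
    usage = states["SYN_RECV"] / syn_backlog
    return {"states": states, "syn_recv_by_ip": syn_by_ip,
            "backlog_usage": usage, "critical": usage > warn_ratio}

if __name__ == "__main__":
    # On a live host: text = open("/proc/net/tcp").read(), and syn_backlog from
    # /proc/sys/net/ipv4/tcp_max_syn_backlog. The backlog of 4 is constructed.
    report = summarize(SAMPLE, syn_backlog=4)
    print(dict(report["states"]), report["syn_recv_by_ip"].most_common(3), report["critical"])
```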

Bandwidth Monitoring

Real-time bandwidth monitoring at 5-second intervals. Distinguishes between inbound (attack traffic) and outbound (response traffic). Volumetric attacks show a massive inbound spike with minimal outbound correlation.

Bandwidth In 847 MB/s
Bandwidth Out 12 MB/s
Packets In 1.2M/s
Packets Out 45K/s
In/Out Ratio 70:1

Ratio >10:1 indicates volumetric attack

Clean Deactivation

Every countermeasure, fully reversible.

When you deactivate Under Attack Mode, HostAtlas reverses every temporary countermeasure that was applied. Temporary IP bans are lifted, Cloudflare security level is restored, and the agent returns to normal 30-second collection intervals. You get a complete audit trail of every action taken and reversed.


Temporary IP bans removed

All IP bans with a duration (15 min to 24 hours) are automatically removed from ufw/iptables. Permanent bans are preserved.


Cloudflare settings restored

Security level returns to the value it had before attack mode was activated. Under Attack Mode is disabled automatically.


Collection interval restored

Agent returns to 30-second collection intervals, reducing resource overhead on the server back to normal levels.


Complete audit trail

Every action taken during attack mode is logged: who activated it, which IPs were blocked, which countermeasures were applied, and when each was reversed.

# Deactivation log — prod-web-01
[14:31:07] Under Attack Mode deactivated by sascha@hostatlas.com
[14:31:07] Generating post-attack AI analysis...
[14:31:08] Removing temporary IP ban: 185.220.101.34 (ufw)
[14:31:08] Removing temporary IP ban: 45.134.26.91 (ufw)
[14:31:08] Removing temporary IP ban: 91.219.236.174 (ufw)
... 20 more IP bans removed
[14:31:09] Preserving permanent ban: 23.95.67.143
[14:31:09] Restoring Cloudflare security level: "Medium"
[14:31:09] Disabling Cloudflare Under Attack Mode
[14:31:10] Restoring collection interval: 30s
[14:31:10] All countermeasures reversed. Normal operation resumed.
[14:31:15] Post-attack report generated. Incident INC-3192 created.
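
The IP Banning and Clean Deactivation sections describe tracked bans that are undone on deactivation; one way to model that is a ledger that validates each target and can emit the matching undo command. This is an added example, not HostAtlas code: `BanLedger`, the protected range, the prefix limits and the addresses are constructed assumptions, and the commands are returned as argv lists rather than executed.

```python
import ipaddress

# Assumptions (constructed): networks that must never be banned, and the
# broadest prefix a single ban may cover.
PROTECTED = [ipaddress.ip_network("192.0.2.0/28")]   # e.g. management / VPN range
MIN_PREFIX = {4: 16, 6: 32}

def validate_target(target):
    """Parse an IP or CIDR string; reject malformed, too-broad or protected targets."""
    net = ipaddress.ip_network(target.strip(), strict=False)  # ValueError if malformed
    if net.prefixlen < MIN_PREFIX[net.version]:
        raise ValueError(f"{net} is too broad to ban")
    if any(p.version == net.version and net.overlaps(p) for p in PROTECTED):
        raise ValueError(f"{net} overlaps a protected network")
    return net

def ban_argv(net, backend, undo=False):
    """Build the firewall command as an argv list (never a shell string)."""
    src = str(net.network_address) if net.num_addresses == 1 else str(net)
    if backend == "ufw":
        return ["ufw"] + (["delete"] if undo else []) + ["deny", "from", src, "to", "any"]
    if backend == "iptables":
        binary = "iptables" if net.version == 4 else "ip6tables"
        return [binary, "-D" if undo else "-I", "INPUT", "-s", src, "-j", "DROP"]
    raise ValueError(f"unknown backend {backend!r}")

class BanLedger:
    """Records every ban so deactivation can undo exactly what was applied."""
    def __init__(self, backend="ufw"):
        self.backend, self.entries = backend, []

    def ban(self, target, duration_s):
        """duration_s=None marks a permanent ban. Returns the command to run."""
        net = validate_target(target)
        self.entries.append((net, duration_s))
        return ban_argv(net, self.backend)

    def deactivate(self):
        """Return undo commands for temporary bans; permanent bans stay recorded."""
        undo = [ban_argv(n, self.backend, undo=True) for n, d in self.entries if d is not None]
        self.entries = [(n, d) for n, d in self.entries if d is None]
        return undo

if __name__ == "__main__":
    ledger = BanLedger("ufw")
    print(ledger.ban("198.51.100.7", 900))        # constructed addresses
    print(ledger.ban("203.0.113.0/24", None))
    print(ledger.deactivate())
```

Validating with `ipaddress` before building the command keeps attacker-influenced strings out of the firewall invocation, and the protected list guards against a bulk action banning your own management network.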

Only on HostAtlas

No other monitoring platform has this.

Under Attack Mode is a HostAtlas exclusive. Other monitoring tools show you metrics. HostAtlas lets you fight back. From real-time attack dashboards to server-level IP banning to Cloudflare integration and AI-powered post-attack analysis — this is monitoring that defends, not just observes.

Datadog

Shows metrics. No attack mode, no IP banning, no countermeasures. You see the attack happening but cannot respond from the dashboard.

New Relic

Application performance monitoring. No server-level attack detection, no firewall control, no real-time attack dashboard.

UptimeRobot

External uptime checks only. By the time it detects downtime, the attack has already taken your server offline. No defense capabilities.

HetrixTools

Basic server monitoring. No attack mode, no connection analysis, no IP banning, no Cloudflare integration.

Grafana + Prometheus

Great for dashboards. But you need to build attack detection, IP banning, and countermeasures yourself. HostAtlas ships it all out of the box.

HostAtlas

Full attack dashboard, 5s collection, IP banning, Cloudflare integration, auto-trigger rules, AI post-attack analysis. All included.

Get started

Your servers deserve a fighting chance.

Under Attack Mode is included on every HostAtlas plan. Install the agent, configure your auto-trigger rules, and know that when the next attack hits, you will be ready. Real-time dashboards, one-click IP banning, Cloudflare integration, and AI-powered post-attack analysis — all included.

Quick install

$ curl -sSL https://install.hostatlas.app/install.sh | sudo bash -s -- --key=SERVER_KEY_