I would try `tcpdump` on the physical interface where the traffic for the guests comes in.
`tcpdump -envi eno1` (if eno1 is your interface) and see where most packets are sent to
the verbose output of tcpdump shows you the source and destination of a packet - if one VPS is being ddosed, its IP address will be the one that shows up most often in the destination column.
You can also record a pcap file with tcpdump and open it in wireshark - which has a nicer interface.
`tcpdump -s 0 -w ddos.pcap -nvi eno1`
after a while press ctrl+c and you'll have a file 'ddos.pcap', which you can download and analyze in wireshark
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.