Attack Mode
Attack Mode is a per-server “under attack” state you switch on when a host is being hit hard. While it is active HostAtlas samples the server every 5 seconds instead of every 30, tails the access log live, and gives you inline countermeasures — IP bans, Cloudflare Under Attack Mode, cache purge — without leaving the dashboard.
You reach it from a server’s page, or directly at /servers/<uuid>/attack-mode.
What you see
The Attack Mode dashboard has four tabs:
- Overview — big-number cards for requests/sec, unique client IPs, open connections and inbound bandwidth, plus a SYN-flood indicator and rolling 30-minute traffic charts.
- Connection Analysis — the top source IPs right now (with one-click Ban), the TCP connection-state distribution, an HTTP status-code breakdown and the top targeted URL paths.
- Fail2Ban — the jails HostAtlas can see on the server, current ban counts and recent ban/unban events. Only shown if Fail2Ban is installed.
- Countermeasures — the active bans list, the Cloudflare Under Attack Mode toggle and a Purge cache button for every Cloudflare-fronted domain on the server.
When Attack Mode is off, the page shows a large Activate Attack Mode button plus a summary of the last incident (if any).
What you can do
- Activate / Deactivate the mode manually from the server page or the Attack Mode dashboard.
- Ban an IP from the top-source-IPs table. You choose a duration (1 hour, 24 hours, 7 days or permanent) and an optional reason.
- Unban an IP from the active-bans list.
- Toggle Cloudflare Under Attack Mode for every domain on the server that is connected to a Cloudflare zone.
- Purge Cloudflare cache for the same domains — useful once you’ve blocked a malicious pattern and want stale HTML flushed.
How it works
Activation can happen three ways:
- Manually — you click Activate Attack Mode.
- Automatically — alert rules for DDoS Detection (SYN_RECV threshold) or HTTP Flood (requests/sec threshold) fire and turn it on.
- Programmatically — an alert auto-action attached to a critical rule.
However it started, HostAtlas opens a critical incident of type Under Attack, records who or what triggered it, and tells the agent to switch to 5-second sampling and stream access-log tail data.
When you deactivate Attack Mode (or the trigger clears), the incident is resolved and a summary is saved: duration, peak requests/sec, peak connections, peak unique IPs, bandwidth totals, number of SYN-flood windows and bans issued. An AI post-attack analysis is then queued — it classifies the attack, calls out the worst offenders and suggests hardening (rate limits, Cloudflare rules, WAF changes).
Bans have an expiry timestamp; HostAtlas removes them automatically when they lapse.
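The following is an added example, not HostAtlas code: it computes from constructed `ss -tan` and access-log samples the kind of figures the Connection Analysis tab lists, then applies the two threshold triggers named above. The function names, the log regex and the threshold values are assumptions; this page does not document the agent's actual logic or defaults.

```python
import re
from collections import Counter

# Constructed samples (not real traffic): `ss -tan` rows and access-log
# lines for one 5-second window. `ss` prints SYN-RECV; netstat, SYN_RECV.
SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN    0      511    0.0.0.0:443        0.0.0.0:*
ESTAB     0      0      192.0.2.10:443     198.51.100.7:51234
SYN-RECV  0      0      192.0.2.10:443     203.0.113.5:40001
SYN-RECV  0      0      192.0.2.10:443     203.0.113.5:40002
SYN-RECV  0      0      192.0.2.10:443     203.0.113.9:40003
TIME-WAIT 0      0      192.0.2.10:443     198.51.100.7:51200
"""
TS = "[01/Jan/2025:00:00:01 +0000]"
ACCESS_LOG = (
    [f'203.0.113.5 - - {TS} "POST /login HTTP/1.1" 403 512'] * 8
    + [f'203.0.113.9 - - {TS} "GET /search?q=a HTTP/1.1" 200 2048'] * 3
    + [f'198.51.100.7 - - {TS} "GET / HTTP/1.1" 200 1024', "garbage line"]
)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def tcp_states(ss_text):
    """TCP connection-state distribution from `ss -tan` text (header skipped)."""
    return Counter(r.split()[0] for r in ss_text.splitlines()[1:] if r.strip())

def analyse(log_lines, window_s):
    """Per-window request rate, top source IPs, status codes and paths."""
    ips, statuses, paths = Counter(), Counter(), Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing mid-incident
        ip, target, status = m.groups()
        ips[ip] += 1
        statuses[status] += 1
        paths[target.split("?", 1)[0]] += 1  # group by path, ignore query
    return {"rps": sum(ips.values()) / window_s, "unique_ips": len(ips),
            "top_ips": ips.most_common(3), "statuses": statuses,
            "top_paths": paths.most_common(3)}

def triggers(states, stats, syn_recv_max, rps_max):
    """Which threshold rules fire; the limits are caller-supplied assumptions."""
    fired = []
    if states.get("SYN-RECV", 0) > syn_recv_max:
        fired.append("DDoS Detection")
    if stats["rps"] > rps_max:
        fired.append("HTTP Flood")
    return fired
```

Counting half-open connections separately from request rate is what lets a SYN flood, which never reaches the access log, be told apart from an HTTP flood.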
Cloudflare integration
For Cloudflare actions to work, the domain must be connected through Integrations → Cloudflare (an API token with Zone:Edit). If a domain on the server is not on Cloudflare, it is skipped silently — you still get results for the ones that are.