Knowledge Base

How to diagnose a DoS/DDoS attack and find websites under attack on a Plesk server

Question

How to diagnose a DoS/DDoS attack and find websites under attack on a Plesk server?

Answer

On Linux

For real-time attack

Connect to the server via SSH.
Determine the source IP addresses and numbers of the connections:

# ss -tan state established | grep ":80|:443" | awk '{print $4}'| cut -d':' -f1 | sort -n | uniq -c | sort -nr
Find the domains which are currently under attack:

# for log in /var/www/vhosts/system/*/logs/*access*log; do echo -n "$log "; tail -n10000 "$log" | grep -c 203.0.113.2; done | sort -n -k2
Check the number of connections in SYN_RECV state (possible syn-flood):

# ss -tan state syn-recv | wc -l
If there are several IP addresses in Plesk, determine the target IP address under attack:

# netstat -lpan | grep SYN_RECV | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

It is possible that there are not many established connections to the web server, however, there might be a lot of requests that were successfully served by nginx and transferred to Apache and at this point, Apache is under attack. To track these requests do the following:

Navigate to /var/www/vhosts/system:

# cd /var/www/vhosts/system
Generate a file requests to fetch the number of requests that were made in the last hour using the command below.

Note: As an example, 24/Jan/2022:20 will be used. Here ":20" is 8 p.m.

# for i in *;do echo -n "$i "; grep '24/Jan/2022:20' $i/logs/access_ssl_log | awk '{print $1}' | wc -l;done > ~/requests
Check the generated file:

# cat ~/requests | sort -k 2 -r -n | head
example.com 24549
example.net 18545
test.com 3

For finished attack

Connect to the server via SSH.
Create an environment for investigation:

# mkdir /root/inv
# cd /var/www/vhosts/system
# for i in *; do mkdir /root/inv/$i; done
Populate the environment with log files for the last few days:

# for i in *; do find $i -mtime -3 -type f -exec cp -a {} /root/inv/$i ;; done
Unzip processed log-files:

# cd /root/inv
# for i in /root/inv/*/*; do [[ ${i:(-3)} == ".gz" ]] && gunzip $i ; done
Remove statistics and configuration files:

# rm /root/inv/*/*.conf /root/inv/*/*.png /root/inv/*/*webalizer* /root/inv/*/*webstat */*html
Get entries from the day of attack to form a report:

Note: As an example, 30/Oct/2017 will be used.

# for i in *; do [[ -d $i ]] && grep -rh "[30/Oct/2017" ./$i > $i.accessed; done
Sort the entries by size:

# ls -laS | less

Note: A size of a log file will be displayed. The higher the size of a log-file, the higher is the chance of it being targeted.
Find the most used IP addresses:

# cut -f 1 -d ' ' *.accessed | sort -n | uniq -c | sort -nr | less

Note: This command displays how many attempts to access a website each IP address performed in a time-frame specified on step 6.
Find the domains which were targeted by these IP addresses:

# grep -rc 203.0.113.2 /root/inv/*/* | sort -n -k2 -t: