Knowledge Base

How to diagnose a DoS/DDoS attack and find websites under attack on a Plesk server

 
ddosddos attacksdomainsiplinux

Question

How to diagnose a DoS/DDoS attack and find websites under attack on a Plesk server?

Answer

 

On Linux

 

For real-time attack

 

  1. Connect to the server via SSH.

  2. Determine the source IP addresses and numbers of the connections:

    # ss -tan state established | grep “:80|:443” | awk ‘{print $4}’| cut -d’:’ -f1 | sort -n | uniq -c | sort -nr

  3. Find the domains which are currently under attack:

    # for log in /var/www/vhosts/system/*/logs/*access*log; do echo -n “$log “; tail -n10000 “$log” | grep -c 203.0.113.2; done | sort -n -k2

  4. Check number of connections in SYN_RECV state (possible syn-flood):

    # ss -tan state syn-recv | wc -l

  5. If there are several IP addresses in Plesk, determine the target IP address under attack:

    # netstat -lpan | grep SYN_RECV | awk ‘{print $4}’ | cut -d: -f1 | sort | uniq -c | sort -nk 1

 

For finished attack

 

  1. Connect to the server via SSH.

  2. Create an environment for investigation:

    # mkdir /root/inv
    # cd /var/www/vhosts/system
    # for i in *; do mkdir /root/inv/$i; done

  3. Populate the environment with log files for the last few days:

    # for i in *; do find $i -mtime -3 -type f -exec cp -a {} /root/inv/$i ;; done

  4. Unzip processed log-files:

    # cd /root/inv
    # for i in /root/inv/*/*; do [[ ${i:(-3)} == “.gz” ]] && gunzip $i ; done

  5. Remove statistics and configuration files:

    # rm /root/inv/*/*.conf /root/inv/*/*.png /root/inv/*/*webalizer* /root/inv/*/*webstat */*html

  6. Get entries from the day of attack to form a report:

    Note: As an example, 30/Oct/2017 will be used.

    # for i in *; do [[ -d $i ]] && grep -rh “[30/Oct/2017” ./$i > $i.accessed; done

  7. Sort the entries by size:

    # ls -laS | less

    Note: A size of a log file will be displayed. The higher the size of a log-file, the higher is a chance of it being targeted.

  8. Find the most used IP addresses:

    # cut -f 1 -d ‘ ‘ *.accessed | sort -n | uniq -c | sort -nr | less

    Note: This command displays how many attempts to access a website each IP address performed in a time-frame specified on step 6.

  9. Find the domains which were targeted by these IP addresses:

    # grep -rc 203.0.113.2 /root/inv/*/* | sort -n -k2 -t:

 

 

On Windows Server

 

For real-time attack

 

  1. Connect to the server via RDP.

  2. Start a command prompt and run the following commands to check the count of connections on ports 80 and 443:

    C:> netstat -ano | find /c “80”

    C:> netstat -ano | find /c “443”

    Note: If there is a large number of connections (hundreds or thousands) to the same port, the server is likely under a DDoS attack

 

Additional Information

Malicious activity of a source IP address can be checked on AbuseIPDB.

To secure websites against DDoS attacks, see this KB article.

Read the full article
Related Posts
Knowledge Base

Hosting Wiki

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

Follow us:

Facebook Twitter Linkedin Youtube Github

© 2023 Plesk International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of Plesk International GmbH.

Managed with love with Plesk WP Toolkit

Plesk uses LiveChat system (3rd party).

By proceeding below, I hereby agree to use LiveChat as an external third party technology. This may involve a transfer of my personal data (e.g. IP Address) to third parties in- or outside of Europe. For more information, please see our Privacy Policy.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt