How to diagnose a DoS/DDoS attack and find websites under attack on a Plesk server

Connect to the server via SSH.

Determine the source IP addresses and numbers of the connections:

# ss -tan state established | grep “:80|:443” | awk ‘{print $4}’| cut -d’:’ -f1 | sort -n | uniq -c | sort -nr

Find the domains which are currently under attack:

# for log in /var/www/vhosts/system/*/logs/*access*log; do echo -n “$log “; tail -n10000 “$log” | grep -c 203.0.113.2; done | sort -n -k2

Check number of connections in SYN_RECV state (possible syn-flood):

# ss -tan state syn-recv | wc -l

If there are several IP addresses in Plesk, determine the target IP address under attack:

# netstat -lpan | grep SYN_RECV | awk ‘{print $4}’ | cut -d: -f1 | sort | uniq -c | sort -nk 1

Connect to the server via SSH.

Create an environment for investigation:

# mkdir /root/inv
# cd /var/www/vhosts/system
# for i in *; do mkdir /root/inv/$i; done

Populate the environment with log files for the last few days:

# for i in *; do find $i -mtime -3 -type f -exec cp -a {} /root/inv/$i ;; done

Unzip processed log-files:

# cd /root/inv
# for i in /root/inv/*/*; do [[ ${i:(-3)} == “.gz” ]] && gunzip $i ; done

Remove statistics and configuration files:

# rm /root/inv/*/*.conf /root/inv/*/*.png /root/inv/*/*webalizer* /root/inv/*/*webstat */*html

Get entries from the day of attack to form a report:

Note: As an example, 30/Oct/2017 will be used.

# for i in *; do [[ -d $i ]] && grep -rh “[30/Oct/2017” ./$i > $i.accessed; done

Sort the entries by size:

# ls -laS | less

Note: A size of a log file will be displayed. The higher the size of a log-file, the higher is a chance of it being targeted.

Find the most used IP addresses:

# cut -f 1 -d ‘ ‘ *.accessed | sort -n | uniq -c | sort -nr | less

Note: This command displays how many attempts to access a website each IP address performed in a time-frame specified on step 6.

Find the domains which were targeted by these IP addresses:

# grep -rc 203.0.113.2 /root/inv/*/* | sort -n -k2 -t:

Connect to the server via RDP.

Start a command prompt and run the following commands to check the count of connections on ports 80 and 443:

C:> netstat -ano | find /c “80”

C:> netstat -ano | find /c “443”

Note: If there is a large number of connections (hundreds or thousands) to the same port, the server is likely under a DDoS attack