Question
How to diagnose a DoS/DDoS attack and find websites under attack on a Plesk server?
Answer
Â
On Linux
Â
Â
-
Connect to the server via SSH.
-
Determine the source IP addresses and numbers of the connections:
# ss -tan state established | grep “:80|:443” | awk ‘{print $4}’| cut -d’:’ -f1 | sort -n | uniq -c | sort -nr
-
Find the domains which are currently under attack:
# for log in /var/www/vhosts/system/*/logs/*access*log; do echo -n “$log “; tail -n10000 “$log” | grep -c 203.0.113.2; done | sort -n -k2
-
Check number of connections in SYN_RECV state (possible syn-flood):
# ss -tan state syn-recv | wc -l
-
If there are several IP addresses in Plesk, determine the target IP address under attack:
# netstat -lpan | grep SYN_RECV | awk ‘{print $4}’ | cut -d: -f1 | sort | uniq -c | sort -nk 1
Â
Â
-
Connect to the server via SSH.
-
Create an environment for investigation:
# mkdir /root/inv
# cd /var/www/vhosts/system
# for i in *; do mkdir /root/inv/$i; done -
Populate the environment with log files for the last few days:
# for i in *; do find $i -mtime -3 -type f -exec cp -a {} /root/inv/$i ;; done
-
Unzip processed log-files:
# cd /root/inv
# for i in /root/inv/*/*; do [[ ${i:(-3)} == “.gz” ]] && gunzip $i ; done -
Remove statistics and configuration files:
# rm /root/inv/*/*.conf /root/inv/*/*.png /root/inv/*/*webalizer* /root/inv/*/*webstat */*html
-
Get entries from the day of attack to form a report:
Note: As an example, 30/Oct/2017 will be used.
# for i in *; do [[ -d $i ]] && grep -rh “[30/Oct/2017” ./$i > $i.accessed; done
-
Sort the entries by size:
# ls -laS | less
Note: A size of a log file will be displayed. The higher the size of a log-file, the higher is a chance of it being targeted.
-
Find the most used IP addresses:
# cut -f 1 -d ‘ ‘ *.accessed | sort -n | uniq -c | sort -nr | less
Note: This command displays how many attempts to access a website each IP address performed in a time-frame specified on step 6.
-
Find the domains which were targeted by these IP addresses:
# grep -rc 203.0.113.2 /root/inv/*/* | sort -n -k2 -t:
Â
Â
On Windows Server
Â
Â
-
Connect to the server via RDP.
-
Start a command prompt and run the following commands to check the count of connections on ports 80 and 443:
C:> netstat -ano | find /c “80”
C:> netstat -ano | find /c “443”
Note: If there is a large number of connections (hundreds or thousands) to the same port, the server is likely under a DDoS attack
Â
Additional Information
Malicious activity of a source IP address can be checked on AbuseIPDB.
To secure websites against DDoS attacks, see this KB article.