When your server is under DDoS attack, the first step is identifying the malicious traffic sources. Here are the key log files and tools to examine:
1. Web Server Access Logs
For Apache:
tail -f /var/log/apache2/access.log
# Or for specific time frame:
grep "01/Jan/2024:12" /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c | sort -nr
For Nginx:
tail -f /var/log/nginx/access.log
# Filter suspicious requests:
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -20
When the attack is at the network layer (SYN floods, UDP floods), you'll need to examine lower-level logs:
# Show active connections:
netstat -antp | grep -E 'SYN_RECV|ESTABLISHED'
# Monitor incoming packets in real-time:
tcpdump -nn -c 1000 | awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -nr
Most firewalls log blocked connection attempts:
# For iptables:
grep DROP /var/log/kern.log
# Or for recent UFW blocks:
grep "UFW BLOCK" /var/log/ufw.log
For more sophisticated attacks, consider these tools:
# Install iftop for real-time bandwidth monitoring
sudo apt install iftop
sudo iftop -nNP
# Use tshark (Wireshark CLI) for deep packet inspection:
tshark -i eth0 -c 1000 -Y "ip.src != your.server.ip" -T fields -e ip.src | sort | uniq -c | sort -nr
Once you've identified malicious IPs, implement automated blocking:
# Temporary iptables block:
iptables -A INPUT -s 192.0.2.1 -j DROP
# For multiple IPs (from file):
while read -r ip; do iptables -A INPUT -s "$ip" -j DROP; done < malicious_ips.txt
# Persistent rules (Ubuntu):
iptables-save > /etc/iptables/rules.v4
If using cloud services, leverage their DDoS protection:
- AWS: Use VPC Flow Logs and GuardDuty
- GCP: Cloud Armor and VPC Flow Logs
- Azure: Network Watcher and DDoS Protection
Remember that sophisticated attackers may spoof IPs or use botnets. Consider:
- Implementing rate limiting before outright blocking
- Using CAPTCHAs for suspicious traffic
- Setting up fail2ban for automated protection
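The answer above counts total requests per IP, which lumps a slow crawler together with a burst. The following script is an added example, not code from the answer: it buckets requests per client IP per minute in a combined-format access log (NGINX and Apache default), flags any IP that exceeds a threshold in a single minute, and ranks user agents with the same awk -F'"' trick. The log lines it analyses are constructed inline; the threshold of 30 requests per minute is an arbitrary assumption for the sample.

```shell
#!/bin/sh
# Added example: per-minute request rate analysis of a combined-format access log.
# The sample log is constructed here so the script runs offline.

# Constructed sample: 198.51.100.7 sends 40 POSTs in one minute from a script;
# two other clients browse normally.
make_sample_log() {
  i=0
  while [ "$i" -lt 40 ]; do
    printf '198.51.100.7 - - [01/Jan/2024:12:00:%02d +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"\n' "$i"
    i=$((i + 1))
  done
  printf '203.0.113.10 - - [01/Jan/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"\n'
  printf '203.0.113.10 - - [01/Jan/2024:12:01:15 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"\n'
  printf '203.0.113.22 - - [01/Jan/2024:12:01:40 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"\n'
}

# Print "count ip minute" for every (ip, minute) pair, busiest first.
# $4 of a combined-format line looks like [01/Jan/2024:12:00:01 ; strip the
# leading "[" and the ":SS" seconds to get the minute bucket.
requests_per_minute() {
  awk '{
    minute = substr($4, 2, length($4) - 4)
    count[$1 " " minute]++
  }
  END { for (k in count) print count[k], k }' "$1" | sort -nr
}

# Print each IP that exceeded $2 requests in any single minute.
flag_bursty_ips() {
  requests_per_minute "$1" | awk -v t="$2" '$1 > t { print $2 }' | sort -u
}

# Rank user agents; the UA is the 6th double-quote-delimited field.
top_user_agents() {
  awk -F'"' '{ ua[$6]++ } END { for (u in ua) print ua[u], u }' "$1" | sort -nr | head -n "${2:-10}"
}

# Usage on the constructed sample.
LOGFILE=$(mktemp)
make_sample_log > "$LOGFILE"
echo "== requests per IP per minute =="
requests_per_minute "$LOGFILE"
echo "== IPs over 30 requests/minute (threshold is an assumption) =="
flag_bursty_ips "$LOGFILE" 30
echo "== top user agents =="
top_user_agents "$LOGFILE" 5
rm -f "$LOGFILE"
```

Run it against a real log by calling `flag_bursty_ips /var/log/nginx/access.log 300`; pick the threshold from your own normal-traffic baseline rather than the sample's, and treat a flagged IP as a candidate for rate limiting first, as the answer suggests.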
During a DDoS attack, your first priority should be identifying the malicious traffic sources. The challenge lies in distinguishing attack traffic from legitimate requests. Most attacks leave traces in these critical log files:
- /var/log/nginx/access.log (NGINX)
- /var/log/apache2/access.log (Apache)
- /var/log/syslog (System logs)
- /var/log/messages (Kernel messages)
- /var/log/kern.log (Firewall drops)
Use this grep command to find high-frequency IPs in NGINX logs:
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -20
For Apache servers, try this alternative:
tail -n 10000 /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -50
When dealing with sophisticated attacks, consider these additional techniques:
# Find IPs making excessive POST requests
grep "POST" /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -nr
# Identify suspicious user agents
awk -F\" '{print $6}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20
Once identified, block attackers using iptables:
# Single IP block
iptables -A INPUT -s 192.168.1.100 -j DROP
# Block entire subnet
iptables -A INPUT -s 203.0.113.0/24 -j DROP
# Make rules persistent
iptables-save > /etc/iptables/rules.v4
For application-layer attacks, examine these additional data sources:
- Web application firewall (WAF) logs
- CDN provider traffic reports
- Rate limiting counters
- TCP connection states (netstat -antp)
Implement these proactive measures:
# Configure fail2ban for automated blocking
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
Remember that sophisticated attackers often spoof IPs or use botnets. Consider implementing rate limiting and geofencing for better protection.
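Both answers feed a list of IPs straight into iptables. The script below is an added example, not code from either answer: it reads a candidate file, drops duplicates and comments, validates that each entry is a well-formed IPv4 address, and refuses loopback addresses and an allowlist of hosts you must never block (a monitoring or admin host, say), printing the rules rather than applying them so they can be reviewed before being piped to sh. The input list, the allowlist address 203.0.113.5 and the use of -I (insert at the top of the chain so the DROP precedes any ACCEPT rule) are this example's assumptions.

```shell
#!/bin/sh
# Added example: validate a suspected-attacker IP list before generating iptables rules.
# Rules are printed, not applied; review them, then pipe to sh as root.

# Assumption: hosts that must never be blocked (constructed example address).
ALLOWLIST="${ALLOWLIST:-203.0.113.5}"

# Constructed sample list; '#' comments and duplicates are allowed.
make_sample_list() {
  cat <<'EOF'
# suspected sources (constructed sample)
198.51.100.7
198.51.100.7        # duplicate
203.0.113.5         # allowlisted admin host
127.0.0.1           # loopback, never block
999.1.1.1           # malformed
evil.example        # hostname, not an IP
198.51.100.200
EOF
}

# True when $1 is four dotted decimal octets, each 0-255.
is_ipv4() {
  echo "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# True for loopback or the "this network" range; blocking these breaks local services.
is_loopback() {
  case "$1" in
    127.*|0.*) return 0 ;;
  esac
  return 1
}

is_allowlisted() {
  for a in $ALLOWLIST; do
    [ "$a" = "$1" ] && return 0
  done
  return 1
}

# Read $1, strip comments and whitespace, dedupe, and print one rule per
# accepted address. Rejected entries are reported on stderr.
build_block_rules() {
  sed 's/#.*//; s/[[:space:]]//g' "$1" | awk 'NF && !seen[$0]++' | while read -r ip; do
    if ! is_ipv4 "$ip"; then echo "skip (not IPv4): $ip" >&2; continue; fi
    if is_loopback "$ip"; then echo "skip (loopback): $ip" >&2; continue; fi
    if is_allowlisted "$ip"; then echo "skip (allowlisted): $ip" >&2; continue; fi
    # -I puts the DROP ahead of existing ACCEPT rules; -A would append after them.
    echo "iptables -I INPUT -s $ip -j DROP"
  done
}

# Usage on the constructed sample: two rules are printed, five entries are skipped.
LIST=$(mktemp)
make_sample_list > "$LIST"
build_block_rules "$LIST"
rm -f "$LIST"
```

Once the printed rules look right, apply them with `build_block_rules malicious_ips.txt 2>/dev/null | sh` and persist with the same iptables-save step the answers show; keep the allowlist in sync with whatever hosts your monitoring and remote administration come from.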