Diagnose a DoS/DDoS attack on a Plesk server like a Pro

Diagnose a DoS/DDoS attack on a Plesk server with the experts at Bobcares by your side. 

At Bobcares, we offer solutions for every query, big and small, as a part of our Server Management Service.

Let’s take a look at how our Support Team is ready to help customers diagnose a DoS/DDoS attack on a Plesk server.

How to diagnose a DoS/DDoS attack on a Plesk server

This guide by our Support Engineers walks through finding which websites on a Plesk server are under attack and diagnosing a DoS/DDoS attack. Two situations call for different approaches: an attack that is still in progress, where the live connection table is the best evidence, and an attack that is already over, where only the web server logs remain. Our Support Team has procedures for both situations on Linux and Windows.

On Linux: How to diagnose a DoS/DDoS attack on a Plesk server

For real-time attack

    1. First, we have to connect to the server with the help of SSH.
    2. Next, we will determine the source IP addresses and how many established connections each of them holds on the web ports:
      # ss -tan state established | grep -E ':(80|443) ' | awk '{print $4}' | cut -d':' -f1 | sort -n | uniq -c | sort -nr
      grep needs -E for the alternation (a plain grep ":80|:443" matches nothing), and the trailing space keeps local ports such as 8080 out of the count. The cut on ':' assumes IPv4 peers.
    3. Then, we will find which domains are currently under attack. Replace 203.0.113.2 with the address at the top of the previous list (203.0.113.2 is a documentation placeholder):
      # for log in /var/www/vhosts/system/*/logs/*access*log; do echo -n "$log "; tail -n10000 "$log" | grep -cw '203\.0\.113\.2'; done | sort -n -k2
      The escaped dots and -w stop the pattern from also counting 203.0.113.20 or 203.0.113.200.
    4. After that, we have to check the number of connections currently in the SYN_RECV state. A high and growing count here is the signature of a SYN flood rather than an HTTP request flood:
      # ss -tan state syn-recv | wc -l
      The count includes the header line, so subtract one (or use ss -H on newer iproute2 releases to omit the header).
    5. If the server has several IP addresses, we can also determine which target IP address is receiving the half-open connections:
      # netstat -tan | grep SYN_RECV | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
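
The following script is an added example and not part of the original Bobcares guide. It performs steps 2, 4 and 5 above on a constructed capture of ss output that is embedded in the script (addresses from the RFC 5737 and RFC 3849 documentation ranges), so it runs offline; on a live Plesk server the same functions are fed from `ss -Htan state established` and `ss -Htan state syn-recv`. Rather than grepping for the port string, it tests the local-address column by field, which keeps IPv6 peers and unrelated ports such as 8080 from skewing the counts, and it tolerates the header line that ss prints without -H.

```shell
#!/bin/sh
# Added example (not from the original article): summarise the live
# connection table the way steps 2, 4 and 5 do, parsing ss(8) columns by
# field so IPv6 peers and ports like 8080 are handled correctly.
set -eu

# Constructed sample of `ss -Htan state established`. Without the state
# column each line is: Recv-Q Send-Q Local:Port Peer:Port
ESTABLISHED_SAMPLE='0 0 192.0.2.10:443 203.0.113.2:51234
0 0 192.0.2.10:443 203.0.113.2:51235
0 0 192.0.2.10:80 203.0.113.2:51236
0 0 192.0.2.10:443 198.51.100.7:40001
0 0 [2001:db8::10]:443 [2001:db8:ffff::5]:55000
0 0 192.0.2.10:8080 203.0.113.9:60000
0 0 192.0.2.10:22 198.51.100.20:33333'

# Constructed sample of `ss -Htan state syn-recv` (half-open handshakes).
SYNRECV_SAMPLE='0 0 192.0.2.10:443 203.0.113.50:1111
0 0 192.0.2.10:443 203.0.113.51:1112
0 0 192.0.2.11:80 203.0.113.52:1113'

# Remove the :port suffix from an address:port field and unwrap the
# [ ] that ss puts around IPv6 addresses.
strip_port() {
  sed -E 's/:[0-9]+$//; s/^\[(.*)\]$/\1/'
}

# Peers connected to local ports 80 or 443, most connections first.
# Output lines are "<count> <peer ip>". The header line of a non -H
# capture has "Local" in field 3, so it is filtered out automatically.
top_web_peers() {
  awk '$3 ~ /:(80|443)$/ {print $4}' | strip_port | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Number of half-open connections. Prints 0 on empty input instead of
# failing, so it is safe under set -e.
synrecv_count() {
  grep -c . || true
}

# Local (target) addresses receiving the half-open connections.
synrecv_targets() {
  awk '{print $3}' | strip_port | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

echo "== peers on ports 80/443, most connections first =="
printf '%s\n' "$ESTABLISHED_SAMPLE" | top_web_peers
echo "== half-open (SYN-RECV) connections: $(printf '%s\n' "$SYNRECV_SAMPLE" | synrecv_count) =="
echo "== target addresses of the half-open connections =="
printf '%s\n' "$SYNRECV_SAMPLE" | synrecv_targets
```

On a server, replace the two `printf` lines with the live commands, for example `ss -Htan state established | top_web_peers`. A single peer holding an order of magnitude more connections than the rest, or a SYN-RECV count that keeps climbing between two runs a few seconds apart, is what to look for.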

    In some scenarios there may not be many established connections to the web server. Instead, Nginx may be serving a large number of short requests and proxying them to Apache, so that Apache is the component under load. If so, we can track down the requests in the access logs with these steps courtesy of our Support Team:

    1. First, we will navigate to the /var/www/vhosts/system directory.
    2. Then, we count the requests each domain received in the hour under investigation and write the result to a file. Replace 24/Jan/2022:20 with the date and hour being examined (the format is dd/Mon/yyyy:HH); access_ssl_log holds the HTTPS requests and access_log the plain HTTP ones:
      # for i in *;do echo -n "$i "; cat $i/logs/access_log $i/logs/access_ssl_log 2>/dev/null | grep -c '24/Jan/2022:20';done > ~/requests
    3. Finally, we can check the generated file as seen below:
      # cat ~/requests | sort -k 2 -r -n | head
      example.com 24549
      example.net 18545
      test.com 3

    For finished attack

    1. First, we will connect to the server through SSH.
    2. Then, we have to create an environment for investigation by executing the following commands:
      # mkdir /root/inv
      # cd /var/www/vhosts/system
      # for i in *; do mkdir /root/inv/$i; done
    3. Next, we will populate the environment with the files modified during the last three days:

      # for i in *; do find $i -mtime -3 -type f -exec cp -a {} /root/inv/$i \; ; done

      The -exec command must be terminated with an escaped semicolon (\;); a bare ;; is a syntax error in bash.
    4. After that we have to unzip the rotated log files as seen below:
      # cd /root/inv
      # for i in /root/inv/*/*; do [[ ${i:(-3)} == ".gz" ]] && gunzip "$i"; done
    5. Then, we will remove the statistics and configuration files that were copied along with the logs:
      # rm -f /root/inv/*/*.conf /root/inv/*/*.png /root/inv/*/*webalizer* /root/inv/*/*webstat* /root/inv/*/*html
    6. Next, we have to extract the entries from the day of the attack into one report per domain. Replace 30/Oct/2017 with the date of the attack. The -F option is required: without it the leading [ opens a bracket expression and grep aborts with "Unmatched [":
      # for i in *; do [[ -d $i ]] && grep -rhF "[30/Oct/2017" ./$i > $i.accessed; done
    7. After that we will sort the reports by size and find the most active client IP addresses, which are the first field of each log entry:
      # ls -laS | less
      # cut -f 1 -d ' ' *.accessed | sort -n | uniq -c | sort -nr | less
    8. Finally, we can find the domains which were targeted by these IP addresses with this command (escaped dots and -w keep 203.0.113.20 from being counted as 203.0.113.2):
      # grep -rcw '203\.0\.113\.2' /root/inv/*/* | sort -n -k2 -t:
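
The script below is an added example, not code from the original guide. It carries out the log-side analysis used by both the Nginx request-count check (requests per domain in one hour) and this post-attack procedure (entries for the attack day, top client IPs, domains hit by one IP). Instead of copying real logs into /root/inv it builds a throw-away copy of the Plesk log layout (/var/www/vhosts/system/<domain>/logs/access_log and access_ssl_log) in a temporary directory and fills it with constructed combined-format lines using documentation-range addresses; set SYSTEM_DIR to /var/www/vhosts/system to run it against a real server. It also applies the two fixes the commands above need: grep -F for the literal [ in the date stamp, and an anchored, word-bounded match so that 203.0.113.2 is not confused with 203.0.113.20.

```shell
#!/bin/sh
# Added example (not from the original article): the access-log counting
# steps on a constructed copy of the Plesk per-domain log layout.
set -eu

# Constructed layout. On a live host: SYSTEM_DIR=/var/www/vhosts/system
SYSTEM_DIR=$(mktemp -d)
trap 'rm -rf "$SYSTEM_DIR"' EXIT
mkdir -p "$SYSTEM_DIR/example.com/logs" "$SYSTEM_DIR/example.net/logs" "$SYSTEM_DIR/test.com/logs"

# Constructed combined-format entries; the client IP is the first field.
cat >"$SYSTEM_DIR/example.com/logs/access_ssl_log" <<'EOF'
203.0.113.2 - - [30/Oct/2017:20:01:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.2 - - [30/Oct/2017:20:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.2 - - [30/Oct/2017:20:01:03 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.20 - - [30/Oct/2017:20:01:04 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Oct/2017:23:59:59 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
cat >"$SYSTEM_DIR/example.com/logs/access_log" <<'EOF'
203.0.113.2 - - [30/Oct/2017:20:02:00 +0000] "GET /xmlrpc.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
EOF
cat >"$SYSTEM_DIR/example.net/logs/access_ssl_log" <<'EOF'
203.0.113.2 - - [30/Oct/2017:20:05:00 +0000] "GET / HTTP/1.1" 200 800 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Oct/2017:21:00:00 +0000] "GET / HTTP/1.1" 200 800 "-" "Mozilla/5.0"
EOF
: >"$SYSTEM_DIR/test.com/logs/access_ssl_log"

# Requests per domain whose timestamp starts with $1: "30/Oct/2017:20" for
# one hour, "30/Oct/2017" for the whole day. Output "<domain> <count>",
# busiest first. -F makes grep treat the leading "[" literally.
requests_per_domain() {
  for d in "$SYSTEM_DIR"/*/; do
    d=${d%/}
    n=$(cat "$d"/logs/access_log "$d"/logs/access_ssl_log 2>/dev/null | grep -cF "[$1" || true)
    printf '%s %s\n' "${d##*/}" "$n"
  done | sort -k2 -rn
}

# Client IPs across all domains for the day $1. Output "<count> <ip>".
top_client_ips() {
  cat "$SYSTEM_DIR"/*/logs/access*log 2>/dev/null | grep -F "[$1" \
    | cut -d' ' -f1 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Domains hit by client IP $1, most-hit first. The dots are escaped and the
# match is anchored and word-bounded, so 203.0.113.2 does not match 203.0.113.20.
domains_hit_by() {
  pat=$(printf '%s' "$1" | sed 's/\./\\./g')
  for d in "$SYSTEM_DIR"/*/; do
    d=${d%/}
    n=$(cat "$d"/logs/access*log 2>/dev/null | grep -cw "^$pat" || true)
    printf '%s %s\n' "${d##*/}" "$n"
  done | sort -k2 -rn
}

echo "== requests per domain, 30/Oct/2017 20:00-20:59 =="
requests_per_domain "30/Oct/2017:20"
echo "== top client IPs on 30/Oct/2017 =="
top_client_ips "30/Oct/2017" | head -n 5
echo "== domains hit by 203.0.113.2 =="
domains_hit_by 203.0.113.2
```

The per-domain loop reads access_log and access_ssl_log together, since an attacker rarely restricts itself to one scheme; if only the proxy layer was hit, add Plesk's proxy_access_log and proxy_access_ssl_log to the same cat.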

    On Windows: How to diagnose a DoS/DDoS attack on a Plesk server

    For real-time attack

    1. First, we will connect to the server through RDP.
    2. Then, we have to start the command prompt and run these commands in order to count the connections on ports 80 and 443:
      C:\>netstat -ano | find /c ":80 "
      C:\>netstat -ano | find /c ":443 "
      The colon and trailing space restrict the match to the port column; a bare find /c "80" would also count PIDs and any address or port that merely contains the digits 80. The LISTENING socket itself contributes one line to each count.

    Our Support Engineers would like to point out that hundreds or thousands of connections on the same port is a strong indication of a DDoS attack, especially when the number is far above the site's normal traffic or most connections share a handful of source addresses. A popular site can legitimately hold many connections, so compare the count against a baseline from a quiet period before drawing conclusions.

    [Looking for a solution to another query? We are just a click away.]

    Conclusion

    In essence, our skilled Support Engineers at Bobcares demonstrated how to diagnose a DoS/DDoS attack on a Plesk server.

    PREVENT YOUR SERVER FROM CRASHING!

    Never again lose customers to poor server speed! Let us help you.

    Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

    GET STARTED