Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are serious threats to any server, including those running Plesk. These attacks can cause significant disruption to your services by overwhelming the server with excessive traffic, rendering websites slow or completely unavailable. Detecting and mitigating these attacks in real time is crucial for minimizing the damage. In this guide, we’ll walk through how to diagnose a DoS/DDoS attack and identify affected websites on a Plesk server, both for Linux and Windows environments.


Real-Time Attack Diagnosis on a Linux Server


1. Connect to the Server via SSH

To begin investigating the attack, you’ll need SSH access to the server. Use the following command to connect:

ssh user@server-ip

Once connected, you can begin diagnosing the attack.


2. Determine the Source IP Addresses and Number of Connections

The first step is to identify the IP addresses generating excessive traffic. This can be done by checking the number of connections established on ports 80 (HTTP) and 443 (HTTPS).

Run the following command:

ss -tan state established | grep ":80\|:443" | awk '{print $4}' | cut -d':' -f1 | sort -n | uniq -c | sort -nr

Sample Output:
  150 192.168.1.10
  100 203.0.113.2
   50 192.168.1.15
   30 203.0.113.3
   25 192.168.1.20

This lists the client IP addresses that hold established connections to the HTTP and HTTPS ports, sorted by connection count (with the state filter applied, the fourth column of the ss output is the peer address). Note that cut -d':' -f1 assumes IPv4 peers; an IPv6 address would be truncated at its first colon.


3. Identify the Domains Under Attack

To determine which websites are being targeted, you can check the access logs for recent connections. Run the following script to search through access logs of all domains:

for log in /var/www/vhosts/system/*/logs/*access*log; do
  # anchored to the start of the line so 203.0.113.2 does not also match 203.0.113.20
  echo -n "$log "; tail -n10000 "$log" | grep -c "^203\.0\.113\.2 "
done | sort -n -k2

Sample Output:
/var/www/vhosts/system/test.com/logs/access_log 5
/var/www/vhosts/system/example.net/logs/access_log 20
/var/www/vhosts/system/example.com/logs/access_log 45

Replace 203.0.113.2 with the suspected attacker's IP. This will help identify which domains are receiving the most requests from that specific IP.


4. Check for SYN Floods

SYN flood attacks are a common form of DoS attack where the server’s resources are exhausted by incomplete TCP connection requests. To check for this, run:

ss -tan state syn-recv | wc -l

Sample Output: 300

This command counts connections in the SYN_RECV state, that is, half-open handshakes. Compare the figure with the server's normal baseline: a handful is expected on any busy server, while a count that stays in the hundreds or thousands points to a SYN flood.


5. Identify the Target IP Address Under Attack

If the server is under attack, there may not be many established connections to the web server, but there may be a large number of half-open requests that Apache or Nginx has not yet completed. To pinpoint the target address, group the SYN_RECV connections by local IP (netstat is part of the net-tools package; ss -tan state syn-recv shows the same sockets):

netstat -lpan | grep SYN_RECV | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nr

Sample Output:
  180 192.168.1.10
  150 203.0.113.2
  100 192.168.1.15
   50 192.168.1.20

This will identify the most common target IP addresses under attack.
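Both the step 2 and step 5 pipelines strip the port with cut -d':' -f1, which mangles IPv6 peers such as [2001:db8::5]:443. The script below is an added example, not a command from the original article: it groups established web connections per peer address from ss -tan state established output by removing only the final :port, and it runs on constructed sample output rather than a capture from a real server.

```shell
#!/bin/sh
# Added example, not from the original article. Counts established web
# connections per peer address from "ss -tan state established" output.
# Only the trailing ":port" is removed, so IPv6 peers survive intact
# (cut -d':' -f1 would cut [2001:db8::5]:40001 down to "[2001").
# SS_SAMPLE is constructed sample output, not a capture from a real host.
SS_SAMPLE='Recv-Q Send-Q Local Address:Port Peer Address:Port Process
0      0      192.168.1.10:443     203.0.113.2:51234
0      0      192.168.1.10:80      203.0.113.2:51235
0      0      192.168.1.10:443     203.0.113.2:51236
0      0      [2001:db8::10]:443   [2001:db8::5]:40001
0      0      [2001:db8::10]:443   [2001:db8::5]:40002
0      0      192.168.1.10:22      198.51.100.7:60000'

# peer_counts: read ss output on stdin, keep sockets whose local port is
# 80 or 443, and print "count peer" lines, busiest peer first.
peer_counts() {
    awk 'NR > 1 {
        laddr = $3; peer = $4
        lport = laddr; sub(/.*:/, "", lport)        # text after the last colon
        if (lport != "80" && lport != "443") next   # not a web socket
        sub(/:[0-9]+$/, "", peer)                   # drop only the peer port
        if (substr(peer, 1, 1) == "[")              # unwrap IPv6 brackets
            peer = substr(peer, 2, length(peer) - 2)
        n[peer]++
    }
    END { for (p in n) print n[p], p }' | sort -rn
}

# top_peer: peer address with the most web connections in SS_SAMPLE.
top_peer() {
    printf '%s\n' "$SS_SAMPLE" | peer_counts | head -n 1 | awk '{print $2}'
}

# count_for PEER: number of web connections from one peer (empty if none).
count_for() {
    printf '%s\n' "$SS_SAMPLE" | peer_counts | awk -v ip="$1" '$2 == ip {print $1}'
}

printf '%s\n' "$SS_SAMPLE" | peer_counts
```

On a live server replace the printf of SS_SAMPLE with the real ss command, e.g. ss -tan state established | peer_counts.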


6. Track Requests Processed by Apache and Nginx

Requests may be getting handled by Nginx before reaching Apache. To track the number of requests served by Nginx, navigate to the /var/www/vhosts/system directory:

cd /var/www/vhosts/system

Generate a file that logs the number of requests in the last hour:

for i in *; do echo -n "$i "; grep '24/Jan/2022:20' "$i/logs/access_ssl_log" 2>/dev/null | wc -l; done > ~/requests

Replace 24/Jan/2022:20 with the date and hour you want to examine; the pattern above matches every request logged between 20:00 and 20:59 on 24 January 2022. access_ssl_log holds HTTPS requests only; count access_log as well if the site also serves plain HTTP.

To view the requests, run:

sort -k2 -rn ~/requests | head

Sample Output:
example.com 24549
example.net 18545
test.com 3

This will show the domains with the highest number of requests in the last hour, helping you identify the most targeted websites.


Finished Attack Diagnosis on a Linux Server

If you are investigating a completed attack, you’ll need to gather and analyze logs over the last few days.


1. Set Up an Investigation Environment

Create a directory for storing investigation files:

mkdir /root/inv

Next, go to the /var/www/vhosts/system directory and create directories for each domain:

cd /var/www/vhosts/system
for i in *; do mkdir "/root/inv/$i"; done

Sample Output:
/root/inv/example.com
/root/inv/example.net
/root/inv/test.com

2. Copy Relevant Logs

Copy logs from the last few days into your investigation environment:

for i in *; do find "$i" -mtime -3 -type f -exec cp -a {} "/root/inv/$i" \; ; done

Sample Output:
/root/inv/example.com/access_log
/root/inv/example.com/error_log
/root/inv/example.net/access_log
/root/inv/test.com/access_log

3. Unzip Log Files

If the logs are compressed, unzip them for easier access:

cd /root/inv
for i in /root/inv/*/*; do [[ $i == *.gz ]] && gunzip "$i"; done

Sample Output:
/root/inv/example.com/access_log
/root/inv/example.com/error_log
/root/inv/example.net/access_log

4. Remove Irrelevant Files

Delete unnecessary configuration and statistic files to focus on the logs:

rm -f /root/inv/*/*.conf /root/inv/*/*.png /root/inv/*/*webalizer* /root/inv/*/*webstat /root/inv/*/*html

Sample Output:
Removing: /root/inv/example.com/example.conf
Removing: /root/inv/example.net/webalizer_stats.png

5. Extract Logs from the Day of the Attack

To focus on the attack period, extract log entries from the day of the attack. For example, if the attack occurred on October 30, 2017:

# run from /root/inv; writes one <domain>.accessed file per domain next to the domain directories
for i in *; do [[ -d $i ]] && grep -rh "\[30/Oct/2017" "./$i" > "$i.accessed"; done

Sample Output:
/root/inv/example.com.accessed
/root/inv/example.net.accessed

6. Analyze Log Files by Size

To find the most targeted websites, sort the log files by size:

ls -laS | less

Sample Output:
-rw-r--r-- 1 root root 120K Oct 30 10:00 example.com.accessed
-rw-r--r-- 1 root root 80K Oct 30 10:05 example.net.accessed
-rw-r--r-- 1 root root 25K Oct 30 10:15 test.com.accessed

Larger log files indicate more requests during the attack.


7. Identify the Most Frequent IP Addresses

To see which IPs made the most requests, use the following command:

cut -f 1 -d ' ' *.accessed | sort -n | uniq -c | sort -nr | less

Sample Output:
100 203.0.113.2
80 192.168.1.10
50 203.0.113.3
30 192.168.1.15

This will help identify the IP addresses involved in the attack.


8. Find the Domains Targeted by Specific IPs

Finally, you can identify which domains were targeted by each IP:

grep -rc 203.0.113.2 /root/inv/*/* | sort -t: -k2 -nr

Sample Output:
/root/inv/example.com/access_log:45
/root/inv/example.net/access_log:10
/root/inv/test.com/access_log:3

Replace 203.0.113.2 with the IP address you want to investigate.
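Steps 3 and 6 count requests per domain, and steps 7 and 8 rank client addresses and map one address back to the domains it hit. The script below is an added example, not a command from the original article: it puts those four lookups into reusable functions over a constructed copy of the vhost log layout, and it accepts an hour prefix as well as a day, so it covers the real-time hourly count too.

```shell
#!/bin/sh
# Added example, not from the original article: the per-domain and per-IP
# counts of steps 3, 6, 7 and 8 as functions over a log tree laid out like
# /var/www/vhosts/system/<domain>/logs/access_log. ROOT is a temp dir and
# every log line below is constructed for the demo, not real traffic.
ROOT=$(mktemp -d)
mk() { mkdir -p "$ROOT/$1/logs"; cat > "$ROOT/$1/logs/access_log"; }
mk example.com <<'EOF'
203.0.113.2 - - [30/Oct/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.0"
203.0.113.2 - - [30/Oct/2017:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.0"
203.0.113.2 - - [30/Oct/2017:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.0"
203.0.113.20 - - [30/Oct/2017:10:01:00 +0000] "GET /a HTTP/1.1" 200 99 "-" "Mozilla"
198.51.100.7 - - [29/Oct/2017:23:59:59 +0000] "GET /b HTTP/1.1" 200 99 "-" "Mozilla"
EOF
mk example.net <<'EOF'
203.0.113.2 - - [30/Oct/2017:11:30:00 +0000] "POST /login HTTP/1.1" 403 10 "-" "curl/7.0"
198.51.100.7 - - [30/Oct/2017:11:31:00 +0000] "GET / HTTP/1.1" 200 99 "-" "Mozilla"
EOF

# day_lines ROOT PREFIX: every request whose timestamp starts with PREFIX
# (a day such as 30/Oct/2017, or an hour such as 30/Oct/2017:10), each line
# prefixed with its domain so later stages can group by domain or by client.
day_lines() {
    for d in "$1"/*/; do
        d=${d%/}; dom=${d##*/}
        grep -hF "[$2" "$d"/logs/*access*log 2>/dev/null | sed "s|^|$dom |"
    done
}
tally() { sort | uniq -c | sort -rn | awk '{print $1, $2}'; }   # "count key"
# requests_per_domain ROOT PREFIX -> "count domain", busiest domain first
requests_per_domain() { day_lines "$1" "$2" | cut -d' ' -f1 | tally; }
# top_ips ROOT PREFIX -> "count ip", noisiest client first
top_ips() { day_lines "$1" "$2" | cut -d' ' -f2 | tally; }
# domains_for_ip ROOT PREFIX IP -> "count domain" hit by that exact client
# (an exact field match, so 203.0.113.2 does not also count 203.0.113.20)
domains_for_ip() { day_lines "$1" "$2" | awk -v ip="$3" '$2 == ip {print $1}' | tally; }

requests_per_domain "$ROOT" 30/Oct/2017
top_ips "$ROOT" 30/Oct/2017
domains_for_ip "$ROOT" 30/Oct/2017 203.0.113.2
```

On a Plesk host, point ROOT at /var/www/vhosts/system (or at the /root/inv copy from the steps above) instead of the constructed tree.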

Real-Time Attack Diagnosis on a Windows Server

For Windows servers, diagnosing a DoS/DDoS attack is straightforward using built-in tools.


1. Connect to the Server via RDP

Use Remote Desktop Protocol (RDP) to connect to your Windows server.


2. Check the Number of Connections on Ports 80 and 443

Open the Command Prompt and run the following commands to check for a high number of connections to HTTP (port 80) and HTTPS (port 443):

C:\> netstat -ano | find /c ":80 "
Sample Output: 150

C:\> netstat -ano | find /c ":443 "
Sample Output: 200

The pattern includes the colon and a trailing space so that only the port column is counted; searching for a bare "80" would also count process IDs and other ports, such as 8080, that happen to contain those digits.

If you see hundreds or thousands of connections to these ports, the server is likely under a DDoS attack.


Conclusion

Diagnosing a DoS/DDoS attack on a Plesk server requires a combination of monitoring server load, analyzing logs, and checking network traffic. By using the tools and techniques described in this guide, you can identify which websites are under attack and take the necessary steps to mitigate the attack. Remember to regularly monitor traffic, implement security measures like firewalls, and consider third-party DDoS protection services to prevent future attacks.
