// case type

DDoS investigation

post-event scoping of a volumetric / app-layer attack. evidence is pcap, flow, edge logs, and the botnet fingerprint.

tools · 12
priority · L
processing · local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. pcap reader · drop a .pcap or .pcapng · parse packets · filter by protocol · extract HTTP · DNS · plaintext credentials · runs locally
  2. pcap / pcapng analyzer · drop a pcap or pcapng file · packet list · protocol breakdown · tcp stream reconstruction · dns queries · http requests · connection graph · runs locally
  3. netflow analyzer · drop netflow v5, v9 or ipfix exports · traffic patterns · top talkers · protocol distribution · geographic connections · runs locally
  4. PCAP network flow reconstructor · drop a pcap or pcapng file · parse all packets · reconstruct tcp and udp flows · compute flow statistics · surface top talkers, unusual ports and flow anomalies · runs locally
  5. network flow anomaly detector · drop a pcap, pcapng or zeek conn log · apply statistical anomaly detection to network flows · surface outliers in byte count, duration, connection rate and port usage · identify scanning, exfiltration and tunneling anomalies · runs locally
  6. tls ja3 fingerprinter · drop a pcap file · extract tls client hellos · compute ja3 fingerprints · identify known clients and malware · database of known fingerprints · runs locally
  7. passive os fingerprinter from pcap · drop a pcap file · infer the operating system of every host from tcp/ip stack behavior · ttl values · window sizes · tcp options ordering · ip flag patterns · no active probing · identify os from existing captured traffic · runs locally
  8. nginx / apache log analyzer · drop access.log · parse combined log format · top IPs · paths · status codes · user agents · detect scanning · brute force · 404 storms · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. http access log analyzer · drop apache, nginx or iis access logs · request timeline · top ips · error analysis · scanner detection · web shell access · sqli / xss patterns · runs locally
  2. zeek / bro log analyzer · drop zeek tsv logs · conn, dns, http, ssl, files, weird · correlate across logs · connection timeline · ioc extraction · runs locally
  3. irc botnet log analyzer · drop irc log files · detect bot commands · extract c2 channels · nick patterns · command flood · runs locally
  4. case report generator · fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
// case-kit pipeline

run as a stack

skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.

  • DDoS — post-event scope

    9 steps

    drop netflow + pcap + DNS + edge logs → flow reconstruct → beacon detect → OS fingerprint → IOC extract → report

    1. 01 evidence-manifest-generator · hash pcap + flow exports before analysis
    2. 02 netflow-analyzer · netflow summary · volumetric attack profile
    3. 03 pcap-flow-reconstructor · reconstruct flows from pcap for application-layer attack patterns
    4. 04 dns-log-analyzer · DNS query analysis for amplification / reflection sources
    5. 05 cloudflare-log-analyzer · edge log analysis if traffic passed through Cloudflare
    6. 06 host-beaconing-detector · detect botnet beacon patterns in the attack traffic
    7. 07 passive-os-fingerprinter · passive OS fingerprinting of attack source hosts
    8. 08 ioc-extractor · pull source IPs + ASNs from log text for a blocking list
    9. 09 case-report-generator · draft a report scoping attack volume + source infrastructure
// pattern-matched

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. these carry less editorial weight: scan them, don't work top-down.
