fatcousin
// investigation guide

DDoS investigation — methodology

ddos investigation is not watching a graph turn red. it is post-event scoping — what hit the edge, from where, with what fingerprint, and whether the app layer saw a parallel burst. your job is to correlate pcap slices, flow exports, and access logs into a source list and botnet signature — ja3 clusters and passive os fingerprints outlast single ips — before retention windows roll and your isp scrubs the detail you need for blocking and abuse reports.

what evidence exists and how fast it dies

artifactvolatilitytime to loss
edge pcap slice (during attack)rollinghours — ring buffers overwrite fast at line rate
netflow / sflow / ipfix exportrolling7–30 days typical; longer if archived to cold storage
nginx / apache access logsrolling7–90 days depending on retention policy
cdn / scrubber dashboard exportsrolling30 days common on vendor portals
firewall session / threat logsrolling30–90 days; often summarized after 7 days
isp upstream flow detailrequest-dependentmust be requested during attack or within days

the first 10 minutes

  1. confirm mitigation is active — do not pull logs while still absorbing unmitigated flood.
  2. export edge pcap slice covering attack peak — even 60 seconds at line rate helps.
  3. pull netflow / sflow for the attack window plus 15 minutes baseline before onset.
  4. export nginx or reverse-proxy access logs for the same window.
  5. note target ip, port, and protocol — syn flood vs https get storm vs udp amplification differ.
  6. identify top 20 source ips by bytes and packets from flow export.
  7. check for shared ja3 or user-agent clusters across sources.
  8. open isp / upstream ticket for flow detail if your edge only saw scrubbed traffic.
  9. begin blocklist draft from flow talkers — do not wait for full attribution.
  10. begin the path below.

the path

  1. 1. pcap reader

    edge attack slice pcap. packet count, link type, and per-packet 5-tuple summary — confirms capture scope before deep analysis.why first: you need to know the slice is complete and the target port before you trust flow stats.

  2. 2. pcap analyzer

    same edge pcap. protocol breakdown, syn/tls/http flags, conversation keys — surfaces syn flood vs tls clienthello vs cleartext get mix.why second: volumetric attacks hide in aggregate — protocol labels separate syn noise from app-layer bursts.

  3. 3. netflow analyzer

    netflow v5 edge export. top talkers, bytes/packets per source, tcp flag summary — 40 bot talkers in the fixture slice.why third: pcap is a slice; netflow gives the volumetric profile your edge saw across the full window.

  4. 4. pcap flow reconstructor

    edge pcap flows. per-flow duration, byte counts, tcp state, short-flow and no-syn anomalies — maps half-open syn and tls hello patterns.why fourth: flow reconstruction turns packet noise into blockable source/port tuples.

  5. 5. network flow anomaly detector

    reconstructed flows from pcap. z-score outliers on bytes and rate — flags statistical spikes across the botnet slice.why fifth: not every source in the /24 is equal — anomaly scoring prioritizes the heaviest talkers.

  6. 6. tls ja3 fingerprinter

    tls clienthello records in the pcap. ja3 hash clusters across sources — shared bot kit fingerprint even when ips rotate.why sixth: ja3 clusters tie disparate ips to the same malware family or stress tool.

  7. 7. passive os fingerprinter

    syn packets from attack sources. ttl/window/mss fingerprint — mixed os guesses across the botnet (linux 5.x cluster in fixture).why seventh: os fingerprint diversity hints at a heterogeneous botnet vs a single compromised subnet.

  8. 8. nginx log analyzer

    nginx access log export. request rate per ip, status codes, scan paths, user-agent — 620-request burst from a single source in fixture.why last: app-layer floods leave path and ua artifacts that pure syn captures miss.

common false leads

  • one noisy ip is the whole attack — volumetric floods spread across hundreds of sources in a /24 or wider.
  • syn flood means no app-layer evidence — parallel https get storms and tls hello bursts are common.
  • blocking the top talker ends it — botnets rotate sources; fingerprint (ja3, ua, syn stack) outlasts single ips.
  • mitigation graphs are enough for scope — scrubbers aggregate away the per-source detail you need for abuse reports.
  • all attack traffic looks like linux — heterogeneous botnets mix os fingerprints; one outlier ip may be a reflector, not the bot.

what we can tell you, what we can't

we can tell you:

  • pcap packet and protocol breakdown from your edge slice
  • netflow talker rankings and tcp flag summaries
  • flow reconstruction with short-flow and anomaly flags
  • ja3 clusters and passive os fingerprints from captured packets
  • nginx access log rate anomalies, paths, and user-agent patterns

we can't tell you:

  • live botnet c2 attribution — intel and law enforcement territory
  • upstream isp flow detail you did not export during the window
  • whether a specific ip is a compromised host vs spoofed source without your isp's validation
  • guaranteed mitigation efficacy — network team must deploy blocks in your stack

handing it off

  • network / soc: top talker ip list, ja3 hash, block recommendations, nginx ua/path iocs.
  • isp / upstream: attack window timestamps, target ip:port, peak bps/pps from your flow export.
  • law enforcement / abuse desk: representative pcap slice, netflow summary, shared ja3 fingerprint.

further reading

reference investigation

synthetic fixture ashford-ddos-investigation — edge syn flood from 198.51.100.0/24 against origin 203.0.113.50, tls clienthello cluster, netflow v5 talkers, nginx 620-request burst from 198.51.100.44, seed ashford-ddos-investigation:v1. compare output via npm run check:flagship.

fixture download: evidence zip · proof page: /forensics/proof/ashford-ddos-investigation · case playbook: case type tools

run the ddos kit →forensics home
ready