DDoS investigation
post-event scoping of a volumetric / application-layer attack. evidence is pcap, flow records (netflow), DNS query logs, edge (CDN / WAF) logs, and whatever fingerprint the attacking hosts leave behind (OS, check-in cadence, ASN).
a guided path, not automation — each step opens a tool you run yourself; nothing uploads. progress is saved only in this browser.
wraps the "DDoS — post-event scope" preset: drop netflow + pcap + DNS + edge logs → flow reconstruct → DNS reflection check → edge log review → beacon detect → OS fingerprint → IOC extract → report
guided steps
- PCAP network flow reconstructor
rebuild TCP/UDP flows from the pcap, rank sources and destinations by flows / packets / bytes, then inspect the hot flows for application-layer patterns (repeated requests to one path, half-open connections, oversized bodies)
- dns query log analyzer
find amplification / reflection sources: answers to queries your network never sent, and query types with large responses (ANY, TXT, DNSSEC). the addresses you see here are the reflectors, not the bots behind them
- cloudflare waf & access log analyzer
if traffic passed through Cloudflare, use the edge logs: they carry the real client IP and the WAF action taken, where the origin only sees Cloudflare's own address ranges
- host-based beaconing detector
detect timer-driven (periodic, low-jitter) connections in the capture: a source that also checks in on a fixed interval is bot-driven, unlike the burst traffic of the flood itself or a spoofed address
- passive os fingerprinter from pcap
passive OS fingerprinting (TTL, window size, TCP options) of attack source hosts. only meaningful for sources that completed a handshake; a spoofed SYN carries whatever values the flood tool set, so it fingerprints the tool, not the host
- ioc extractor
pull source IPs (and their ASNs) out of the log text and aggregate them into a ranked blocklist
suggested options · format: json · aggregate: true
- case report generator
draft a report that scopes the attack (peak pps / bps, duration, vectors) and the source infrastructure (ASNs, reflectors, bot hosts)
suggested options · title: DDoS — post-event scope
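the flow reconstruct → beacon detect → IOC extract chain, worked through on netflow-style records. this is an added example, not one of the tools above: the flow tuple layout, the inline sample flows and the ASN map are all constructed here (a real run would take the collector's export and a whois / BGP lookup).

```python
"""Post-event DDoS scoping over netflow-style records (added example).

Field order (ts, src, dst, dport, proto, bytes, pkts) is an assumption about a
generic flow export, not any specific collector's schema.
"""
import json
import statistics
from collections import defaultdict

# Constructed sample flows. Three sources burst at 198.51.100.5:80 with many
# small packets, 203.0.113.7 checks in to :443 every ~60 s, and
# 198.51.100.20 is an ordinary client.
FLOWS = [
    (5,   "192.0.2.10",    "198.51.100.5", 80,  "tcp", 60_000, 1500),
    (6,   "192.0.2.10",    "198.51.100.5", 80,  "tcp", 58_000, 1450),
    (30,  "192.0.2.10",    "198.51.100.5", 80,  "tcp", 61_000, 1520),
    (31,  "192.0.2.10",    "198.51.100.5", 80,  "tcp", 59_000, 1480),
    (5,   "192.0.2.11",    "198.51.100.5", 80,  "tcp", 40_000, 1000),
    (7,   "192.0.2.11",    "198.51.100.5", 80,  "tcp", 42_000, 1050),
    (90,  "192.0.2.11",    "198.51.100.5", 80,  "tcp", 41_000, 1020),
    (8,   "192.0.2.12",    "198.51.100.5", 80,  "tcp", 20_000,  500),
    (0,   "203.0.113.7",   "198.51.100.5", 443, "tcp",  1_200,    9),
    (60,  "203.0.113.7",   "198.51.100.5", 443, "tcp",  1_150,    9),
    (121, "203.0.113.7",   "198.51.100.5", 443, "tcp",  1_220,   10),
    (180, "203.0.113.7",   "198.51.100.5", 443, "tcp",  1_190,    9),
    (241, "203.0.113.7",   "198.51.100.5", 443, "tcp",  1_210,    9),
    (15,  "198.51.100.20", "198.51.100.5", 443, "tcp", 35_000,   40),
]

# Constructed ASN map standing in for a whois / BGP lookup (assumption).
ASN = {"192.0.2.10": 64496, "192.0.2.11": 64496,
       "192.0.2.12": 64497, "203.0.113.7": 64498}


def aggregate_sources(flows):
    """Per-source totals: the flow-reconstruct step reduced to top-talker counts."""
    agg = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0})
    for _ts, src, _dst, _dport, _proto, nbytes, pkts in flows:
        agg[src]["flows"] += 1
        agg[src]["pkts"] += pkts
        agg[src]["bytes"] += nbytes
    return dict(agg)


def detect_beacons(flows, min_events=4, max_jitter=0.2):
    """Sources contacting one dst:port at near-constant intervals.

    Jitter is stdev/mean of the inter-arrival times; a timer-driven check-in
    stays well under max_jitter, a flood burst or human traffic does not.
    """
    series = defaultdict(list)
    for ts, src, dst, dport, _proto, _nbytes, _pkts in flows:
        series[(src, dst, dport)].append(ts)
    beacons = {}
    for (src, dst, dport), stamps in series.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        if mean > 0 and statistics.pstdev(deltas) / mean <= max_jitter:
            beacons[src] = {"dst": f"{dst}:{dport}", "period_s": round(mean, 1)}
    return beacons


def extract_iocs(flows, asn_map, min_pkts=100):
    """Blocklist candidates ranked by packets, annotated with ASN and beacon cadence.

    Sources below min_pkts are dropped unless they beacon: a quiet host with a
    fixed check-in timer is more interesting than its packet count suggests.
    """
    agg = aggregate_sources(flows)
    beacons = detect_beacons(flows)
    rows = [
        {"ip": ip, "asn": asn_map.get(ip), "beacon": beacons.get(ip), **stats}
        for ip, stats in agg.items()
        if stats["pkts"] >= min_pkts or ip in beacons
    ]
    rows.sort(key=lambda r: r["pkts"], reverse=True)
    return rows


def render_json(rows):
    """The 'format: json, aggregate: true' shape suggested for the ioc extractor."""
    return json.dumps({"format": "json", "aggregate": True, "sources": rows}, indent=2)


if __name__ == "__main__":
    print(render_json(extract_iocs(FLOWS, ASN)))
```

on the sample the three 192.0.2.x hosts top the list by packets and 203.0.113.7 is kept for its 60 s cadence although it sent almost nothing. keep in mind what a source address means in each vector: in a spoofed flood it is whatever the attacker wrote in the header, and in a reflection attack it is the reflector, so the ranked list scopes the volume but only beaconing or handshake-completing hosts are evidence about the bots themselves.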
when you're done
export a run summary: a small JSON record of which steps you marked done, your notes, and a self-hash so the record can't be silently altered. it is your reproducibility note, not a per-tool receipt: each tool emits its own input→output receipt when you run it. the self-hash catches accidental or unnoticed edits; anyone who edits the record can recompute it, so if you need tamper evidence keep the hash value somewhere outside the record too.
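how a self-hashed record of this kind can be sealed and checked, as an added example rather than the page's own export code. the summary fields are constructed; the real record's field names are not shown on the page, and the canonical-JSON + SHA-256 scheme is an assumption about one sound way to do it.

```python
"""Self-hashed run summary (added example, not the page's own export format)."""
import hashlib
import hmac
import json

HASH_FIELD = "self_hash"


def canonical(record):
    """Deterministic bytes: sorted keys, no whitespace, NaN rejected.

    Without a fixed serialization the same record could hash differently
    depending on key order or pretty-printing, and verification would fail
    on an untouched file.
    """
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      allow_nan=False).encode("utf-8")


def seal(summary):
    """Return a copy of summary with HASH_FIELD set to SHA-256 of everything else."""
    body = {k: v for k, v in summary.items() if k != HASH_FIELD}
    digest = hashlib.sha256(canonical(body)).hexdigest()
    return {**body, HASH_FIELD: digest}


def verify(sealed):
    """True only if the record's other fields still hash to its self_hash."""
    claimed = sealed.get(HASH_FIELD)
    if not isinstance(claimed, str):
        return False
    body = {k: v for k, v in sealed.items() if k != HASH_FIELD}
    expected = hashlib.sha256(canonical(body)).hexdigest()
    return hmac.compare_digest(expected, claimed)


# Constructed sample of what such a summary might hold.
SUMMARY = {
    "preset": "DDoS post-event scope",
    "steps_done": ["flow_reconstruct", "beacon_detect", "ioc_extract"],
    "notes": {"ioc_extract": "three sources account for most of the packets"},
    "finished_at": "2024-05-01T10:22:00Z",
}


if __name__ == "__main__":
    sealed = seal(SUMMARY)
    print(json.dumps(sealed, indent=2))
    tampered = dict(sealed, steps_done=sealed["steps_done"] + ["report"])
    print("untouched verifies:", verify(sealed))
    print("edited verifies:   ", verify(tampered))
```

the hash is excluded from its own input and the record is re-serialized canonically on both sides, so pretty-printing or reordering keys in a text editor does not break verification while changing a value does. this is integrity against accidental or unnoticed change only; a signature or an externally stored copy of the hash is what makes it evidence.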