// reference investigation

ashford-ddos-investigation — edge SYN flood + access log burst

Ashford Edge Hosting origin 203.0.113.50 hit by 198.51.100.0/24 botnet SYN flood, TLS ClientHello cluster, NetFlow v5 talkers, and nginx access log rate anomaly. Fully synthetic.

what this proves

  • all eight ddos-investigation primary engines produce deterministic, fixture-locked output — verified by npm run check:flagship (200/200 fleet · 8 for this scenario).
  • every output is generated 100% locally in your browser — export pcap slices and logs, never upload edge captures.
  • syn flood from 198.51.100.0/24, tls clienthello cluster, netflow v5 talkers, and nginx 620-request burst from 198.51.100.44 surface without sending evidence to a server.

primary engines locked to this fixture

build the case binder

runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for ddos — no upload.


download the synthetic evidence

MIT-licensed, fully synthetic. includes edge attack slice pcap, netflow v5 export, nginx access log, and case summary against origin 203.0.113.50.

built deterministically from scripts/fixtures/build-ashford-ddos-investigation.mjs. seed: ashford-ddos-investigation:v1.

methodology

ddos investigation is post-event scoping — pcap slice first, then netflow talkers, flow reconstruction, ja3 clusters, and the nginx burst, all before retention windows roll. walk pcap reader → pcap analyzer → netflow → flow reconstructor → anomaly detector → ja3 → passive os → nginx log.
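the last step of that walk, as an added example that is not one of the project's own engines: an nginx access log rate-anomaly check that buckets requests per source per fixed window and reports every bucket over a threshold. the log lines, window size and threshold are constructed for the example; the burst source 198.51.100.44 is the one named in the scenario.

```javascript
// Added example, not one of the project's engines: per-source request-rate
// burst detection over nginx combined-format access log lines.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "10/Mar/2024:14:03:07 +0000" -> epoch seconds, timezone offset applied.
function parseNginxTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || MONTHS[m[2]] === undefined) return null;
  const asUtc = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]) / 1000;
  const offset = (+m[8] * 3600 + +m[9] * 60) * (m[7] === '+' ? 1 : -1);
  return asUtc - offset;
}

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;                       // malformed line: skip, don't abort
  const ts = parseNginxTime(m[2]);
  return ts === null ? null : { ip: m[1], ts, request: m[3], status: +m[4] };
}

// Count requests per (source, fixed window) and report every pair whose
// count exceeds threshold. Deterministic: same lines, same findings.
function detectBursts(lines, { windowSec = 10, threshold = 50 } = {}) {
  const counts = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    const key = `${e.ip}|${Math.floor(e.ts / windowSec) * windowSec}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  const findings = [];
  for (const [key, n] of counts) {
    if (n <= threshold) continue;
    const [ip, win] = key.split('|');
    findings.push({ ip, windowStart: +win, requests: n });
  }
  return findings.sort((a, b) => a.windowStart - b.windowStart || b.requests - a.requests);
}

// Constructed sample: 120 hits from 198.51.100.44 inside one 10 s window,
// three ordinary hits from 192.0.2.10 spread over a minute, one junk line.
function sampleLines() {
  const mk = (ip, sec, path) => `${ip} - - [10/Mar/2024:14:03:${String(sec).padStart(2, '0')} +0000] ` +
    `"GET ${path} HTTP/1.1" 200 512 "-" "curl/8.4"`;
  const lines = ['not an access log line'];
  for (let i = 0; i < 120; i++) lines.push(mk('198.51.100.44', 10 + (i % 10), '/'));
  for (const s of [5, 25, 45]) lines.push(mk('192.0.2.10', s, '/index.html'));
  return lines;
}
```

the findings array is the csv/json you would feed to the timeline correlator: one row per (source, window) with its start time and count.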

after the playbook

run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across syn flood onset, tls clienthello cluster, netflow talkers, flow anomaly, and nginx access burst — still zero upload.

synthetic scenario only · no real infrastructure · no real victim
