// first 10 minutes
DDoS investigation — quick-start
DDoS investigation — first 10 minutes. Absorb or divert the traffic first, then preserve evidence. Print this, check the boxes, then run the primary tools.
checklist
- activate scrubbing center, CDN DDoS mode, or ISP null-route — traffic diversion comes before attribution. A null-route drops the whole target prefix (it completes the outage for that address), so reserve it for sacrificial IPs.
- export firewall and netflow logs for the attack window — export now, before ring buffers overwrite the attack period.
- record attack start and peak times in UTC — not local time, and not 'around noon'.
- pull a BGP routing table snapshot — a prefix hijack or route leak presents as a sudden traffic drop or flood and is easily mistaken for DDoS at first.
- export DNS query logs from authoritative and recursive resolvers — reflection shows up as spikes in large-response query types (ANY, TXT) and in query-to-response byte ratios; if your resolvers are open, you may be the reflector rather than the target.
- capture a pcap sample if you can do so without saturating storage — a 60-second sample at the edge is enough for signature extraction.
- identify attacking source IPs and ASNs — note whether they cluster in a few ASNs (rented VPS or cloud capacity, or a set of reflectors) or are globally distributed (consumer botnet). For UDP reflection, the sources you see are the reflectors, not the attacker, and spoofed sources cannot be attributed.
- pull your own app server error logs for the attack window — application-layer attacks target specific expensive paths (login, search, API calls), not all traffic, and the signal is in app logs, not netflow.
- notify your upstream ISP and request a filter (RTBH blackhole or flowspec rule, signalled via BGP community) if the source set is narrow enough.
- begin the primary tool path below — netflow analysis and amplification source classifier.
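The netflow step of the checklist, as an added example that is not part of the original page or any of the tools listed below: a minimal top-talker and amplification-source classifier over netflow-style records. The flow records, the reflector port table and the IP-to-ASN table are all constructed for this example (a real run would read nfdump/IPFIX exports and use a whois or pyasn lookup); the byte-per-packet threshold for TCP floods is an assumed heuristic. It reports vectors by bytes, top talkers, ASN concentration, and attack start and peak second in UTC, which are exactly the fields the checklist asks you to record.

```python
from collections import defaultdict
from datetime import datetime, timezone

# UDP services commonly abused as reflectors; reflected traffic arrives
# *from* these source ports. Table constructed for the example.
REFLECTOR_PORTS = {
    53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP",
    11211: "memcached", 19: "chargen", 161: "SNMP",
}

# Constructed prefix-to-ASN table standing in for a whois/pyasn lookup.
ASN_TABLE = {"198.51.100.": "AS64500", "203.0.113.": "AS64501"}

# Constructed netflow-style records:
# (ts_utc, src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
FLOWS = [
    ("2024-03-01T11:59:30Z", "203.0.113.51", 52000, "192.0.2.10", 443,   "tcp", 9_400,     12),
    ("2024-03-01T12:00:05Z", "198.51.100.7", 123,   "192.0.2.10", 40000, "udp", 482_000,   1_000),
    ("2024-03-01T12:00:05Z", "198.51.100.8", 123,   "192.0.2.10", 40001, "udp", 475_000,   990),
    ("2024-03-01T12:00:06Z", "203.0.113.21", 53,    "192.0.2.10", 40002, "udp", 310_000,   800),
    ("2024-03-01T12:00:07Z", "198.51.100.9", 11211, "192.0.2.10", 40003, "udp", 9_600_000, 6_500),
    ("2024-03-01T12:00:07Z", "203.0.113.22", 1900,  "192.0.2.10", 40004, "udp", 120_000,   400),
    ("2024-03-01T12:00:08Z", "203.0.113.50", 51000, "192.0.2.10", 443,   "tcp", 2_800,     4),
    ("2024-03-01T12:00:09Z", "192.0.2.77",   51234, "192.0.2.10", 443,   "tcp", 60_000,    1_000),
]

def asn_of(ip):
    """Longest-prefix-style lookup against the constructed table."""
    for prefix, asn in ASN_TABLE.items():
        if ip.startswith(prefix):
            return asn
    return "UNKNOWN"

def parse_ts(ts):
    """'2024-03-01T12:00:05Z' -> timezone-aware UTC datetime. Report UTC only."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify(flow):
    """Label a flow by attack vector. Heuristics are assumptions, not a standard."""
    _ts, _src, sport, _dst, _dport, proto, nbytes, pkts = flow
    if proto == "udp" and sport in REFLECTOR_PORTS:
        # Large UDP payloads from a well-known service port: reflected/amplified.
        # The source here is the reflector, not the attacker.
        return "amplification:" + REFLECTOR_PORTS[sport]
    if proto == "tcp" and pkts and nbytes / pkts < 80:
        # Tiny packets with no payload: SYN/ACK-style flood, not real sessions.
        return "tcp-flood"
    return "other"

def summarize(flows):
    """Top talkers, bytes per vector, ASN concentration, attack window in UTC."""
    by_vector = defaultdict(int)
    by_src = defaultdict(int)
    by_asn = defaultdict(int)
    by_second = defaultdict(int)
    attack_ts = []
    total = 0
    for flow in flows:
        ts, src, _sp, _dst, _dp, _proto, nbytes, _pkts = flow
        label = classify(flow)
        by_vector[label] += nbytes
        by_src[src] += nbytes
        by_asn[asn_of(src)] += nbytes
        when = parse_ts(ts)
        by_second[when] += nbytes
        total += nbytes
        if label != "other":
            attack_ts.append(when)
    peak = max(by_second, key=by_second.get)
    top_asn = max(by_asn, key=by_asn.get)
    return {
        "top_talkers": sorted(by_src.items(), key=lambda kv: -kv[1])[:3],
        "vectors": dict(by_vector),
        "attack_start_utc": min(attack_ts).isoformat() if attack_ts else None,
        "peak_second_utc": peak.isoformat(),
        "peak_bytes": by_second[peak],
        "top_asn": top_asn,
        # Share near 1.0 = a few ASNs (reflectors or rented capacity);
        # a low share = globally distributed botnet.
        "top_asn_share": by_asn[top_asn] / total,
    }

if __name__ == "__main__":
    for key, value in summarize(FLOWS).items():
        print(f"{key}: {value}")
```

On the constructed records the memcached reflector dominates by bytes, the peak second is 12:00:07 UTC, and AS64500 carries over 90% of attack bytes, which points at a reflector set rather than a distributed botnet. In a real run, feed the per-vector and per-ASN output into the upstream filter request, and treat the UDP "sources" as reflectors to notify, not as the attacker.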
primary tools
- 01 pcap reader: drop a .pcap or .pcapng · parse packets · filter by protocol · extract HTTP · DNS · plaintext credentials · runs locally
- 02 pcap / pcapng analyzer: drop a pcap or pcapng file · packet list · protocol breakdown · tcp stream reconstruction · dns queries · http requests · connection graph · runs locally
- 03 netflow analyzer: drop netflow v5, v9 or ipfix exports · traffic patterns · top talkers · protocol distribution · geographic connections · runs locally
- 04 PCAP network flow reconstructor: drop a pcap or pcapng file · parse all packets · reconstruct tcp and udp flows · compute flow statistics · surface top talkers, unusual ports and flow anomalies · runs locally
- 05 network flow anomaly detector: drop a pcap, pcapng or zeek conn log · apply statistical anomaly detection to network flows · surface outliers in byte count, duration, connection rate and port usage · identify scanning, exfiltration and tunneling anomalies · runs locally
- 06 tls ja3 fingerprinter: drop a pcap file · extract tls client hellos · compute ja3 fingerprints · identify known clients and malware · database of known fingerprints · runs locally
- 07 passive os fingerprinter from pcap: drop a pcap file · infer the operating system of every host from tcp/ip stack behavior · ttl values · window sizes · tcp options ordering · ip flag patterns · no active probing · identify os from existing captured traffic · runs locally
- 08 nginx / apache log analyzer: drop access.log · parse combined log format · top IPs · paths · status codes · user agents · detect scanning · brute force · 404 storms · runs locally