Welcome, fellow defender. This script transforms the tedious process of rooting out malicious traffic into a streamlined, automated investigation tool for Plesk servers. It collects, filters, and reports on HTTP logs across multiple virtual hosts — with optional reputation checks via AbuseIPDB.
- Current Version: v1.1.1 — Production Ready
- Security: Strict mode (`set -euo pipefail`), secure temp dirs (`mktemp`), no `eval`
- Test Coverage: 100% (61/61 tests passing)
- Performance: Zero-copy log streaming, snapshot-based connection monitoring
- Live Connection Monitoring: Tracks ESTABLISHED, SYN_RECV, and TIME_WAIT states via `ss` snapshots
- SYN-Flood Detection: Automatic alerting when SYN_RECV counts exceed configurable thresholds
- Target IP Identification: Identifies specific server IPs under attack in multi-IP environments
- Domain Load Tracking: Live log tailing to identify most-targeted domains as attacks unfold
- Forensic Investigation: Extracts entries for a given attack date across all virtual hosts
- Zero-Copy Streaming: Direct log analysis from gzip/plain text sources — ~90% faster than copy-based approaches
- IP Reputation: Optional AbuseIPDB integration for automated scoring (Python 3 native parser)
- Domain-to-IP Correlation: Detailed reports showing precisely which domains each IP targeted
- Baseline Anomaly Detection: Flags spikes using configurable thresholds (default: 200% above baseline)
- Attack Windows: Precisely identifies start, peak, and recovery times for an incident
- CSV Export: Generate actionable metrics for spreadsheets and stakeholder reports
- Dry-Run Mode: Preview every action before execution
- Dual-Stack Support: Full IPv4 and IPv6 compatibility including internal range filtering
- Portable: Works across Linux distributions with minimal dependencies
- OS: Linux (tested on Ubuntu, Debian, RHEL, CentOS)
- Permissions: Root access required (system logs and network state)
- Utilities: `bash`, `grep`, `find`, `curl`, `python3` (AbuseIPDB), `ss` (real-time mode), `awk` (hourly analysis)
```bash
# Make executable
chmod +x ddos-analysis.sh

# Post-mortem analysis (interactive)
sudo ./ddos-analysis.sh --log-days 3

# Real-time monitoring
sudo ./ddos-analysis.sh --real-time --refresh-rate 2

# With IP reputation lookup
export ABUSEIPDB_API_KEY="your_api_key_here"
sudo ./ddos-analysis.sh --with-abuseipdb-query
```

| Flag | Purpose |
|---|---|
| `-d, --dry-run` | Preview actions without modification |
| `-l, --log-days DAYS` | Time window for log collection (default: 3) |
| `--date DATE` | Specify attack date (e.g. 15/Jan/2026) for non-interactive use |
| `--target-ip IP` | Filter investigation to a specific server IP |
| `--no-cleanup` | Retain timestamped investigation directory on exit |
| `--baseline-threshold %` | Sensitivity for hourly anomaly detection (default: 200) |
| `--export-csv` | Export hourly analysis to CSV |
```bash
# Non-interactive post-mortem with reputation lookup
./ddos-analysis.sh --date "15/Jan/2026" --target-ip "203.0.113.5" --with-abuseipdb-query

# High-sensitivity real-time monitoring
./ddos-analysis.sh --real-time --syn-threshold 100 --refresh-rate 1
```

- Uses `ss` to track ESTABLISHED and SYN_RECV connection counts
- Alerts when SYN_RECV threshold is exceeded
- Ranks source IPs by active connection count
- Shows which server IPs are receiving the attack
- Tails recent access logs to identify most-targeted domains

- Creates secure working directory under `/tmp/ddos_investigation_<random>`
- Streams `access*` files from all vhost directories
- Filters entries by specified attack date
- Counts and sorts top IPs; runs optional AbuseIPDB lookup
- Maps each IP to the domains it targeted
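The post-mortem pipeline above, as an added example that is not part of ddos-analysis.sh: a small POSIX shell version that streams `access*` files in place (plain or gzipped), keeps one attack date, and produces the top-IP and domain-to-IP reports. The vhost root, domain names, IPs and log lines are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not the script's own code. Paths and log lines below are
# constructed to mirror Plesk's /var/www/vhosts/<domain>/logs/ layout.
set -eu

# Build the constructed vhost tree: one plain log and one rotated .gz log.
setup_demo_logs() {
  root="$1"
  mkdir -p "$root/example.com/logs" "$root/example.net/logs"
  cat > "$root/example.com/logs/access_log" <<'EOF'
203.0.113.5 - - [15/Jan/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.5 - - [15/Jan/2026:10:01:03 +0000] "GET /wp-login.php HTTP/1.1" 200 1024
198.51.100.7 - - [14/Jan/2026:23:59:59 +0000] "GET / HTTP/1.1" 200 512
EOF
  printf '%s\n' \
    '203.0.113.5 - - [15/Jan/2026:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0' \
    '198.51.100.7 - - [15/Jan/2026:10:02:01 +0000] "GET / HTTP/1.1" 200 512' \
    | gzip > "$root/example.net/logs/access_log.1.gz"
}

# Zero-copy stream: read every access* file where it lies (zcat for .gz) and
# prefix each line with the vhost domain taken from the directory name.
stream_access_logs() {
  find "$1" -path '*/logs/access*' -type f | while IFS= read -r f; do
    domain=$(basename "$(dirname "$(dirname "$f")")")
    case "$f" in
      *.gz) zcat "$f" ;;
      *)    cat "$f" ;;
    esac | awk -v d="$domain" '{ print d " " $0 }'
  done
}

# Top source IPs for one attack date (e.g. 15/Jan/2026): "<count> <ip>" lines.
top_ips_for_date() {          # $1 = vhost root, $2 = date, $3 = how many
  stream_access_logs "$1" | grep -F "[$2:" | awk '{ print $2 }' \
    | sort | uniq -c | sort -rn | head -n "$3"
}

# Domains one IP targeted on that date: "<count> <domain>" lines.
domains_for_ip() {            # $1 = vhost root, $2 = date, $3 = IP
  stream_access_logs "$1" | grep -F "[$2:" \
    | awk -v ip="$3" '$2 == ip { print $1 }' | sort | uniq -c | sort -rn
}

# Demo run against the constructed logs in a secure temp directory.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
setup_demo_logs "$ROOT"
echo "Top IPs on 15/Jan/2026:";     top_ips_for_date "$ROOT" 15/Jan/2026 5
echo "Domains hit by 203.0.113.5:"; domains_for_ip "$ROOT" 15/Jan/2026 203.0.113.5
```

The date filter matches the `[DD/Mon/YYYY:` prefix of the Apache timestamp, so entries from the neighbouring day (the 14/Jan line above) are excluded even when they sit in the same file.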
| Problem | Fix |
|---|---|
| Permission denied | Run with sudo |
| `ss` not found | Install iproute2 |
| AbuseIPDB errors | Verify ABUSEIPDB_API_KEY is set and python3 is available |
- ROADMAP.md — development history and planned phases
- CHANGELOG.md — release history
- Apache License 2.0
- Plesk KB Article #12377282594199 — related knowledge base reference