Skip to content

Instantly share code, notes, and snippets.

@KoeSystems

KoeSystems/ddos_discovery.md

Last active February 16, 2021 20:06
Show Gist options
  • Save KoeSystems/37d0560cfa6eb02163cf1a5ebf5bfa9f to your computer and use it in GitHub Desktop.
Save KoeSystems/37d0560cfa6eb02163cf1a5ebf5bfa9f to your computer and use it in GitHub Desktop.
Download ZIP
DDoS origin discovery
Raw
ddos_discovery.md

Caveats!! a human brain must be used !!!

First, get ALL your access IPs from your HTTP server

cut -d' ' -f1 /var/log/nginx/access.log | sort | uniq > /tmp/all_ips

Now we can use a docker image to have the IPtoASN API https://iptoasn.com/ running locally

docker run -itd --name my-iptoasn -p 80:53661 ilyaglow/iptoasn-webservice

You can test your own IPtoASN with

curl http://127.0.0.1/v1/as/ip/8.8.8.8
{"announced":true,"as_country_code":"US","as_description":"GOOGLE - Google LLC","as_number":15169,"first_ip":"8.8.8.0","ip":"8.8.8.8","last_ip":"8.8.8.255"}

Now just iterate to get wonderful jsons for each IP.

for i in `cat /tmp/all_ips`; do curl -s http://127.0.0.1/v1/as/ip/$i >> /tmp/ip_origin.txt ; echo "" >> /tmp/ip_origin.txt ; done

With this you can run some statistics and determine what are the IPs used with DDoS

cut -d',' -f3 /tmp/ip_origin.txt | sort | uniq -c | sort -nk1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment