DDoS Attack Log Analysis


What This Means

Detect and analyze DDoS attacks in web server and network logs. Identify volumetric floods, application-layer attacks, and slowloris patterns to protect your infrastructure.

Example Log

-- Nginx access log showing HTTP flood:
203.0.113.1 - - [08/Mar/2026:14:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.2 - - [08/Mar/2026:14:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.3 - - [08/Mar/2026:14:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
-- 50,000 requests/second from 10,000+ unique IPs
-- Server response time degraded from 50ms to 12,000ms

Indicators of Suspicious Activity

How to Investigate

  1. Compare current traffic volume against baseline (normal peak vs attack peak)
  2. Identify the attack type: volumetric (bandwidth), protocol (SYN flood), or application-layer (HTTP flood)
  3. Analyze source IP distribution — are the IPs concentrated in a specific region or globally distributed?
  4. Check if requests target a specific resource-intensive endpoint (amplification)
  5. Review server metrics: CPU, memory, bandwidth, connection count during the incident
  6. Determine if the attack is ongoing or has subsided

Recommended Mitigations

Frequently Asked Questions

What are the main types of DDoS attacks?
Three categories: Volumetric (bandwidth flooding with UDP/ICMP), Protocol (SYN floods, ping of death targeting the network stack), and Application-layer (HTTP floods, slowloris targeting web server resources). Application-layer attacks are the hardest to detect.
How do I distinguish DDoS from a legitimate traffic spike?
DDoS traffic typically shows: identical request patterns, unusual geographic distribution, uniform User-Agent strings, no session cookies or referrer headers, and requests that do not follow normal user browsing behavior.
Can I stop a DDoS attack with just a firewall?
Traditional firewalls cannot stop large-scale DDoS because the volume overwhelms the network connection before reaching the firewall. You need upstream DDoS mitigation (CDN, scrubbing service, ISP-level filtering).
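To put the investigation steps above and the FAQ's list of DDoS traffic characteristics into practice, here is an added Python example (not code from this page or its scan tool) that parses nginx combined-format access lines and scores a log window against those indicators: peak request rate versus baseline, uniform User-Agent, missing Referer, and a single targeted path. The sample log lines, the baseline rate and the thresholds are constructed assumptions.

```python
import re
from collections import Counter

# Constructed nginx combined-format access lines (sample data, not from a real server):
# six flood-style requests as on the page, plus one ordinary visitor for contrast.
SAMPLE_LOG = """\
203.0.113.1 - - [08/Mar/2026:14:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.2 - - [08/Mar/2026:14:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.3 - - [08/Mar/2026:14:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.4 - - [08/Mar/2026:14:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Mar/2026:14:00:02 +0000] "GET /about HTTP/1.1" 200 2211 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
203.0.113.5 - - [08/Mar/2026:14:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.6 - - [08/Mar/2026:14:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, never guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def assess(text, baseline_rps, rps_factor=10.0, uniform_share=0.8):
    """Score a log window against the DDoS indicators from the page.
    baseline_rps is the site's normal peak requests/second (assumed, supplied by the analyst)."""
    recs = list(parse_log(text))
    if not recs:
        return {"requests": 0, "verdict": "no data"}
    n = len(recs)
    peak_rps = max(Counter(r["ts"] for r in recs).values())  # timestamps have 1 s resolution
    top_ua_share = Counter(r["ua"] for r in recs).most_common(1)[0][1] / n
    top_path_share = Counter(r["path"] for r in recs).most_common(1)[0][1] / n
    no_referer_share = sum(r["referer"] == "-" for r in recs) / n
    findings = []
    if peak_rps >= rps_factor * baseline_rps:
        findings.append(f"peak {peak_rps} req/s is {peak_rps / baseline_rps:.0f}x baseline")
    if top_ua_share >= uniform_share:
        findings.append(f"{top_ua_share:.0%} of requests share one User-Agent")
    if no_referer_share >= uniform_share:
        findings.append(f"{no_referer_share:.0%} of requests carry no Referer")
    if top_path_share >= uniform_share:
        findings.append(f"{top_path_share:.0%} of requests hit one path")
    # Volume alone can be a legitimate spike; volume plus uniformity is the flood signature.
    verdict = "likely HTTP flood" if len(findings) >= 3 else "spike, inspect manually"
    return {"requests": n, "unique_ips": len({r["ip"] for r in recs}),
            "peak_rps": peak_rps, "findings": findings, "verdict": verdict}

if __name__ == "__main__":
    print(assess(SAMPLE_LOG, baseline_rps=0.2))
```

Feed it a real access log and your own baseline; the thresholds are starting points to tune against the "normal peak" from step 1.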