Powershell function/tool to get IPs from HTTPErr logs based on frequency
Public-facing web sites are increasingly getting exposed to distributed denial of service attacks. This tool is a link in a chain of measures to detect and mitigate DDOS. It can be downloaded from the Microsoft Script Center Repository. It analyses one or more HTTPErr log files and compiles a list of IPs that appear more than a given number of times in any one file. That number is 500 by default. These log files are located under C:\Windows\System32\LogFiles\HTTPERR by default.
To use this script, download it, adjust your PS execution policy as needed, unblock it, run it to load the function, and then use it from a controller script.
Sample usage and output:
Get-IPsFromLogs -Logs (Get-ChildItem -Path D:\Docs\EG\Sample).FullName -Verbose | FT -AutoSize
This example will parse each file in the D:\Docs\EG\Sample folder and output a master list of IPs that appeared more than 500 times in any file.
Output can be saved to CSV for archiving or further processing:
Get-IPsFromLogs -Logs (Get-ChildItem -Path D:\Docs\EG\Sample).FullName |
Export-Csv D:\Docs\EG\BlockList.csv -NoType
and the resulting CSV file:
Get-IPsFromLogs -Logs (Get-ChildItem -Path D:\Docs\EG\Sample).FullName -Threshold 400 -Verbose | FT -AutoSize
Using the same log files, lowering the threshold to 400 captured one additional IP address.
Lowering the threshold too much will increase the likelihood of false positives, where you’re capturing IPs that are not part of the DDOS attack.
Raising the threshold too much will result in failure to capture IPs that are participating in the DDOS attack.
One approach is to start with a high threshold, add the resulting IPs to the firewall block list (subject of future posts), and see if that mitigates the attack. If not, lower the threshold a bit and run the function again to capture more IPs. Repeat until the DDOS is mitigated.
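To make the threshold behaviour concrete, here is an added example of a minimal Get-IPsFromLogs written for this post; it is not the Script Center tool's code. It assumes the standard HTTPERR layout, where the client IP (c-ip) is the third space-separated field and lines beginning with # are W3C header lines, counts that field per file, and reports any IP whose count in a single file exceeds -Threshold (500 by default, matching the post). The sample log it writes to $env:TEMP is constructed for a dry run and is not real traffic; the IPs in it are documentation ranges.

```powershell
# Added example (not the Script Center tool): count client IPs in HTTPERR logs
# and return those that exceed the threshold in any single file.
function Get-IPsFromLogs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Logs,

        # Report an IP only if it appears MORE than this many times in one file.
        [int]$Threshold = 500
    )

    # Master list keyed by IP; keeps the highest per-file count seen for that IP.
    $master = @{}

    foreach ($log in $Logs) {
        # Resolve through the provider so relative paths behave like PowerShell expects.
        $path = (Resolve-Path -Path $log).ProviderPath
        Write-Verbose "Parsing $path"
        $counts = @{}

        foreach ($line in [System.IO.File]::ReadLines($path)) {
            # Skip W3C header/comment lines (#Software, #Fields, ...) and blanks.
            if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }

            $fields = $line.Split(' ')
            if ($fields.Count -lt 3) { continue }

            # Assumption: field 3 is c-ip, as in the default HTTPERR #Fields header.
            $ip = $fields[2]
            $parsed = $null
            # Keep only real IPv4/IPv6 literals; a malformed line should not become a "host".
            if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) { continue }

            $counts[$ip] = [int]$counts[$ip] + 1
        }

        foreach ($entry in $counts.GetEnumerator()) {
            if ($entry.Value -le $Threshold) { continue }
            Write-Verbose ("  {0} seen {1} times in {2}" -f $entry.Key, $entry.Value, $path)

            $existing = $master[$entry.Key]
            if ($null -eq $existing -or $entry.Value -gt $existing.Count) {
                $master[$entry.Key] = [pscustomobject]@{
                    IP      = $entry.Key
                    Count   = $entry.Value
                    LogFile = $path
                }
            }
        }
    }

    $master.Values | Sort-Object -Property Count -Descending
}

# Constructed sample log for a local dry run (not real traffic): three entries
# from one address and one from another, with the usual HTTPERR header lines.
$sample = Join-Path -Path $env:TEMP -ChildPath 'httperr-sample.log'
@'
#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri streamid sq-status s-siteid s-reason s-queuename
2024-01-01 00:00:01 203.0.113.10 51001 192.0.2.5 80 - - - - - - Timer_ConnectionIdle -
2024-01-01 00:00:02 203.0.113.10 51002 192.0.2.5 80 - - - - - - Timer_ConnectionIdle -
2024-01-01 00:00:03 203.0.113.10 51003 192.0.2.5 80 - - - - - - Timer_ConnectionIdle -
2024-01-01 00:00:04 198.51.100.7 51004 192.0.2.5 80 - - - - - - Timer_ConnectionIdle -
'@ | Set-Content -Path $sample

# A threshold of 2 on this tiny sample shows the "more than N in one file" rule;
# against real logs leave -Threshold at its default and lower it step by step.
Get-IPsFromLogs -Logs $sample -Threshold 2 -Verbose | Format-Table -AutoSize
```

Because the function emits objects with IP, Count and LogFile properties, the same pipeline patterns shown above apply: pipe to Format-Table -AutoSize for review, or to Export-Csv to archive a block list. The Count column is what you watch when tuning: an IP that only just clears the threshold after you lower it deserves a closer look before it goes into a firewall rule.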