Analyzing nginx webserver logs to detect a DDoS attack

Tags: ddos, log-files

I recently experienced a DDoS attack. How do I analyze nginx webserver logs from that time window to detect what kind of DDoS it was? I'm using Microsoft Azure infrastructure (in case it matters).

I understand that log analysis tools like Loggly can be used. But I can't upload log files to that in order to analyze them – I need to instead connect the service to my live server and it gives me an analysis dashboard to use.

Best Answer

Well, only one of those types would even show up in your Nginx logs.

First, if it's a true DDoS, you likely have zero ability to do anything about it. Once the traffic hits your server, even if it's blocked at a firewall or throttled in your webserver, the traffic is already consuming your network bandwidth, and you can do nothing about it. Thus, it needs to be blocked "upstream", in the routing gear servicing your server.

To answer your question (from your comment), your webserver is an "application", running at OSI layer 7. It logs HTTP-level things but knows nothing about the network layers below 7. In your list of DDoS types, all of the rest other than "application level attacks" happen at lower levels of your network stack than nginx, so you'll need to look elsewhere for information on those types of attacks.

It's likely that there are no logs on your server that will give you any indication of the nature of the attack unless you'd previously configured such logs in advance of the attack. Right now, the best you can do is prepare for the next time it happens, to ensure you have the right tools in your toolbox, and that your network provider is ready to mitigate from their end.
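For the one case the answer says does show up in nginx logs (an application-layer flood), here is an offline way to profile a saved access log, as an added example that is not part of the question or answer: it buckets combined-format lines into fixed time windows and reports the busiest window's request count, client spread, targeted paths and User-Agent diversity. The log lines are constructed, and the window size and threshold are assumed values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# nginx "combined" access_log format (the default log_format)
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyze(lines, window_s=10, threshold=50):
    """Group requests into window_s-second buckets and profile the busiest one."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            epoch = int(rec["ts"].timestamp())
            buckets[epoch - epoch % window_s].append(rec)
    if not buckets:
        return None
    start, recs = max(buckets.items(), key=lambda kv: len(kv[1]))
    return {
        "window_start": start,
        "requests": len(recs),
        "flood": len(recs) >= threshold,          # assumed threshold per window
        "distinct_ips": len({r["ip"] for r in recs}),  # few IPs = single-source, many = distributed
        "top_ips": Counter(r["ip"] for r in recs).most_common(3),
        "top_paths": Counter(r["path"] for r in recs).most_common(3),
        "distinct_uas": len({r["ua"] for r in recs}),  # one UA across many IPs hints at a tool
    }

def _mk(ip, ts, path, ua="Mozilla/5.0"):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample: two normal requests, then 60 requests from 4 IPs inside one 10s window
SAMPLE_LOG = [_mk("10.0.0.5", "10/Mar/2024:12:00:01 +0000", "/index.html"),
              _mk("10.0.0.6", "10/Mar/2024:12:00:04 +0000", "/about")]
SAMPLE_LOG += [_mk(f"203.0.113.{i % 4}", f"10/Mar/2024:12:05:{10 + i % 10:02d} +0000",
                   "/search?q=x", ua="python-requests/2.31") for i in range(60)]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run it against a real access log with `analyze(open("access.log").readlines())`; the busiest window's profile tells you whether the spike was a handful of clients hammering one endpoint or a wide, mixed-UA distribution.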