Network traffic analysis for IR: DDoS attack analysis
Distributed Denial of Service (DDoS) attacks are among the most powerful weapons in an attacker's arsenal today. We often hear that a website was "taken down by attackers", and in most such cases a DDoS attack is the cause of the outage.
A DDoS attack uses many compromised machines as sources of attack traffic. Each compromised computer is known as a bot or zombie; together they form a botnet, a malicious network controlled by bot herders or botmasters. The DDoS attack prevents regular traffic from reaching its destination by flooding the target with unwanted traffic, much like a traffic jam blocking a freeway.
Incident Response (IR) teams working in Security Operations Centers (SOCs) perform network traffic analysis to detect, analyze and mitigate DDoS attacks. But before we analyze network traffic, we need to understand how threat actors compromise machines and use them to carry out such an attack.
How does a DDoS attack work?
To carry out a DDoS attack, the attacker must first take control of a large number of Internet-connected computers. Each machine is infected with malware that turns it into a zombie (or bot).
Once the botnet is built, the attacker controls the bots through a command and control (C2) channel. On the attacker's instruction, every bot sends a stream of packets to the target's IP address; the combined flood overwhelms the targeted network or server, resulting in denial of service to legitimate users.
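The traffic pattern just described, many sources converging on one destination at a rate far above normal, is also what an IR analyst looks for in flow or connection logs. The script below is an added example, not code from the original article: it buckets flow records into one-second windows per destination, computes packets per second, counts distinct sources and measures the share of SYN-only TCP flows, then labels each destination as normal, a single-source DoS or a distributed attack. The record format (timestamp, source, destination, port, protocol, TCP flags, packet count) is a simplified, assumed layout modelled on NetFlow/Zeek conn-style exports, and all traffic in `build_sample()` is constructed for the demonstration; the thresholds are illustrative and must be tuned to a real network's baseline.

```python
"""Flag volumetric (D)DoS traffic in flow records.

Added example, not from the original article. Record format is an
assumed simplification:  ts src_ip dst_ip dst_port proto tcp_flags packets
All sample traffic below is constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    flags: str      # TCP flag letters, e.g. "S" = SYN only, "SA" = SYN+ACK seen
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record (assumed format)."""
    ts, src, dst, dport, proto, flags, pkts = line.split()
    return Flow(float(ts), src, dst, int(dport), proto, flags, int(pkts))


def build_sample() -> list[str]:
    """Constructed sample: roughly one second of traffic, three destinations."""
    lines = []
    # Benign: five clients completing TCP handshakes with 192.0.2.20:443
    for i in range(5):
        lines.append(f"1700000000.{i:03d} 198.51.100.{i + 1} 192.0.2.20 443 tcp SA 12")
    # Botnet flood: 60 bots, each firing 40 SYN-only packets at 192.0.2.10:443
    for b in range(60):
        ts = 1700000000.0 + b / 60.0
        lines.append(f"{ts:.3f} 203.0.113.{b + 1} 192.0.2.10 443 tcp S 40")
    # Single-source flood: one host hammering 192.0.2.30:80
    lines.append("1700000000.500 203.0.113.200 192.0.2.30 80 tcp S 3000")
    return lines


def analyze(flows, window=1.0, pps_threshold=1000, min_sources=10, syn_ratio=0.8):
    """Classify each destination by its busiest window.

    Thresholds are illustrative assumptions: tune pps_threshold and
    min_sources against the baseline of the network being monitored.
    """
    buckets = defaultdict(list)                       # (dst, window idx) -> flows
    for f in flows:
        buckets[(f.dst, int(f.ts // window))].append(f)

    verdicts = {}
    for (dst, _), fl in buckets.items():
        pkts = sum(f.packets for f in fl)
        pps = pkts / window
        sources = {f.src for f in fl}
        syn_only = sum(f.packets for f in fl if f.proto == "tcp" and f.flags == "S")
        ratio = syn_only / pkts if pkts else 0.0

        if pps < pps_threshold:
            label = "normal"
        elif len(sources) >= min_sources:
            label = "ddos"                            # many sources: distributed
        else:
            label = "dos"                             # one or few sources
        if label != "normal" and ratio >= syn_ratio:
            label += "-syn-flood"                     # handshake never completes

        result = {"label": label, "pps": pps, "sources": len(sources),
                  "syn_ratio": round(ratio, 3)}
        # Keep the worst window seen for this destination
        if dst not in verdicts or pps > verdicts[dst]["pps"]:
            verdicts[dst] = result
    return verdicts


def top_sources(flows, dst, n=5):
    """Heaviest senders toward dst, the starting point for a blocklist or rate limit."""
    counts = defaultdict(int)
    for f in flows:
        if f.dst == dst:
            counts[f.src] += f.packets
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    flows = [parse_flow(line) for line in build_sample()]
    for dst, v in analyze(flows).items():
        print(dst, v)
    print("top sources for 192.0.2.10:", top_sources(flows, "192.0.2.10"))
```

Distinguishing "dos" from "ddos" matters operationally: a single-source flood can be dropped with one ACL entry, while a distributed SYN flood from tens of thousands of bots calls for SYN cookies, upstream scrubbing or rate limiting rather than per-source blocking.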
How dangerous can a DDoS attack be?
A DDoS attack can have devastating consequences, especially for e-commerce companies such as eBay, Amazon or AliExpress, all of which rely heavily on online availability to do business. As noted above, these attacks prevent services from being delivered to legitimate customers.