
Network traffic analysis for IR: Analyzing DDoS attacks

Introduction

Distributed Denial-of-Service (DDoS) attacks are one of the most powerful cyber weapons threat actors use today. We often hear about a website being “brought down by attackers,” and in most cases a DDoS attack is the cause of that outage.

A DDoS attack works by using many compromised machines as the sources of attack traffic. Each of these compromised computers is known as a bot or zombie, and together they form a botnet — a malicious network controlled by bot herders or botmasters. The DDoS attack prevents regular traffic from reaching its destination by flooding that destination with unwanted traffic, much like a traffic jam clogging up a highway.

Incident response (IR) teams working in Security Operations Centers (SOCs) perform network traffic analysis to analyze, detect and mitigate DDoS attacks. But before analyzing the network traffic, we need to understand how threat actors exploit vulnerabilities to penetrate a network.

How does a DDoS attack work?

To carry out a DDoS attack, the attacker must first gain control of a large number of Internet-connected computers. To this end, each machine is infected with malware that turns it into a zombie (or bot).

Once a botnet has been built, the attacker controls the bots, usually via a command-and-control (C2) channel. The botnet is then directed at the IP address of the target, with each bot sending a stream of packets; the combined volume exceeds the capacity of the targeted network or server, denying service to legitimate users.
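The traffic-analysis step the post describes can be illustrated with a small detector. This is an added example, not code from the original post: it parses constructed flow records (epoch time, source, destination, protocol, TCP flags, packet count) and flags a destination whose packet volume in a short window exceeds a threshold while also coming from several distinct sources, which is what separates a distributed flood from one noisy host. The record format, thresholds and window size are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): "epoch src dst proto flags packets".
# flags: S = SYN only, PA = PSH/ACK, - = non-TCP.
SAMPLE_FLOWS = """\
1700000000 10.0.0.5 203.0.113.10 TCP PA 12
1700000001 10.0.0.6 203.0.113.10 TCP PA 30
1700000005 198.51.100.1 203.0.113.10 TCP S 400
1700000005 198.51.100.2 203.0.113.10 TCP S 380
1700000006 198.51.100.3 203.0.113.10 TCP S 390
1700000007 198.51.100.4 203.0.113.10 TCP S 350
1700000007 10.0.0.5 203.0.113.10 TCP PA 20
1700000011 192.0.2.9 203.0.113.20 UDP - 2000
"""


def parse_flows(text):
    """Parse the whitespace-separated records into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6:
            ts, src, dst, proto, flags, pkts = parts
            flows.append({"ts": int(ts), "src": src, "dst": dst,
                          "proto": proto, "flags": flags, "packets": int(pkts)})
    return flows


def detect_floods(flows, window=5, pkt_threshold=1000, min_sources=3, syn_ratio=0.9):
    """Flag (dst, window) pairs whose packet volume exceeds pkt_threshold AND that
    come from at least min_sources distinct senders (one noisy host is not a DDoS).
    Thresholds are illustrative assumptions; tune them to the link's normal baseline.
    If nearly all packets are bare SYNs, the finding is labelled a SYN flood."""
    buckets = defaultdict(lambda: {"packets": 0, "syn": 0, "sources": set()})
    for f in flows:
        b = buckets[(f["dst"], f["ts"] // window * window)]
        b["packets"] += f["packets"]
        b["sources"].add(f["src"])
        if f["proto"] == "TCP" and f["flags"] == "S":
            b["syn"] += f["packets"]
    findings = []
    for (dst, start), b in sorted(buckets.items()):
        if b["packets"] < pkt_threshold or len(b["sources"]) < min_sources:
            continue  # below volume, or a single-source event: not distributed
        kind = "SYN flood" if b["syn"] / b["packets"] >= syn_ratio else "volumetric flood"
        findings.append({"dst": dst, "window_start": start, "packets": b["packets"],
                         "sources": len(b["sources"]), "kind": kind})
    return findings
```

With the sample data only the 1700000005 window toward 203.0.113.10 is reported (a SYN flood from five sources); the single UDP sender toward 203.0.113.20 is high-volume but not distributed, so it is left to a separate single-source rule.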

How dangerous can a DDoS attack be?

A DDoS attack can have devastating consequences, especially for e-commerce companies like eBay, Amazon or AliExpress — all of which rely heavily on their online availability to do business. As noted above, these attacks deny the provision of services to legitimate clients.

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Fakhar Imam. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/1zk0nIZ2O68/