Page 14 - Cyber Warnings

Those raw NetFlow details sure are useful, because there is in fact a huge increase in the
number of unique source IP addresses sending traffic to particular destination IPs. This tells us
that we’re not looking at a large file transfer from a single machine, but at a highly distributed set
of senders. Botnet much?



Who’s Getting Hammered?


The next step is to determine which IP or IPs are getting all this (probably unwanted) traffic from
14,000 or so individual host IPs.
The ability to dig into high volumes of host-level NetFlow details again proves its utility. We can
see that the main target is a solitary destination IP address: 10.10.10.1 (actual address
anonymized to protect the victim). There’s really only one likely explanation for traffic from
thousands of hosts in a country with which you have no business dealings, to a single IP, that
suddenly spikes from nearly nothing to more than 1 Gbps: this is a DDoS attack. Note that this
isn’t a mega attack, but it can still cause real problems for whatever is running on that individual
host, and for anything else that depends on it. If it’s your DNS server, it might make it impossible
for lots of other servers and applications to function.


Going Deeper



Now that we know it’s a DDoS attack, we shouldn’t stop there: what if the attack is also coming
from countries other than China? We pivot our analysis again to widen our lens.
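The two pivots described above (finding which destination is being hammered by thousands of distinct senders, then breaking those senders down by country) can be reproduced on raw flow records with a few dozen lines of Python. The script below is an added example, not code from the article or from any NetFlow product; it works on a constructed, scaled-down set of flow tuples (minute, source IP, source country, destination IP, bytes) that stands in for exported NetFlow. The field layout, the 60-second window, the 198.18.0.0/15 addresses used as synthetic attacker space and the thresholds in find_hammered are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address

# Each record is (minute, src_ip, src_country, dst_ip, bytes).
# This is a simplified stand-in for NetFlow export fields; it is constructed
# sample data, not flows from the article.
def build_sample_flows():
    flows = []
    # Minute 0 (baseline): 20 ordinary senders talking to two internal servers.
    for i in range(20):
        flows.append((0, f"192.0.2.{i + 1}", "US", "10.10.10.1", 500))
        flows.append((0, f"192.0.2.{i + 1}", "US", "10.10.10.2", 800))
    # Minute 1 (attack): 3000 distinct sources, mostly from one country,
    # all aimed at 10.10.10.1. 198.18.0.0/15 is a benchmarking range,
    # used here purely as synthetic attacker address space.
    base = ip_address("198.18.0.0")
    for i in range(3000):
        country = "CN" if i % 10 != 0 else "RU"
        flows.append((1, str(base + i), country, "10.10.10.1", 30000))
    # Normal traffic to the second server continues unchanged.
    for i in range(20):
        flows.append((1, f"192.0.2.{i + 1}", "US", "10.10.10.2", 800))
    return flows


def unique_senders(flows, minute):
    """Number of distinct source IPs per destination within one minute."""
    senders = defaultdict(set)
    for m, src, _, dst, _ in flows:
        if m == minute:
            senders[dst].add(src)
    return {dst: len(s) for dst, s in senders.items()}


def mbps(flows, minute, window_seconds=60):
    """Average inbound rate per destination in Mbit/s over the window."""
    total = defaultdict(int)
    for m, _, _, dst, nbytes in flows:
        if m == minute:
            total[dst] += nbytes
    return {dst: b * 8 / window_seconds / 1e6 for dst, b in total.items()}


def find_hammered(flows, baseline_minute, current_minute,
                  min_senders=1000, min_ratio=10.0):
    """Destinations whose distinct-sender count jumped sharply vs. baseline.

    Both thresholds are assumptions for the example; tune them to your
    own baseline. Returns (dst, unique_senders, mbps) sorted by senders.
    """
    before = unique_senders(flows, baseline_minute)
    now = unique_senders(flows, current_minute)
    rate = mbps(flows, current_minute)
    hits = []
    for dst, n in now.items():
        prev = before.get(dst, 0)
        ratio = n / prev if prev else float("inf")
        if n >= min_senders and ratio >= min_ratio:
            hits.append((dst, n, round(rate[dst], 2)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def country_breakdown(flows, minute, dst):
    """Distinct senders per source country for one destination, largest first.

    This is the 'widen the lens' pivot: it shows whether the flood comes
    from a single country or from several.
    """
    by_country = defaultdict(set)
    for m, src, cc, d, _ in flows:
        if m == minute and d == dst:
            by_country[cc].add(src)
    ordered = sorted(by_country.items(), key=lambda kv: -len(kv[1]))
    return {cc: len(s) for cc, s in ordered}


if __name__ == "__main__":
    flows = build_sample_flows()
    for dst, n, rate in find_hammered(flows, baseline_minute=0, current_minute=1):
        print(f"{dst}: {n} distinct senders, {rate} Mbit/s")
        for cc, count in country_breakdown(flows, 1, dst).items():
            print(f"  {cc}: {count} senders")
```

Running it flags 10.10.10.1 alone, with its sender count up 150x over the baseline minute, and the country pivot shows the flood is not purely from one country, which is exactly the question the text says to ask before stopping the investigation. On real data, replace build_sample_flows with a reader for your collector's export (the aggregation functions only need the five fields above), and compare against a baseline window long enough to capture normal variation rather than a single quiet minute.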





14 Cyber Warnings E-Magazine – August 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide