Visibility into a Real DDoS attack

•

1 like•749 views

This presentation describes a real DDoS attack and how an IntruGuard appliance gives you visibility into the attack by analyzing it further.

Technology

Hemant Jain’s Visibility into a Real Distributed Denial of Service (DDoS) Attack

Key Points to Note ,[object Object],[object Object]

Overall View Over a Month These two graphs here depict the daily traffic over a month’s period in terms of packet rate and Mbps respectively. The upper half is outbound traffic and the lower half (in negative) is the inbound traffic. You can see two peaks which correspond to two large inbound attacks. The purpose of the appliance is to maintain the normal traffic and only pass what’s legitimate. That’s what it is doing here by dropping the excess packets (shown as white ear under the maroon lines). What’s being allowed is the blue area.

View of another link This graph shows the second link on the same device. This link has larger and continuous attacks over the month’s period. As you can see the appliance maintains the normal behavior and drops excessive packets. This maroon line shows what’s incoming and the blue and green lines show what gets out of the appliance after DDoS mitigation based on behavioral analysis. The white envelope is the attack that’s getting dropped.

Tabular Form Data For The Links Note: Port 2 and Aux 2 here are connected to the Internet and Port 1 and Aux 1 are connected to the LAN side. If the attack ingresses on Port 2 and Aux 2, what gets forwarded on Port 1 Egress and Aux 1 Egress is the filtered traffic. DDoS mitigation (1) = Port 2 Ingress – Port 1 Egress DDoS mitigation (2) = Aux 2 Ingress – Aux 1 Egress

Aggregate Drop Traffic This graph shows the aggregate dropped traffic and gives you visibility into excess traffic that’s getting flitered by the appliance. Packets are dropped due to multiple reasons and are shown in different colors. These are drilled down further in subsequent graphs on subsequent pages.

Top Attacks and Top Attacker Reports IntruGuard appliances give you a visibility into the Top Attacks, Top Attackers, Top Attacked Destinations, etc. for the last 1 hour, 1 day, 1 week, 1 month, 1 Year. These IPs are obfuscated.

Packets Dropped at Layer 3 This graph shows the dropped traffic due to certain Layer 3 reasons which are shown in the table below.

Packets Dropped at Layer 4 This graph shows the dropped traffic due to certain Layer 4 reasons which are shown in the table below. More than 1 billion packets were dropped due to SYN flood during this period. And over 58 million packets dropped due to few specific IPs sending too many SYN packets/second.

Packets Dropped at Layer 7 This graph shows the dropped traffic due to certain Layer 7 reasons which are shown in the table below. IntruGuard appliances monitor HTTP opcodes, URLs and anomalies and can pinpoint the excessses in any one of the dimensions.

Count of Unique Sources This graph gives you a visibility into count of unique sources coming to your network. As you can see here, there is a large peak during Week 21 which corresponds to an attack. The number of unique sources almost reached 1 million. These could be spoofed IP addresses too.

Number of Established TCP Connections This graph shows the number of established TCP connections. Since there is no obvious peak here, and the previous graph of count of unique sources had a large peak, it means the attackers were primarily spoofed IPs.

Concurrent Connections/Source This graph shows the number of established TCP connections that any single source made. The appliance monitors up to 1 million sources. These are clipped to a certain threshold based on past behavior.

Conclusion ,[object Object],[object Object],[object Object]

For More Information ,[object Object],[object Object],[object Object],[object Object],[object Object]

Similar to Visibility into a Real DDoS attack

Assingment 4 - DDos

Jeewanthi Fernando

The Internet Threat Monitoring (ITM) is an efficient monitoring system used globally to measure, detect, characterize and track threats such as denial of service (DoS) and distributed Denial of Service (DDoS) attacks and worms. . To block the monitoring system in the internet the attackers are targeted the ITM system. In this paper we address the flooding attack of DDoS against ITM monitors to exhaust the network resources, such as bandwidth, computing power, or operating system data structures by sending the malicious traffic. We propose an information-theoretic frame work that models the flooding attacks using Botnet on ITM. One possible way to counter DDoS attacks is to trace the attack sources and punish the perpetrators. we propose a novel traceback method for DDoS using Honeypots. IP tracing through honeypot is a single packet tracing method and is more efficient than commonly used packet marking techniques.

IP Traceback for Flooding attacks on Internet Threat Monitors (ITM ) Using Ho...

IJNSA Journal

A Survey on Black Hole & Gray Hole Attacks Detection Scheme for Vehicular Ad-...

IRJET Journal

International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.

Aw36294299

IJERA Editor

RSA - Behind the scenes of a fake token mobile app operation

juan_h

2015-cloud-security-report-q2

Gaurav Ahluwalia

Imperva's ADC analyzed real-world traffic from sixty Web applications in order to identify attack patterns. The report demonstrates that, across a community of Web applications, early identification of attack sources and attack payloads can significantly improve the effectiveness of application security. Furthermore, it reduces the cost of decision making with respect to attack traffic across the community. Here's how, based on the traffic analyzed by the ADC: (1) multiple target SQL attackers generated nearly 6x their share of the population (2) multiple target comment spam attackers generated 4.3x their share of the population (3) multiple target RFI attackers generated 1.7x their share of the population (this amounted to 73% of total attacks).

The Value of Shared Threat Intelligence

Imperva

Distributed denial of service (DDoS) attacks the target service providers by sending a huge amount of traffic to prevent legitimate users from getting the service. These attacks become more challenging in the software-defined network paradigm, due to the separation of the control plane from the data plane. Centralized software defined networks are more vulnerable to DDoS attacks that may cause the failure of all networks. In this work, a new approach is proposed based on q-learning to enhance the detection of DDoS attacks and reduce false positives and false negatives. The results of this work are compared with entropy detection in terms of the number of received packets to detect the attack and also the continuity of service for legitimate users. Moreover, these results indicate that the proposed system detects the DDoS attack from flash crowds and redirects the traffic to the edge of the data center. A second controller is used to redirect traffic to a honeypot server that works as a mirror server. This guarantees the continuity of service for both normal and suspected traffic until further analysis is done. The results indicate an increase of up to 50% in the throughput compared to other approaches.

Q-learning based distributed denial of service detection

IJECEIAES

Icimt 2010 procediing rp118 vol.2 d10122

Gulshan Shrivastava

In this paper I will highlight a modus operandi of hackers launching Denial of Service (DoS) cyberattacks. I will theoretically show how CAM Overflow and TCP SYN Flood attacks can be performed, using Kali Linux, a Linux distribution used by cyber criminals to launch MitM (Man-in-the-Middle) attacks, DoS attacks, observing traffic in a computer network, etc. Hackers can affect the functioning of devices on an organization’s local network (server, router, switch, etc.) by sending thousands of packets per second to the target device. CAM Overflow is an attack where a hacker aims to overcrowd the CAM table of a switch with MAC addresses, and TCP SYN Flood is an attack that can be launched against a server in the computer network. INTELLIGENCE INFO, Vol. 1, Nr. 1, Septembrie 2022, pp. 125-130 ISSN 2821 – 8159, ISSN – L 2821 – 8159, DOI: 10.58679/II52272 URL: https://www.intelligenceinfo.org/the-impact-of-dos-denial-of-service-cyberattacks-on-a-local-area-network-lan/

The impact of DoS (Denial of Service) cyberattacks on a Local Area Network (LAN)

Nicolae Sfetcu

1716 1719

Editor IJARCET

1716 1719

Editor IJARCET

Fortinet_FortiDDoS_Introduction

swang2010

1766 1770

Editor IJARCET

1766 1770

Editor IJARCET

Prolexic q2 2013 global d do s attack report

Prolexic Technologies

20320140501016

IAEME Publication

In general, network attack should be prohibited and information security technology should contribute to improve the trust of network communication. Almost network communication is based on IP packet that is standardized by the international organization. So, network attack does not work without following the standardized protocols and data format. Therefore, network attack also leaks information concerning adversaries by their IP packets. In this paper, we propose an effective choice for network attack scenario which counter-attacks adversary. We collect and analyze IP packets from the adversary, and derive network topology map of the adversary. The characteristics of topology map can be evaluated by the Eigen value of topology matrix. We observe the changes of characteristics of topology map by the influence of attack scenario. Then we can choose the most effective or suitable network counter-attack strategy. In this paper, we assume two kinds of attack scenarios and three types of tactics. And we show an example choice of attack using actual data of adversary which were observed by our dark-net monitoring.

TOPOLOGY MAP ANALYSIS FOR EFFECTIVE CHOICE OF NETWORK ATTACK SCENARIO

IJCNCJournal

IRJET- DDOS Detection System using C4.5 Decision Tree Algorithm

IRJET Journal

Identifying Malicious Data in Social Media

IRJET Journal

Similar to Visibility into a Real DDoS attack (20)

Assingment 4 - DDos

IP Traceback for Flooding attacks on Internet Threat Monitors (ITM ) Using Ho...

A Survey on Black Hole & Gray Hole Attacks Detection Scheme for Vehicular Ad-...

Aw36294299

RSA - Behind the scenes of a fake token mobile app operation

2015-cloud-security-report-q2

The Value of Shared Threat Intelligence

Q-learning based distributed denial of service detection

Icimt 2010 procediing rp118 vol.2 d10122

The impact of DoS (Denial of Service) cyberattacks on a Local Area Network (LAN)

1716 1719

Fortinet_FortiDDoS_Introduction

1766 1770

Prolexic q2 2013 global d do s attack report

20320140501016

TOPOLOGY MAP ANALYSIS FOR EFFECTIVE CHOICE OF NETWORK ATTACK SCENARIO

IRJET- DDOS Detection System using C4.5 Decision Tree Algorithm

Identifying Malicious Data in Social Media

Recently uploaded

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Top 10 Most Downloaded Games on Play Store in 2024

SynarionITSolutions

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Recently uploaded (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Top 10 Most Downloaded Games on Play Store in 2024

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

A Year of the Servo Reboot: Where Are We Now?

Automating Google Workspace (GWS) & more with Apps Script

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

A Domino Admins Adventures (Engage 2024)

How to Troubleshoot Apps for the Modern Connected Worker

presentation ICT roal in 21st century education

Strategies for Landing an Oracle DBA Job as a Fresher

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Boost PC performance: How more available memory can improve productivity

MINDCTI Revenue Release Quarter One 2024

Artificial Intelligence Chap.5 : Uncertainty

Axa Assurance Maroc - Insurer Innovation Award 2024

🐬 The future of MySQL is Postgres 🐘

Boost Fertility New Invention Ups Success Rates.pdf

Visibility into a Real DDoS attack

1. Hemant Jain’s Visibility into a Real Distributed Denial of Service (DDoS) Attack

3. Overall View Over a Month These two graphs here depict the daily traffic over a month’s period in terms of packet rate and Mbps respectively. The upper half is outbound traffic and the lower half (in negative) is the inbound traffic. You can see two peaks which correspond to two large inbound attacks. The purpose of the appliance is to maintain the normal traffic and only pass what’s legitimate. That’s what it is doing here by dropping the excess packets (shown as white ear under the maroon lines). What’s being allowed is the blue area.

4. View of another link This graph shows the second link on the same device. This link has larger and continuous attacks over the month’s period. As you can see the appliance maintains the normal behavior and drops excessive packets. This maroon line shows what’s incoming and the blue and green lines show what gets out of the appliance after DDoS mitigation based on behavioral analysis. The white envelope is the attack that’s getting dropped.

5. Tabular Form Data For The Links Note: Port 2 and Aux 2 here are connected to the Internet and Port 1 and Aux 1 are connected to the LAN side. If the attack ingresses on Port 2 and Aux 2, what gets forwarded on Port 1 Egress and Aux 1 Egress is the filtered traffic. DDoS mitigation (1) = Port 2 Ingress – Port 1 Egress DDoS mitigation (2) = Aux 2 Ingress – Aux 1 Egress

6. Aggregate Drop Traffic This graph shows the aggregate dropped traffic and gives you visibility into excess traffic that’s getting flitered by the appliance. Packets are dropped due to multiple reasons and are shown in different colors. These are drilled down further in subsequent graphs on subsequent pages.

7. Top Attacks and Top Attacker Reports IntruGuard appliances give you a visibility into the Top Attacks, Top Attackers, Top Attacked Destinations, etc. for the last 1 hour, 1 day, 1 week, 1 month, 1 Year. These IPs are obfuscated.

8. Packets Dropped at Layer 3 This graph shows the dropped traffic due to certain Layer 3 reasons which are shown in the table below.

9. Packets Dropped at Layer 4 This graph shows the dropped traffic due to certain Layer 4 reasons which are shown in the table below. More than 1 billion packets were dropped due to SYN flood during this period. And over 58 million packets dropped due to few specific IPs sending too many SYN packets/second.

10. Packets Dropped at Layer 7 This graph shows the dropped traffic due to certain Layer 7 reasons which are shown in the table below. IntruGuard appliances monitor HTTP opcodes, URLs and anomalies and can pinpoint the excessses in any one of the dimensions.

11. Count of Unique Sources This graph gives you a visibility into count of unique sources coming to your network. As you can see here, there is a large peak during Week 21 which corresponds to an attack. The number of unique sources almost reached 1 million. These could be spoofed IP addresses too.

12. Number of Established TCP Connections This graph shows the number of established TCP connections. Since there is no obvious peak here, and the previous graph of count of unique sources had a large peak, it means the attackers were primarily spoofed IPs.

13. Concurrent Connections/Source This graph shows the number of established TCP connections that any single source made. The appliance monitors up to 1 million sources. These are clipped to a certain threshold based on past behavior.

14.

15.

Visibility into a Real DDoS attack

Recommended

Recommended

More Related Content

Similar to Visibility into a Real DDoS attack

Similar to Visibility into a Real DDoS attack (20)

Recently uploaded

Recently uploaded (20)

Visibility into a Real DDoS attack