Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - DDoS Analysis Process InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

DDoS Analysis Process

Published: 2011-02-12
Last Updated: 2011-02-12 23:41:11 UTC
by Kevin Liston (Version: 1)
6 comment(s)


We sometimes get requests from people who are undergoing Denial of Service attacks. These days that usually means a Distributed Denial of Service attack. In our role at the Internet Storm Center, we're often limited to consultation roles and and can only recommend possible courses of action for the client. We don't have a canned response or top-three recommendations that will work in all cases; instead we have a process. Hopefully it can keep pace with the evolution of attacks.

Process Overview:

  • Gather Information
    • Get a list of attacking IPs from the client
      • whois/geoip profiling
    • description of the attack traffic
      • SYN only
      • complete session
      • special request or execution
    • pcaps are nice
      • allow additional fingerprinting
      • spoofed or not?
  • attack analysis
    • identify the weakness in the target
    • identify the weakness in the attack
  • formulate recommendations
    • remiediate target weakness
    • exploit attack weakness

An Example:

In the initial report we got a sample of source IPs and a description of the type of attack (e.g. SYN only.) Our initial response is to request a pcap sample of the attack. While that is underway we take look at the IP addresses from the first report. First there's a random sampling of IPs that we put through whois or geolocate to get an initial feel. In my random choice, it was Kazakhstan. A simple country code distribution of the full list had a heavy bias in Russia and the Ukraine.

Looking at the attack style, it was reported as SYNs-only. That kind of attack is easy to spoof, so I'm not so confident that the source IP addresses are accurate. I await the pcap.

Once it arrives we take a look at it in wireshark or other equivalent just to get a feel for the data. Just by eyeballing it we confirm that the SYN-only report was accurate. Next we begin a more in-depth analysis explore any theories that we may have. In my case, I'm interested in the validity of the source IPs. My approach is to build netflow data from the pcap and use that to filter out attackers from any legitimate customers that may have got through. I rely on argus to build the flow data and use a horrible combination of ra and awk to pull out the source IPs with flows that timed-out or had 0 bytes returned from the target. I can then feed that list of IPs into the geo-locator to get a distribution of the attackers. Another data-source is to passively fingerprint the attacking IPs and examine that distribution. I'm still using p0f for lack of a better alternative (although I did take Satori for a spin while writing this up.)


Is it uniform? Or does it have the feel of a exponential distribution? I admit that this process is far from rigorous (my apologies to all who have real statistics backgrounds.) The pcap itself is only a sample, so we're just looking to see if it's too random. In this case the distribution doesn't appear to be either uniform, nor clumped. So these IP addresses may be valid. Next we perform a similar plot of OS fingerprints.

Based on these observations we can get a feel if the source IPs are accurate or obviously-spoofed. In this case it still appears that these are legitimate IP addresses.

In addition to analyzing the source IPs, we give a similar treatment to the destination addresses. In this case, the stand-out is that it's only one IP that is targeted. This will play a factor in our recommendations below.

What does the attack look like? We've noted the SYN-only behavior, but are there other factors that could be leveraged? Things like TTL, and Byte-size? Perhaps the source port of the attacks has a pattern? In this case the source port had a uniformly random distribution. The estimated distance of the attackers ranged from 6 to 30 hops with most between 20 and 24 hops.

Now we have enough information to begin recommendations. Given that the attack is SYN-only, there are a number of SYN-flood defenses available at the server and the ISP-level. Additionally, if there is evidence that the attack is coordinated by IP address, we can exploit this weakness in the attack by moving the service over to a new IP and seeing how the attacker reacts.

Additional intelligence may be gained by paying extra attention to the outliers identified in the fingerprinting stage (for example the lone OpenBSD system or the handful of Linux systems.) These could be the systems that are monitoring the effect of the attack.


Keywords: ddos
6 comment(s)
Diary Archives