2013-05-15 09:26 AM
Hi All,
Can anyone help me with how to detect a DOS or DDOS attack on NetWitness? I know this is a somewhat strange question, but I faced it on my client's side. I found there were a few TCP packets which had only 60 bytes, a payload with zero data, and the reset flag set. At the same time I found a few hits on UDP traffic where the source port is 53 and the destination is 0 or a dynamic 4-digit port number. I found it very strange, and a few of the UDP packets got root server boot information. I reported the same to the monitoring team, and they also informed me there was an instant spike of TCP and UDP packets.
This makes me suspect it should be a LOIC DOS attack, but I am not able to confirm it, although I asked to immediately block a few external IPs from which I saw the major amount of hits.
Please suggest if there is any good rule or observation for DOS/DDOS.
2013-05-16 10:23 AM
Anil,
Good questions. For most enterprises, the packet capture is typically deployed INSIDE the firewall and other perimeter control systems, and this type of traffic is not typically visible. LOIC usually has a payload that is observable. Some of the things you describe, the source port 53 for instance, sound more like a DNS reflective attack.
Create some rules that describe the traffic you are seeing, for instance: service=0 && tcp.srcport=53
A zero-payload rule of: payload=0
Then create an informer chart that monitors these types of alerts in real time, so when there is a spike in activity you can observe it and initiate your response workflow.
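The two indicators this thread describes (UDP from source port 53 with an empty payload, and empty TCP packets with RST set), expressed as matching logic plus the per-window counting an informer chart would plot, with the top source IPs per spike to support the blocking decision above. This is an added example, not NetWitness rule syntax or code from the thread; the Packet record and the SAMPLE traffic are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:                 # hypothetical record of one captured packet
    ts: int                   # capture time in whole seconds
    proto: str                # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_port: int
    payload: int              # payload bytes, 0 = empty
    flags: str = ""           # TCP flags as letters, "R" = reset

def match_rule(pkt):
    """Name of the first thread indicator the packet matches, or None."""
    # Reply's rule: UDP from source port 53 carrying no payload (DNS reflection sign)
    if pkt.proto == "udp" and pkt.src_port == 53 and pkt.payload == 0:
        return "udp_src53_empty"
    # Question's observation: TCP packet with empty payload and the RST flag set
    if pkt.proto == "tcp" and pkt.payload == 0 and "R" in pkt.flags:
        return "tcp_rst_empty"
    return None

def hits_per_window(packets, window=10):
    """Rule hits per (window_start, rule): the series an informer chart would plot."""
    counts = Counter()
    for p in packets:
        rule = match_rule(p)
        if rule:
            counts[(p.ts - p.ts % window, rule)] += 1
    return counts
def spikes(packets, window=10, threshold=3):
    """Windows where a rule fires >= threshold times, with the top source IPs in each."""
    out = {}
    for (start, rule), n in hits_per_window(packets, window).items():
        if n >= threshold:
            srcs = Counter(p.src_ip for p in packets
                           if start <= p.ts < start + window and match_rule(p) == rule)
            out[(start, rule)] = (n, srcs.most_common(2))
    return out
# Constructed sample traffic (not a real capture): benign packets, then a burst
SAMPLE = [
    Packet(100, "udp", "10.0.0.5", 53, 51234, 120),         # ordinary DNS answer
    Packet(101, "tcp", "10.0.0.7", 443, 40000, 500, "PA"),  # ordinary TCP data
    Packet(110, "udp", "198.51.100.9", 53, 0, 0),           # src 53 -> dst 0, empty
    Packet(111, "udp", "198.51.100.9", 53, 4021, 0),
    Packet(112, "udp", "203.0.113.4", 53, 4022, 0),
    Packet(113, "tcp", "198.51.100.9", 80, 4023, 0, "R"),   # 60-byte RST, no payload
    Packet(115, "tcp", "198.51.100.9", 80, 4024, 0, "R"),
    Packet(117, "tcp", "203.0.113.4", 80, 4025, 0, "R"),
]
```

Call spikes(SAMPLE) to see both rules cross the threshold in the 110-119 window, with 198.51.100.9 as the top source for each.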
2013-05-20 07:40 AM
The report is not giving me any result, whereas the hits are there. I am not sure.
2013-05-20 03:58 PM
Remember, you have to create capture rules on the decoder to see this traffic. Source ports are not indexed. Once you put the decoder rules in place, you should be able to create an informer report looking for that rule alerting.
2013-06-11 02:25 AM
Apart from informer charts, is there any other way to detect it? For example, on the decoder dashboard there were real-time graphs for CPU and session capture.
Is it possible to create a real-time graph for network traffic capture, because session capture would not be a good solution for DOS detection?
Now this has become a very serious discussion on my client's side, as they got a warning from Twitter.
2013-06-12 11:56 AM
Charting on the decoder is for decoder processes and metrics and does not look into packet payloads. Again, however, DDoS happens at the perimeter. If a decoder is deployed there you might see the traffic, and if the DDoS is a very strong one, the decoder might have problems maintaining capture.
Using software that analyzes routers to look for DDoS attacks is the better way to approach this issue.