Distributed Denial of Service

Description Kill Chain Stage
A distributed denial of service (DDoS) attack is one where multiple compromised systems attack a single target, thereby causing a denial of service for users of the targeted system. The flood of incoming messages to the target system will force it to shut down, and will deny the service to legitimate users.


Threat type to monitor
■    Higher than normal resource utilisation

■    Resources made unavailable

Monitoring setup
■    Active Directory

■    DNS

■    DHCP

■    Firewall

■    VPN concentrator

Events Indicators
■    Firewall connections from unknown external IP addresses

■    High number of connections at odd hours

■    Uncommon (>1024) port numbers used for connections on the firewall

■    Increase in packet drops on the firewall

■    Unscheduled reboots of the systems

■    Unexpected increase in DNS requests

■    Sudden increase in the resource utilisation of the devices

■    Multiple SYN packets from the same source

■    SYN Flood Log messages

■    Web DoS alert

■    UDP DoS tool use detection

■    HTTP GET flood
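
The "Multiple SYN packets from the same source" indicator can be checked with a sliding-window count per source IP over firewall logs. The following is an added example, not part of the original wiki page; the log line format, the sample lines, the threshold and the window length are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (hypothetical, not a specific vendor's):
# <ISO time> <ALLOW|DROP> TCP <src>:<sport> -> <dst>:<dport> flags=<flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>\S+)$"
)

# Constructed sample log: one source sends 8 bare SYNs in 8 seconds,
# another completes a normal handshake, and one line is malformed.
SAMPLE_LOG = [
    f"2024-01-01T03:00:{s:02d} DROP TCP 198.51.100.7:{40000 + s} -> 192.0.2.10:443 flags=S"
    for s in range(8)
] + [
    "2024-01-01T03:00:02 ALLOW TCP 203.0.113.5:51000 -> 192.0.2.10:443 flags=S",
    "2024-01-01T03:00:02 ALLOW TCP 203.0.113.5:51000 -> 192.0.2.10:443 flags=A",
    "truncated line without fields",
]

def syn_flood_sources(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {src_ip: peak count} for every source that sent at least
    `threshold` bare SYN packets inside any sliding `window`.
    Lines are assumed to be in time order per source."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent SYNs
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["flags"] != "S":
            continue              # skip malformed lines and non-SYN packets
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window: # expire SYNs that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["src"]] = max(peaks.get(m["src"], 0), len(q))
    return peaks

if __name__ == "__main__":
    for src, count in syn_flood_sources(SAMPLE_LOG).items():
        print(f"possible SYN flood: {src} sent {count} SYNs within the window")
```

The threshold and window need tuning against normal traffic for the monitored network; a busy NAT gateway can legitimately open many connections in a short time.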