A common mistake people and tools make when monitoring for distributed denial of service (DDoS) attacks is to look only for the default signature strings, default ports, default passwords and so on of the known DDoS tools. To build network intrusion detection system (NIDS) rules for these tools, one must instead analyze the general characteristics of DDoS network communication, whether they are obvious or fuzzy.
A DDoS tool generates two kinds of network traffic: control traffic (between the attacker's client and the DDoS servers, the daemons running on compromised hosts) and attack traffic (from the DDoS servers to the target host).
NIDS rules built on the following anomalies can detect DDoS attacks more accurately.
Anomaly 0: Strictly speaking this is not DDoS traffic, but it can be used to identify the sources of an attack. In practice the attacking hosts resolve the target's host name before flooding it, and a BIND name server can log these requests. Because each attack server issues a PTR (reverse) lookup for the target's IP address before attacking, the name server that is authoritative for the target's reverse zone sees a burst of PTR queries for the same IP address from many different sources shortly before the flood begins.
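The PTR-burst precursor described above, as an added detector that is not part of the original article: it parses BIND-style query log lines and flags any IP address that many distinct clients reverse-resolve within a short window. The log lines, the 60-second window and the five-source threshold are constructed assumptions for illustration; tune them to your own zone's normal reverse-lookup rate.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches BIND 9 querylog lines. The "(qname)" after the client address is
# optional because newer BIND releases add it and older ones do not.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?:@0x[0-9a-f]+ )?(?P<src>\d+\.\d+\.\d+\.\d+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\w+)"
)

# Constructed sample log (not real traffic): six clients reverse-resolve
# 192.0.2.9 within a few seconds, plus an unrelated A query and one PTR lookup
# of a different address that should not trigger an alert.
SAMPLE_LOG = [
    "07-Feb-2024 10:15:01.123 client 10.0.0.1#40123: query: 9.2.0.192.in-addr.arpa IN PTR + (10.0.0.53)",
    "07-Feb-2024 10:15:02.456 client 10.0.0.2#51002 (9.2.0.192.in-addr.arpa): query: 9.2.0.192.in-addr.arpa IN PTR + (10.0.0.53)",
    "07-Feb-2024 10:15:03.001 client 10.0.0.3#33001: query: 9.2.0.192.in-addr.arpa IN PTR + (10.0.0.53)",
    "07-Feb-2024 10:15:04.777 client 10.0.0.9#44321: query: www.example.com IN A + (10.0.0.53)",
    "07-Feb-2024 10:15:05.200 client 10.0.0.4#39877: query: 9.2.0.192.in-addr.arpa IN PTR + (10.0.0.53)",
    "07-Feb-2024 10:15:06.900 client 10.0.0.5#52010: query: 9.2.0.192.in-addr.arpa IN PTR + (10.0.0.53)",
    "07-Feb-2024 10:15:07.002 client 10.0.0.1#40124: query: 7.100.51.198.in-addr.arpa IN PTR + (10.0.0.53)",
    "07-Feb-2024 10:15:08.340 client 10.0.0.6#60001: query: 9.2.0.192.in-addr.arpa IN PTR + (10.0.0.53)",
]


def ptr_to_ip(qname):
    """Turn '9.2.0.192.in-addr.arpa' into '192.0.2.9'; None if not an IPv4 PTR name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))


def parse_ptr_queries(lines):
    """Yield (timestamp, querying client, reverse-resolved IP) for every PTR query."""
    events = []
    for line in lines:
        m = QUERY_RE.match(line)
        if not m or m.group("qtype") != "PTR":
            continue
        target = ptr_to_ip(m.group("qname"))
        if target is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        events.append((ts, m.group("src"), target))
    return sorted(events)


def find_ptr_bursts(lines, window_seconds=60, min_sources=5):
    """Return {target_ip: sorted list of clients} for every IP that at least
    min_sources distinct clients reverse-resolved inside one sliding window."""
    by_target = defaultdict(list)
    for ts, src, target in parse_ptr_queries(lines):
        by_target[target].append((ts, src))
    alerts = {}
    for target, evs in by_target.items():
        left = 0
        for right in range(len(evs)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (evs[right][0] - evs[left][0]).total_seconds() > window_seconds:
                left += 1
            sources = {src for _, src in evs[left:right + 1]}
            # Keep the largest set of distinct sources seen in any window.
            if len(sources) >= min_sources and len(sources) > len(alerts.get(target, ())):
                alerts[target] = sorted(sources)
    return alerts


if __name__ == "__main__":
    for ip, sources in find_ptr_bursts(SAMPLE_LOG).items():
        print(f"PTR burst for {ip}: {len(sources)} distinct sources: {', '.join(sources)}")
```

Counting distinct clients rather than raw query volume is what separates this precursor from an ordinary popular-host lookup: one busy mail server reverse-resolving the same address repeatedly is normal, many unrelated hosts doing so in the same minute is not.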
Anomaly 1: When a site is under DDoS attack, traffic rises far above the limits of normal operation. Current techniques can compute a separate baseline limit for each source address; traffic that greatly exceeds that limit indicates DDoS traffic. ACL rules can therefore be set up on the backbone routers to monitor and filter it.
Anomaly 2: Unusually large ICMP and UDP packets. A normal UDP session typically uses small datagrams, usually with no more than 10 bytes of payload, and a normal ICMP message does not exceed 64 to 128 bytes. Packets that are much larger than this are likely to carry control traffic, chiefly encrypted target addresses and command options. (Services such as DNS and NTP legitimately send larger UDP payloads; exclude them when applying this rule.) Once control traffic is captured, the location of the DDoS server is exposed, because the destination address of a control packet cannot be forged: the packet has to reach the daemon. Only the destination address is reliable, however; the source address of a control packet may well be spoofed.
Anomaly 3: TCP and UDP packets that are not part of normal connection traffic. The most insidious DDoS tools pick at random among several protocols, including connectionless ones, and send their control data over connectionless channels. Well-written firewall and router rules can catch such packets, for example TCP segments that do not belong to an established connection. Packets addressed to a destination port above 1024 that is not a common network service are also highly suspect.
Anomaly 4: Payloads that contain only letters and digits (no spaces, punctuation or control characters). This usually indicates that the data is Base64 encoded and therefore limited to the Base64 character set. The control packets sent by tfn2k are of this type. The characteristic pattern of tfn2k (and its variants) is a run of 'A' characters (AAA...) in the payload, typically at its end, produced by the padding added when the payload is sized and encrypted: Base64 encodes a run of zero bytes as a run of 'A' characters, so the zero padding of the encrypted data shows up as a string of 'A's.
Anomaly 5: Payloads that contain only binary or high-bit (non-ASCII) bytes. Such packets may be legitimate binary file transfers, but if they are not part of normal, valid communication they may be control packets that are encrypted but not Base64 encoded. (If you implement this rule, you must exclude traffic on ports such as 20, 21 and 80.)
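The payload heuristics of Anomalies 2, 4 and 5 combined into one classifier, as an added example that is not code from the original article or from any DDoS tool: it tags oversized UDP/ICMP payloads, Base64-only payloads with a trailing run of 'A's, and all-binary payloads on ports that are not excluded. The sample packets are constructed here, the tfn2k-like payload is built by Base64-encoding a dozen arbitrary bytes followed by zero padding, and the excluded-port list is an assumption that extends the article's 20/21/80 with other services whose payloads are routinely large or binary.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Base64 alphabet with optional '=' padding; matched against raw bytes.
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

# Printable ASCII plus tab, LF and CR count as "text"; everything else is binary.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Assumption: destination ports whose payloads are legitimately large or binary
# (FTP data/control, SSH, DNS, HTTP, NTP, HTTPS). The article names 20, 21 and 80.
EXCLUDED_PORTS = {20, 21, 22, 53, 80, 123, 443}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    dst_port: Optional[int]    # None for ICMP
    payload: bytes


def is_base64_only(payload: bytes) -> bool:
    """Anomaly 4: only Base64-alphabet characters (minimum length avoids tiny payloads)."""
    return len(payload) >= 8 and BASE64_RE.match(payload) is not None


def trailing_a_run(payload: bytes) -> int:
    """Length of the run of 'A' characters at the end of the payload (ignoring '=')."""
    stripped = payload.rstrip(b"=")
    return len(stripped) - len(stripped.rstrip(b"A"))


def is_binary_only(payload: bytes) -> bool:
    """Anomaly 5: every byte is a control character or has the high bit set."""
    return len(payload) > 0 and all(b not in TEXT_BYTES for b in payload)


def classify(pkt: Packet, udp_max: int = 10, icmp_max: int = 128, min_a_run: int = 8) -> List[str]:
    """Return the list of anomaly tags that apply to one packet."""
    tags = []
    excluded = pkt.dst_port in EXCLUDED_PORTS
    # Anomaly 2: oversized UDP or ICMP payload (sizes from the article).
    if pkt.proto == "udp" and not excluded and len(pkt.payload) > udp_max:
        tags.append("large_udp")
    if pkt.proto == "icmp" and len(pkt.payload) > icmp_max:
        tags.append("large_icmp")
    # Anomaly 4: Base64-only payload; a long trailing 'A' run is the tfn2k fingerprint.
    if is_base64_only(pkt.payload):
        tags.append("base64_only")
        if trailing_a_run(pkt.payload) >= min_a_run:
            tags.append("tfn2k_like_padding")
    # Anomaly 5: all-binary payload on a port that is not a known binary service.
    if not excluded and is_binary_only(pkt.payload):
        tags.append("binary_only")
    return tags


def scan(packets: List[Packet]) -> List[List[str]]:
    return [classify(p) for p in packets]


# Constructed tfn2k-like control payload: 12 arbitrary bytes standing in for
# ciphertext, then 24 zero bytes of padding, Base64 encoded. The zeros become
# a trailing run of 32 'A' characters.
TFN2K_LIKE = base64.b64encode(bytes.fromhex("9f3ac1047be2d8105a6e44c7") + b"\x00" * 24)

# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    Packet("udp", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07example\x03com\x00\x00\x01\x00\x01"),
    Packet("udp", 31337, TFN2K_LIKE),
    Packet("icmp", None, bytes(0x80 + (i % 64) for i in range(200))),
    Packet("tcp", 80, bytes.fromhex("00ff8e") * 6),
    Packet("tcp", 4444, bytes.fromhex("00ff8e") * 6),
    Packet("udp", 5000, b"SESSION1"),
]

if __name__ == "__main__":
    for pkt, tags in zip(SAMPLE_PACKETS, scan(SAMPLE_PACKETS)):
        print(f"{pkt.proto:4} port={pkt.dst_port!s:5} len={len(pkt.payload):3} -> {tags or 'clean'}")
```

The last sample packet shows the inherent weakness of Anomaly 4: any short alphanumeric token such as "SESSION1" is Base64-only by construction, so on its own that rule is only a weak indicator. The trailing 'A' run, and the combination with an oversized payload on an unusual port, is what makes the tfn2k case stand out.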