Online Courses
Cyber Threat Hunting

Hunting for DDoS activity

What is a DDoS?

A Distributed Denial-of-Service (DDoS) attack is when multiple attacking machines attempt to overwhelm the victim machine(s)

DDoS attacks are often used as a smokescreen

  • Other attacks take advantage of the confusion to sneak through under the radar

Indicators of a DDoS attack

Multiple different factors can point to a DDoS attack:

  • Unavailability of websites

  • Slow network performance

  • Failover

  • Back-end systems operating at maximum capacity

  • Overload of network security systems (SIEM, IPS/IDS)

  • Unanticipated server unavailability

    • No pending updates or scheduled reboots that would explain it

Hunting for DDoS activity

If you suspect that a DDoS attack is occurring, netstat is a useful tool

Typing netstat -an on the webserver will show the current connections to the server

IP addresses connected to many different ports may be an indication of a DoS attack

If you don't want to comb through the netstat result, you can use the following to see what IPs are connecting to your server and how many connections each has:

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Multiple IP addresses connected to multiple ports is a likely sign of a DDoS attack
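The script below is an added example, not part of the course material: it performs the same per-IP count as the one-liner above on a constructed netstat -an sample, splits host and port on the last colon so IPv6 peers are not mangled (the cut -d: -f1 step keeps only the first field), and also counts how many distinct server ports each remote IP is hitting. The sample addresses, thresholds and function names are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of `netstat -an` output (Linux column layout), not a real capture.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:22             203.0.113.7:51237       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.20:40001     ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:33210     ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:33211     ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

def split_host_port(addr: str) -> Tuple[str, str]:
    """Split 'host:port' on the LAST colon so IPv6 addresses stay intact."""
    host, _, port = addr.rpartition(":")
    return host, port

def summarize_peers(netstat_text: str) -> Dict[str, Tuple[int, set]]:
    """Return {remote_ip: (connection_count, {server ports hit})} for tcp/udp lines."""
    peers = defaultdict(lambda: [0, set()])
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue                       # header, unix sockets, etc.
        local, remote = fields[3], fields[4]
        remote_ip, remote_port = split_host_port(remote)
        if remote_port == "*":             # listening socket, no peer
            continue
        _, local_port = split_host_port(local)
        peers[remote_ip][0] += 1
        peers[remote_ip][1].add(local_port)
    return {ip: (count, ports) for ip, (count, ports) in peers.items()}

def flag_suspects(peers, min_connections: int = 3, min_ports: int = 2) -> List[str]:
    """Remote IPs with many connections spread over several server ports, busiest first."""
    hits = [(count, len(ports), ip) for ip, (count, ports) in peers.items()
            if count >= min_connections and len(ports) >= min_ports]
    return [ip for _, _, ip in sorted(hits, reverse=True)]

if __name__ == "__main__":                 # usage: netstat -an | python3 peers.py
    import sys
    summary = summarize_peers(sys.stdin.read())
    for ip in flag_suspects(summary):
        print(ip, summary[ip][0], "connections", sorted(summary[ip][1]))
```

Thresholds are assumptions to tune against your own baseline; a single IP hitting one port many times is a different pattern (and may be legitimate) from one IP spread across many ports.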


Last updated 9 months ago