Denial-of-Service (DoS) Attack forensics has several motivations. When under attack, this process is important to identify the attacker and safely distinguish it from legitimate traffic, and in turn to accurately employ various mitigation techniques to block it. After the attack is over, forensic is important for our customers to understand the attack origin, motivation, preparation for a second strike, and as a basis for legal actions. Our research team values forensic as a research tool that improves our understanding of the DoS attack world.
In some cases forensics is easy, for example, if the attacker uses a known tool such as the old JUNO then it is easy to detect it with a signature. The signature is based on its known and unique characteristics, and the logs of the signature will bring the list of IPs that attacked you.
In other cases this is far less easy – it is hard to confidently say that one IP is an attacker and another IP is legitimate. In HTTP floods, attackers’ ambition is to mimic legitimate traffic. We see attacks in which each attacker sends only few requests per second (less even than a legitimate one), the HTTP request is complete, URLs are randomized, and on top of all of that, there is more than just one attack vector. When attacking traffic and legitimate traffic blends together, the isolation process becomes a headache.
In one of the cases Radware recently handled, we encountered this exact difficulty but found an interesting way to overcome it. In short, the idea is to find an Archimedean Point – a small list of attackers that you are absolutely certain about, and then setup mutual parameters to gradually gain more confidence and increase the list.
In this attack, from the beginning we noticed that many of the HTTP requests had an HTTP Header “Accept-Language“ set with “zh-cn” indicating that browsers support Traditional Chinese. This can sometimes suggest an attack, but we need more information to confirm that because perhaps the website simply has a large Chinese speaking user base.
We then turned to a different parameter – we saw that some of the IPs that appeared during the attack came from the same network. In fact, when we sorted them, we saw that they were nearly consecutive and that a whole network range participated in the attack. Apparently the attacker gained access to a whole network range and utilized it in this attack. Now we were certain, the traffic coming from this network range with consecutive IPs cannot be legitimate, and we compiled the first list of attackers. It was small one, but it had a high confidence rate.
Then we noticed that there were additional network ranges that participated in the attack. They were not as bold and obvious as the first one, but since we already knew that attacker proved himself to utilize a whole network range, we felt confident the other ones were also malicious. Our attacker list then becomes bigger.
We still had many IPs that used the Traditional Chinese, but did not belong to an infected network. So how do we separate the malicious ones as well? It was actually rather easy: since all the already confirmed attackers used Traditional Chinese we reasonably deduced that all or most of the other ones are attackers as well. Our attacker list becomes bigger again, until complete.
This process modestly follows Sherlock Holmes footsteps in two aspects: first of all, in the forensic process you need to remember not to jump to conclusions, and the second one is carefully examine the evidence and deduce from the first small conclusion to the next bigger one.
Ziv Gadot is Senior Security Researcher for Radware and manages Radware’s Security Operations Center (SOC) , a unit performing analysis and research on DDoS related subjects and the Emergency Response Team (ERT), a 24/7 service intended to assist organizations under DDoS attacks on a daily basis. Mr. Gadot joined Radware in 2003 and is actively involved in security research and service strategy.