Triage | P1 | ~30 min

Characterize the DDoS Attack

Classify the attack by layer, vector, and magnitude so the right mitigation is applied. L3/L4 volumetric, reflection/amplification, and L7 application-layer attacks have distinct mitigations and distinct upstream-provider activation paths.

Actions

  1. Determine attack layer from traffic telemetry: L3/L4 (SYN flood, UDP flood, ICMP flood) shows high pps and bps with repetitive small packets; L7 shows HTTP/HTTPS request spikes with plausible-looking requests but abnormal sources or patterns.

  2. Identify the specific vector: SYN flood, UDP amplification (DNS, NTP, Memcached, SSDP, CLDAP), TCP reflection (RST, ACK), HTTP flood, Slowloris, application-layer cache-buster, search-expensive query flood.

  3. Measure magnitude: peak pps, peak bps, peak RPS for L7; compare to baseline and to provider-side capacity to determine if upstream scrubbing is required.

  4. Identify the source profile: botnet distribution (many low-throughput IPs), reflector set (many amplifying servers with specific ports), single-region spike, specific ASN concentration.

  5. Identify the targeted asset: a single URL/endpoint under L7 attack points to application-layer targeting; a whole IP under L3/L4 is a volumetric flood.

  6. Cross-check with provider dashboards (Cloudflare, Akamai, AWS Shield, Fastly) and ISP NOC for corroborating data.
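One way to script steps 1 through 4 over L3/L4 flow telemetry, added here as an example and not part of the original playbook. It assumes aggregated flow records with src_ip, src_port, proto, packets, bytes and (for TCP) tcp_flags fields; the two attack windows below are constructed, not captured data.

```python
from collections import Counter
# Service ports whose replies are commonly abused as amplifiers (the playbook's vector list)
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached", 1900: "SSDP", 389: "CLDAP"}

def characterize(flows, window_s, baseline_pps, pipe_capacity_bps):
    """Classify one window of aggregated L3/L4 flow records by vector, magnitude and source profile."""
    packets = sum(f["packets"] for f in flows)
    octets = sum(f["bytes"] for f in flows)
    pps, bps = packets / window_s, octets * 8 / window_s
    by_proto, by_src_port, by_src, syn_only = Counter(), Counter(), Counter(), 0
    for f in flows:
        by_proto[f["proto"]] += f["packets"]
        by_src_port[f["src_port"]] += f["packets"]
        by_src[f["src_ip"]] += f["packets"]
        if f["proto"] == "tcp" and f.get("tcp_flags") == "S":
            syn_only += f["packets"]
    proto = by_proto.most_common(1)[0][0]
    src_port, port_pkts = by_src_port.most_common(1)[0]
    # Vector: reflection when the bulk of packets arrive *from* one amplifier service port;
    # SYN flood when the TCP traffic is almost entirely SYN-only segments.
    if proto == "udp" and src_port in AMPLIFIER_PORTS and port_pkts / packets > 0.8:
        vector = f"UDP amplification ({AMPLIFIER_PORTS[src_port]} reflectors)"
    elif proto == "tcp" and syn_only / packets > 0.8:
        vector = "SYN flood"
    else:
        vector = f"{proto.upper()} flood"
    # Source profile: many low-throughput sources = botnet; few sources carrying most packets = concentrated.
    top_share = by_src.most_common(1)[0][1] / packets
    if "reflectors" in vector:
        source_profile = f"reflector set ({len(by_src)} amplifying servers)"
    elif len(by_src) >= 100 and top_share < 0.05:
        source_profile = f"botnet distribution ({len(by_src)} low-throughput sources)"
    else:
        source_profile = f"concentrated ({len(by_src)} sources, top source {top_share:.0%})"
    return {"layer": "L3/L4", "vector": vector, "pps": pps, "bps": bps,
            "vs_baseline": pps / baseline_pps, "avg_packet_bytes": octets / packets,
            "source_profile": source_profile,
            # Scrubbing decision: the pipe is saturated if attack bps exceeds what it can carry.
            "upstream_scrubbing": bps > pipe_capacity_bps}

# Constructed sample records (not real telemetry): aggregated flows for one 60 s window.
# DNS reflection: 300 amplifiers answering from UDP/53 with ~1300-byte responses.
DNS_REFLECTION = [{"src_ip": f"10.0.{i // 256}.{i % 256}", "src_port": 53, "dst_port": 4444,
                   "proto": "udp", "packets": 20_000, "bytes": 26_000_000} for i in range(300)]
# SYN flood: 2000 bots each sending a trickle of 60-byte SYN-only segments to TCP/443.
SYN_FLOOD = [{"src_ip": f"10.1.{i // 256}.{i % 256}", "src_port": 50_000 + i % 1000, "dst_port": 443,
              "proto": "tcp", "tcp_flags": "S", "packets": 30, "bytes": 1_800} for i in range(2000)]
if __name__ == "__main__":
    for name, flows in (("dns", DNS_REFLECTION), ("syn", SYN_FLOOD)):
        print(name, characterize(flows, 60, 500, 1e9))
```

The thresholds (80 % share, 100 sources, 5 % top-source share) are illustrative starting points; tune them against your own baseline before relying on the output.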

Queries

index=netflow earliest=-1h | stats sum(bytes) as bytes sum(packets) as packets by src_ip, dst_port | sort -packets | head 100
index=proxy sourcetype=nginx earliest=-1h | stats count dc(uri_path) as distinct_paths by src_ip | where count > 1000 and distinct_paths < 5
DNSlogs | where Timestamp > ago(1h) | where QueryType == "A" and ResponseSize > 500 | summarize cnt=count() by QueryName | where cnt > 100

Notes

Early characterization drives the mitigation. Applying a volumetric mitigation to an L7 attack wastes the window; applying an L7 WAF rule to a volumetric flood leaves your pipe saturated.

Attack vectors change mid-attack -- maintain characterization as an ongoing task, not a one-time triage step.

Not every traffic spike is an attack. Confirm against marketing events, viral product launches, and legitimate bot traffic (search engines) before declaring DDoS.
