Do you need this answer to investigate an ongoing attack or is this a question for some university assignment?
In case of an ongoing attack I suggest that you hire a consultant or (depending on the scale) even bring in a whole incident response team.
Malicious traffic can manifest itself in a number of ways:
- Distributed Denial of Service Attacks (DDoS) can come with any type of packet.
- Most efficient are unsolicited DNS and NTP responses. This would be a "reflection attack".
- Other attacks use ICMP, HTTP or HTTPS traffic
- Poorly written web applications can be overwhelmed with a surprisingly small number of HTTP or HTTPS requests: If a certain transaction, say a complex database query, keeps the server busy for several hundred milliseconds or longer
Analysis: Often DDoS attacks target one destination IP address. Look out for top receivers in the conversation statistics.
A port scan uses literally every TCP and UDP port.
- A full port scan sends 64k packets, TCP and UDP.
- Variations limit themselves to about 1'000 common services.
- Another malicious operation is "OS fingerprinting". It looks similar to a port scan, but uses still fewer packets to identify the operating system.
Analysis: Find the system that is accessing a ton of different TCP and UDP ports
A good hacker who is executing a well planned attack would blend in with the routine traffic.
- You will see "Command and control traffic" (C2 for short) when a compromised computer receives a command or uploads stolen data.
- Another part is the internal attack traffic, which often uses completely different protocols.
- Both parts can be easy to spot (say, an internal port scan) or very well camouflaged, if the attacker is blending in with HTTPS traffic from thousands of users.
- Analysis: This requires some experience in network analysis. An Intrusion Detection System (IDS) is highly recommended. You use SNORT or SURICATA to parse the trace file and look for malicious activity.
- A good start is Christian Landström's talk on APT traffic from the last Sharkfest EU conference.
If you have a suspicious trace file you can probably upload it for review by someone in the community.
answered 05 Nov '16, 07:01
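The two "Analysis" hints in the answer above (top receivers in the conversation statistics for a DDoS, and a single source touching a large number of distinct TCP/UDP ports for a port scan) can be turned into a small flow-record triage. The following is an added example, not code from the answer's author or from Wireshark; it works on a constructed list of flow records (source, destination, protocol, destination port, packet count), which is the kind of summary you would export from a trace file, and the addresses and thresholds are assumptions chosen for illustration.

```python
"""Added example: apply two triage heuristics to flow records.

1. top_receivers: rank destination IPs by packets received (DDoS victims
   stand out as the top receiver in conversation statistics).
2. port_scanners: find sources that contacted an unusually high number of
   distinct (protocol, destination port) pairs (port-scan behaviour).

All sample data below is constructed; the addresses and thresholds are
assumptions for illustration only.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port; 0 for protocols without ports
    packets: int


def top_receivers(flows, n=3):
    """Return the n destination addresses receiving the most packets."""
    totals = Counter()
    for f in flows:
        totals[f.dst] += f.packets
    return totals.most_common(n)


def port_scanners(flows, min_distinct_ports=100):
    """Return {src: distinct_port_count} for sources that touched at least
    min_distinct_ports distinct (proto, dport) pairs. Protocols without
    ports (ICMP) are ignored for this heuristic."""
    seen = defaultdict(set)
    for f in flows:
        if f.proto in ("tcp", "udp"):
            seen[f.src].add((f.proto, f.dport))
    return {src: len(ports) for src, ports in seen.items()
            if len(ports) >= min_distinct_ports}


def build_sample_flows():
    """Constructed sample traffic (not from any real capture):
    - 20 routine HTTPS clients talking to the web server 10.0.0.5
    - a UDP flood from 50 sources (documentation range 198.51.100.0/24)
      hitting 10.0.0.7, mimicking unsolicited reflection responses
    - one internal host probing 1000 TCP ports on the web server
    """
    flows = []
    for i in range(20):
        flows.append(Flow(f"10.0.0.{i + 10}", "10.0.0.5", "tcp", 443, 30))
    for i in range(50):
        flows.append(Flow(f"198.51.100.{i + 1}", "10.0.0.7", "udp", 53, 400))
    for port in range(1, 1001):
        flows.append(Flow("10.0.0.99", "10.0.0.5", "tcp", port, 1))
    return flows


if __name__ == "__main__":
    flows = build_sample_flows()
    print("Top receivers:", top_receivers(flows))
    print("Likely port scanners:", port_scanners(flows))
```

Against the constructed sample the flood target 10.0.0.7 is the top receiver with 20000 packets, and 10.0.0.99 is flagged with 1000 distinct ports. The threshold of 100 distinct ports is a starting point, not a rule: legitimate hosts such as monitoring systems or vulnerability scanners will also exceed it, so a hit is a lead to confirm in the trace, not a verdict.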