This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to detect DDoS attacks on my network

0

How do I detect DDoS attacks on my network, in order to reduce my internet connectivity? I'm new to Wireshark, please answer as easily as you can.

asked 12 Apr '17, 07:18


isaak

What makes you think you are suffering a DDoS, and how are you connecting to the Internet: cable modem, DSL modem, 4G wireless or something else?

(12 Apr '17, 08:47) grahamb ♦

wireless network

(12 Apr '17, 09:43) isaak

One Answer:

1

Hello Isaak

DDoS attacks come in a large variety. Here are a few of them:

Reflection attacks

The attacks abuse a feature of a UDP based protocol where a small request triggers a large response. DNS and NTP have certain features that allow this type of abuse.

Spotting reflection attacks

  • Locate DNS/NTP responses for which your system never sent a request. udp.srcport == 53 or udp.srcport == 123 would be the proper display filters.
  • The response can easily exceed the maximum size of an Ethernet frame. Look out for IP fragmentation. A number of display filters will help. ip.frag_offset > 0 is one of them.
  • Please note that the IP continuation packets will not hold the UDP port numbers. Wireshark supports IP fragment reassembly, so that the total message will be dissected.

TCP SYN floods

These attacks try to fill the state table in a firewall or try to overwhelm a server's buffer. A number of techniques exist to defend against this type of attack. TCP SYN cookies are one of them.

Detecting SYN floods

  • Look out for an immense number of TCP connection requests. The proper display filter is tcp.flags.syn == 1 and tcp.flags.ack == 0.
  • The server that is under attack will respond with a smaller number of SYN/ACKs. These can be spotted with the display filter tcp.flags.syn == 1 and tcp.flags.ack == 1.
  • Try to compare the number of SYNs with the number of SYN/ACKs. As long as the numbers are identical your firewall or server is holding up.
  • Very often, the source addresses are spoofed. A good indicator of a spoofed source address is a packet with the RST bit set in response to the SYN/ACK from your server. The normal response would be a packet with just the ACK flag being set.

Attacks against layer 7 on your web servers

Most web servers have a search function, user registration dialog or similar function that triggers a lengthy response in the backend. An attacker can identify suitable targets by examining the HTTP response time. Some websites can be brought down by a surprisingly small number of parallel HTTP requests that trigger searches, process log-on data or run the check-out process in a web store.

Spotting layer 7 attacks

  • Your best bet is the web server's log file, especially if you are using HTTPS. (You hopefully use SSL, don't you?) Try to spot frequently called URIs in the log file.
  • Look out for user agents that indicate automated access. Among the candidates are wget or curl.
  • If you have access to unencrypted traffic, try to create a separate profile and add columns for the user agent (http.user_agent) and for the URI (http.request.uri).
  • Check if HTTP requests come with a referrer, where it is reasonable to expect them. Access to the check-out function in a web store without a referrer would be odd. Add http.referer as another column.

Geographic distribution of IP addresses

Most web sites have a distinct pattern of when users from a certain geographic region visit the site. A web site for a school or college would mostly draw traffic from local or regional IP addresses. Also, expect a few search engines and crawlers. A sudden surge in requests from rather remote locations would be an indicator of an attack.

This wireshark web site is visited by an international community. I have never seen the log files for this server. Still, I would expect over a 24 hour time window visitors from all over the world. Just looking at the log files for 10 am European time I would expect mostly European visitors, plus a few night owls from the Asian-Pacific region and a few early risers from the Americas.

A good baseline helps in spotting the attacks. Wireshark can pinpoint the location of an IP address. Check out the Wireshark Wiki for details.

DDoS by Popularity

While the aforementioned school web server is mostly idle, it can attract a huge surge of legitimate traffic. Expect a serious flood of traffic if major news networks report about the school and place a link on their site. Something similar could happen if a social media user with millions of friends or followers mentions your web site.

General hints

Some tools used for network flooding define constants in some fields in the IP or TCP header where a certain amount of randomness can be expected. Examples are the IP ID, the DNS transaction ID, a TCP source port number or sequence number. An excessive number of packets with a constant IP ID is an indicator for a very strange IP stack or for "hand crafted" packets.

Good hunting.

answered 12 Apr '17, 10:55


packethunter
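The SYN-flood heuristics from the answer above (SYN vs. SYN/ACK counts, RST answering a SYN/ACK as a spoofed-source indicator) and the constant-IP-ID hint, applied to a constructed list of packet summaries. This is an added example, not code from the answerer; the dict keys and the sample addresses are assumptions, chosen to mirror the Wireshark fields the answer names.

```python
"""Added example: SYN-flood and constant-IP-ID heuristics over packet summaries.
Each packet is a dict with the fields the answer's display filters refer to
(ip.src/ip.dst, ip.id, tcp flags, tcp ports); the key names are assumptions."""
from collections import Counter

def syn_flood_stats(packets, server):
    """Compare SYNs with SYN/ACKs and count RSTs that answer a SYN/ACK."""
    syn = synack = rst_after_synack = 0
    synack_sent_to = set()  # (client ip, client port) the server replied to
    for p in packets:
        if p["proto"] != "tcp":
            continue
        if p["flags"] == {"syn"} and p["dst"] == server:
            syn += 1                      # tcp.flags.syn == 1 and tcp.flags.ack == 0
        elif p["flags"] == {"syn", "ack"} and p["src"] == server:
            synack += 1                   # tcp.flags.syn == 1 and tcp.flags.ack == 1
            synack_sent_to.add((p["dst"], p["dstport"]))
        elif "rst" in p["flags"] and (p["src"], p["srcport"]) in synack_sent_to:
            rst_after_synack += 1         # a real client would send a plain ACK
    return {"syn": syn, "synack": synack, "rst_after_synack": rst_after_synack,
            "server_keeping_up": syn == synack}

def constant_ip_id(packets, threshold=0.5):
    """Share of packets carrying the most common IP ID; flag if above threshold."""
    top_id, top_count = Counter(p["ip_id"] for p in packets).most_common(1)[0]
    ratio = top_count / len(packets)
    return top_id, ratio, ratio >= threshold

SERVER = "192.0.2.10"  # constructed documentation-range address

def pkt(src, dst, flags, srcport, dstport, ip_id):
    return {"proto": "tcp", "src": src, "dst": dst, "flags": set(flags),
            "srcport": srcport, "dstport": dstport, "ip_id": ip_id}

SAMPLE = [  # constructed capture: one spoofed SYN, one real handshake, two bare SYNs
    pkt("198.51.100.7", SERVER, ["syn"], 40001, 80, 0x1234),
    pkt(SERVER, "198.51.100.7", ["syn", "ack"], 80, 40001, 0x0a01),
    pkt("198.51.100.7", SERVER, ["rst"], 40001, 80, 0x1234),   # spoofed-source sign
    pkt("198.51.100.8", SERVER, ["syn"], 40002, 80, 0x1234),
    pkt(SERVER, "198.51.100.8", ["syn", "ack"], 80, 40002, 0x0a02),
    pkt("198.51.100.8", SERVER, ["ack"], 40002, 80, 0x4567),   # legitimate client
    pkt("198.51.100.9", SERVER, ["syn"], 40003, 80, 0x1234),
    pkt("198.51.100.10", SERVER, ["syn"], 40004, 80, 0x1234),
]

if __name__ == "__main__":
    print(syn_flood_stats(SAMPLE, SERVER))
    print(constant_ip_id(SAMPLE))
```

On a real capture the same dicts can be filled from tshark -T fields output for ip.src, ip.dst, ip.id, tcp.flags and the port fields.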