DDoS Traffic Analysis Techniques for SOC Teams
A 60-minute DDoS attack could be launched with just $5 as per pricing on the Dark Web, and this was reduced from $15 in 2021. Unlike advanced attacks such as bot or zero-day attacks, these could be launched by hiring bandwidth on any of the ‘DDoS as a service’ websites.
No wonder even Gartner calls out DDoS as one of the biggest threat vectors for security teams worldwide.
DDoS attacks are debilitating, and the unavailability of applications can lead to lose revenue and unnecessary costs incurred in restoring operations. Many studies have pegged this number to range from a couple of hundred thousand dollars to upwards of a million dollars.
That said, acting quickly can prevent many of these problems, and analyzing DDoS attack traffic is critical.
While DDoS attacks such as SYN-flood can also affect the network layer, this blog is focused on how the Security Operations Center (SOC) teams could analyze application layer-level DDoS attacks.
Domain or Host Based Traffic
The first data point that could point to a DDoS attack is the overall traffic that your top-level domain (TLD) or fully qualified domain (FQDN) is experiencing.
While seasonality can play a big role in this, it is good to have data on seasonality so that these outliers are considered while analyzing DDoS traffic.
The next step is understanding a weekly average. As users and site visits grow over a period of time, understanding what the weekly average is makes sure that your analysis captures the legitimate traffic that your site is getting.
As a thumb rule, a SOC team’s analysis should ideally start once the site traffic is 2X the weekly average.
Traffic on URI
Once you understand that a DDoS attack might be happening, the next step is to understand which parts of the application are being targeted by the hackers.
In the case of web and API applications, this can be found by analyzing the traffic on URIs. Like the analysis on the domain, SOC teams will need to understand the weekly averages of traffic per URI.
For example, understanding how many times a forgot password is usually accessed per minute will make it easier to mitigate attacks on the forgot password page.
Traffic per IP
The next step is to understand the user-level information. Having an idea of “how many users(unique IPs) visit my website”, “how many users visit my site from a unique IP,” and “how many times they visit every day” will give insights on mitigating DDoS attacks.
Even within this, further segregation of IP data with cookies and without cookies is important as that gives an understanding of traffic by humans vs APIs.
Traffic per Country
Geopolitics necessitates understanding site traffic from a given country. As discussed previously, it is always better to understand that as weekly averages.
When sponsored by governments, these attacks can be very tough to mitigate as the attacks will be at a much larger scale. That said, a recommended best practice is to whitelist only specific geographies or countries for any given application, as most applications are local in nature.
Do keep in mind that attacks can be launched from outside the country’s borders, so this is not 100% foolproof, but it is valuable data for SOC teams, nevertheless.
Combinations of These Parameters
The real power of analysis lies in combining these parameters to get data such as:
- How many users access the forget password page each day?
- How many API requests come from <country X> each day?
- How many unique users access the forgot password page each day from <country X>?
Once the SOC team is empowered with this data, it is easy to employ mitigation policies such as tarpitting, CAPTCHA, or blocks by enforcing rate limits as per the standard user behaviour on any website or API.
That said, getting this data will require a lot of log analysis. Therefore, it is always better to use a WAAP like AppTrana, where this data is available in the dashboard, and mitigation is mostly automated. Learn more about DDoS mitigation on AppTrana WAAP on this link.
Stay tuned for more relevant and interesting security updates. Follow Indusface on Facebook, Twitter, and LinkedIn