Page 16 - Cyber Warnings
We can see that the UDP traffic is being sent to multiple ports, and it’s obvious that we’re
experiencing a DNS redirection/amplification attack occurring on port 53, with a lot of port 0
UDP packet fragments being generated as collateral traffic.


Is There Something Underneath This Volumetric Attack?


So far we’ve gotten a lot of insight into the details of the DDoS attack from full NetFlow details.
But is this volumetric DDoS the main event, or are we being distracted from looking for other,
less obvious threats? We can see a lot of packets being sent to port 4444 (green line in graph).


Port 4444 is the UDP port for the Kerberos service, and is — at least for Windows machines —
a well-known target for buffer overflow attacks, often used to insert trojans such as Hlinic and
Crackdown.


So, there are potentially two types of attacks going on in parallel: a DDoS attack and a buffer
overflow trojan insertion. Many security blogs and publications note that DDoS attacks are often
used to obfuscate other exploits. This may very well be an example of that technique.


Getting a Handle on Attack Mitigation



Characterizing the attacks leads us to mitigation. One way is to take the attack traffic and group
it by /24 source network addresses:
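As an added illustration of the two steps discussed on this page (sorting the UDP flows into the amplification stream, its port 0 fragment collateral and the separate port 4444 stream, then rolling the attack traffic up by /24 source prefix), the following Python is not the magazine's or any vendor's code: it runs over a handful of constructed NetFlow-style records using RFC 5737 test addresses, with 192.0.2.5 standing in for the victim. The field names, thresholds and the "dns_amplification"/"fragment"/"port_4444" labels are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (not real data): one dict per flow, carrying the
# fields a NetFlow export would give us. 192.0.2.5 plays the victim; 203.0.113.0/24
# and 198.51.100.0/24 are the (constructed) source networks.
SAMPLE_FLOWS = [
    {"src": "203.0.113.10",   "dst": "192.0.2.5", "proto": 17, "sport": 53,    "dport": 40011, "packets": 900, "bytes": 1_200_000},
    {"src": "203.0.113.77",   "dst": "192.0.2.5", "proto": 17, "sport": 53,    "dport": 40012, "packets": 850, "bytes": 1_100_000},
    {"src": "203.0.113.77",   "dst": "192.0.2.5", "proto": 17, "sport": 0,     "dport": 0,     "packets": 400, "bytes": 580_000},
    {"src": "198.51.100.9",   "dst": "192.0.2.5", "proto": 17, "sport": 53,    "dport": 40013, "packets": 700, "bytes": 960_000},
    {"src": "198.51.100.200", "dst": "192.0.2.5", "proto": 17, "sport": 0,     "dport": 0,     "packets": 300, "bytes": 430_000},
    {"src": "198.51.100.9",   "dst": "192.0.2.5", "proto": 17, "sport": 41222, "dport": 4444,  "packets": 40,  "bytes": 12_000},
    {"src": "203.0.113.10",   "dst": "192.0.2.5", "proto": 6,  "sport": 50001, "dport": 443,   "packets": 20,  "bytes": 4_000},
    {"src": "198.51.100.50",  "dst": "192.0.2.5", "proto": 17, "sport": 123,   "dport": 123,   "packets": 2,   "bytes": 180},
]

UDP = 17


def classify_flow(flow):
    """Label a flow with the attack component it belongs to, or None if it looks benign."""
    if flow["proto"] != UDP:
        return None
    if 53 in (flow["sport"], flow["dport"]):
        return "dns_amplification"      # reflected DNS answers arriving at the victim
    if flow["sport"] == 0 and flow["dport"] == 0:
        # Non-first IP fragments carry no UDP header, so the exporter reports
        # port 0/0: these are the "port 0 fragments" generated as collateral.
        return "fragment"
    if flow["dport"] == 4444:
        return "port_4444"              # the second, low-volume stream worth a closer look
    return None


def summarize(flows):
    """Packets and bytes per attack component, e.g. {'dns_amplification': (2450, 3260000)}."""
    packets, octets = Counter(), Counter()
    for f in flows:
        label = classify_flow(f)
        if label:
            packets[label] += f["packets"]
            octets[label] += f["bytes"]
    return {label: (packets[label], octets[label]) for label in packets}


def group_by_slash24(flows, components=("dns_amplification", "fragment")):
    """Aggregate packet counts of the volumetric components by /24 source prefix,
    busiest prefix first: the grouping the text proposes as a basis for mitigation."""
    totals = Counter()
    for f in flows:
        if classify_flow(f) in components:
            prefix = ipaddress.ip_network(f"{f['src']}/24", strict=False)
            totals[str(prefix)] += f["packets"]
    return totals.most_common()


def mitigation_candidates(flows, min_packets):
    """Prefixes whose attack traffic meets a packet threshold: the list to review
    against your own and your partners' address space before handing it to an
    upstream rate limiter or filter."""
    return [prefix for prefix, n in group_by_slash24(flows) if n >= min_packets]


if __name__ == "__main__":
    for label, (pkts, octs) in summarize(SAMPLE_FLOWS).items():
        print(f"{label:18s} packets={pkts:6d} bytes={octs}")
    for prefix, pkts in group_by_slash24(SAMPLE_FLOWS):
        print(f"{prefix:18s} packets={pkts}")
    print("mitigation candidates:", mitigation_candidates(SAMPLE_FLOWS, 1500))
```

The threshold passed to `mitigation_candidates` is deliberately left to the operator: reflected DNS traffic arrives from open resolvers, so a /24 that dominates the packet counts may also carry legitimate traffic, and the grouped list is a starting point for rate limiting rather than an automatic blocklist.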





16 Cyber Warnings E-Magazine – August 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide