Imperva Cyber Community

  • 1.  characteristic and pattern from dns flood and http flood

    Posted 12-09-2019 07:51
    What is characteristic and pattern from dns flood and http flood if I analyze with WireShark?
    #AttackAnalytics

    ------------------------------
    Alief BS
    ------------------------------


  • 2.  RE: characteristic and pattern from dns flood and http flood

    Posted 12-09-2019 08:14
    Hi Alief,
    DNS floods are done by either sending a lot of DNS requests, generally using bogus, randomly generated subdomains, e.g. axktntw.domain.com, xmgds.domain.com, etc., or by using the more efficient "reflection" method, which will overwhelm your server with responses to requests that weren't made by you at all. This method is also used with the NTP protocol.


    Reflection attacks

    The attacks abuse a feature of a UDP based protocol where a small request triggers a large response. DNS and NTP have certain features that allow this type of abuse.

    Spotting reflection attacks

    • Locate DNS/NTP responses for which your system never sent a request. udp.srcport == 53 or udp.srcport == 123 would be the proper display filters.
    • The response can easily exceed the maximum size of an Ethernet frame. Look out for IP fragmentation. A number of display filters will help. ip.frag_offset > 0 is one of them.
    • Please note that the IP continuation packets will not hold the UDP port numbers. Wireshark supports IP fragment reassembly, so that the total message will be dissected.


    HTTP floods are made at the application layer

    Most web servers have a search function, user registration dialog or similar function that triggers a lengthy response in the backend. An attacker can identify suitable targets by examining the HTTP response time. Some websites can be brought down by a surprisingly small number of parallel HTTP requests that trigger searches, process log-on data, or the check-out process in a web store.

    Spotting layer 7 attacks

    • Your best bet is the web server's log file, especially if you are using HTTPS. (You hopefully use SSL, don't you?) Try to spot frequently called URIs in the log file.
    • Look out for user agents that indicate automated access. Among the candidates are wget or curl.
    • If you have access to unencrypted traffic, try to create a separate profile and add columns for the user agent http.user_agent and for the URI http.request.uri.
    • Check if HTTP requests come with a referrer, where it is reasonable to expect them. Access to the check-out function in a web store without a referrer would be odd. Add http.referer as another column.


    Source: Wireshark Questions page

    I hope you find this information useful.



    ------------------------------
    Ziv Leyes
    Senior Technical Account Manager
    Imperva


    "Thou shalt not covet
    thy neighbor's WiFi"
    ------------------------------
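The two sets of checks in the reply above (unsolicited DNS/NTP responses plus IP fragments for reflection, and frequently hit URIs, automation user agents and missing referers for layer 7 floods) can be scripted once the relevant fields have been exported from Wireshark/tshark or pulled from the web server log. The block below is an added example written for this page, not code from the original thread or from Imperva. The packet summaries and access-log lines are constructed sample data; the host addresses, the "automated" user-agent list and the paths that require a referer are assumptions you would replace with your own.

```python
import re
from collections import Counter

# ---- Reflection check: DNS/NTP responses we never asked for ----
# Constructed packet summaries shaped like a tshark field export:
# (ip.src, udp.srcport, ip.dst, udp.dstport, ip.frag_offset)
# Continuation fragments carry no UDP header, so their ports are None.
PACKETS = [
    ("192.0.2.10", 40001, "198.51.100.53", 53, 0),   # our own resolver query
    ("198.51.100.53", 53, "192.0.2.10", 40001, 0),   # legitimate answer to it
    ("203.0.113.7", 53, "192.0.2.10", 4444, 0),      # DNS response we never requested
    ("203.0.113.7", None, "192.0.2.10", None, 1480), # continuation fragment of that response
    ("203.0.113.9", 123, "192.0.2.10", 4444, 0),     # NTP response we never requested
]
OUR_HOSTS = {"192.0.2.10"}        # assumption: addresses we defend
REFLECTABLE_PORTS = {53, 123}     # DNS and NTP, as in the reply above


def find_unsolicited(packets, our_hosts=OUR_HOSTS):
    """Return (unsolicited_responses, fragment_count).

    A response is unsolicited when it comes from port 53/123 to one of our
    hosts and no earlier packet from that host went to the same server/port
    pair from the destination port of the response (udp.srcport == 53 or
    udp.srcport == 123 without a matching request)."""
    requests_sent = set()
    for src, sport, dst, dport, frag in packets:
        if frag == 0 and src in our_hosts and dport in REFLECTABLE_PORTS:
            requests_sent.add((dst, dport, src, sport))   # expected reply 4-tuple
    unsolicited, fragments = [], 0
    for src, sport, dst, dport, frag in packets:
        if frag > 0:                        # ip.frag_offset > 0: oversized reply
            fragments += 1
            continue
        if dst in our_hosts and sport in REFLECTABLE_PORTS \
                and (src, sport, dst, dport) not in requests_sent:
            unsolicited.append((src, sport, dst, dport))
    return unsolicited, fragments


# ---- Layer 7 check over the web server log (combined log format) ----
# Constructed access-log lines; the IPs and paths are sample values.
ACCESS_LOG = """\
203.0.113.50 - - [09/Dec/2019:07:51:01 +0000] "GET /search?q=a HTTP/1.1" 200 5120 "-" "curl/7.64.0"
203.0.113.50 - - [09/Dec/2019:07:51:01 +0000] "GET /search?q=b HTTP/1.1" 200 5120 "-" "curl/7.64.0"
203.0.113.50 - - [09/Dec/2019:07:51:02 +0000] "GET /search?q=c HTTP/1.1" 200 5120 "-" "curl/7.64.0"
198.51.100.20 - - [09/Dec/2019:07:51:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.20 - - [09/Dec/2019:07:51:05 +0000] "POST /checkout HTTP/1.1" 200 800 "https://shop.example/cart" "Mozilla/5.0"
203.0.113.51 - - [09/Dec/2019:07:51:05 +0000] "POST /checkout HTTP/1.1" 200 800 "-" "Wget/1.20"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
AUTOMATED_UA = ("wget", "curl")             # candidates named in the reply
REFERER_EXPECTED = ("/checkout",)           # assumption: paths a browser reaches via a link


def analyze_access_log(text):
    """Summarise the three layer-7 indicators from the reply above."""
    top_paths, per_source = Counter(), Counter()
    automated, missing_referer = [], []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                         # skip lines in another format
        path = m["uri"].split("?", 1)[0]     # collapse query strings per URI
        top_paths[path] += 1
        per_source[m["ip"]] += 1
        if any(tag in m["ua"].lower() for tag in AUTOMATED_UA):
            automated.append((m["ip"], m["ua"]))
        if path in REFERER_EXPECTED and m["referer"] in ("", "-"):
            missing_referer.append((m["ip"], path))
    return {"top_paths": top_paths, "per_source": per_source,
            "automated": automated, "missing_referer": missing_referer}


if __name__ == "__main__":
    print(find_unsolicited(PACKETS))
    print(analyze_access_log(ACCESS_LOG))
```

In practice you would feed `find_unsolicited` the output of something like `tshark -T fields -e ip.src -e udp.srcport -e ip.dst -e udp.dstport -e ip.frag_offset`, and `analyze_access_log` the raw access log; the regex only understands the Apache/nginx combined format, so adjust it if your server logs differently.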