How to Trace a DDoS Attack?



A DDoS (Distributed Denial-of-Service) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. This is commonly done as an act of protest (such as in response to a country’s law or policy), although it can be done for other purposes. 

Mapping Out The Possibilities

The first thing we want to do is map out the range of possibilities. There are several ways our attack could occur:

1. The traffic could be all legitimate visits from our classmates to the website we are testing. In this case, no mitigation techniques will be necessary and we can simply monitor this traffic.

2. The traffic could be a DDoS attack by someone else targeting us, such as another university or group of people who dislike us for some reason.

3. The traffic could be a DDoS attack made by us against ourselves, to simulate an attacker who accidentally attacks themselves and is trying to cover it up.

4. Finally, the traffic could be a combination of (2) and (3). In this case we will use both mitigation techniques as if we were under attack from someone else, plus the additional technique of blocking our own traffic.

The Process

To track down whether or not we are under attack, we will use several techniques that should help us determine what is going on. These techniques include Netflow logs, web server logs, packet capture with tcpdump, and lastly routing tables.

Tools Used To Trace DDoS Attacks

Netflow Logs

The first thing we want to look at is the netflow logs. Netflow is a feature of routers which tracks where packets go in and out of the network, what protocols they use and how much traffic they have generated. The netflow logs for our router will tell us whether one system or multiple systems are generating all the traffic.

TCPDUMP

TCPDUMP is a common Linux command-line tool for monitoring network traffic. It can be used to capture packets, filter them and print out important information about their content.

Routing Tables

Our routing table will tell us the path of each packet as it moves through our system. We can use this log to determine if all our traffic is coming from one particular system or many different systems.

Web Server Logs

At the very least we should be able to see who visits our website, although this log alone may not tell us much about the attack since it could just be all legitimate requests for our webpage by people in class or other interested parties. However,

Trace Route

Typing traceroute at the command line gives us a list of all the routers between our machine and the destination. This tells us how many hops it takes for traffic to reach its destination. For example, if there are 5 hops between you and your router at home but only 3 hops between you and your router at school, you know there is a difference somewhere and that the problem lies with your router at home.

Refer to each of the following for more information:

Netflow logs are used to find the source/destination IP addresses of packets flowing through a router. These can be used to find out which hosts have been communicating with us, both inside and outside our network. 

Web server logs show which sites have been accessed by our web servers, when they were last modified and so on. tcpdump is a network packet capture program, which will allow us to see the TCP headers of packets being sent by our servers. 

Routing tables show all of the hosts that are currently accessible via each router, as well as how they are accessed (i.e., whether it was simply an Internet connection or whether there were other routers in between).

  1. We need to see what devices are currently in our network. This can be done by calculating the subnet masks for each router and seeing how many hosts each one supports.
  2. We should capture packets with tcpdump to see if there is anything suspicious going on. If this turns up nothing then perhaps one of the routers is blocking it. To check this, we can use traceroute to determine if any packets are being lost in transit. If they are being blocked then that means there must be a firewall in place somewhere.
  3. To map out what devices are currently accessible on our network, look at the routing table information for each router. If hosts are inaccessible via one router but accessible via another, then this means that the first router is probably dropping packets.
  4. The final part is to track down which network devices are responsible for blocking our traffic. This can be done by putting a sniffer on each router and finding out which ones block our packets. You may need to find out how to do this in your course notes.

How To Stop DDoS Attacks?

Once we have determined whether or not we are under attack, we want to stop the attack if it is coming from our own network.

Inspect The Packets

First of all, let’s look at what constitutes an attack on your own machine. When you send out a packet over the Internet it goes through many different routers until it eventually gets to its destination or reaches your firewall. 

If your router happens to drop that packet then it will simply be resent by your computer. This is not a form of DDoS attack, just a plain old dropped packet.

If however you send too many packets and cause either your bandwidth or CPU usage to skyrocket, this can be considered an attack on yourself.

To find out what exactly is happening we need to capture packets with tcpdump and see how many different source IP addresses we have. If the number is over a certain threshold then it could be that you are under attack from your own machine!

Filter The Outgoing Packets

To stop this problem, all that is required is to block or filter your outgoing packet stream. This can be done by using a firewall running on your machine, by putting a packet filter on the router, or by using a network appliance such as a broadband modem with an integrated firewall.

Stopping DDoS Attacks Using TCPDUMP

Using Netflow Logs To Check IP Addresses

We can determine if we are under attack by looking at our netflow logs and seeing how many different IP addresses we have going out. If it is over a certain threshold then we know that we are most likely being attacked from our own machine.

Capturing Packets Using Tcpdump

Next, capture packets with tcpdump and determine how many unique IP addresses there are in the packets you have captured. It may be useful to analyze these using Ethereal/Wireshark as well to help determine if any machines other than your own are attacking you.
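The source-counting step described under "Inspect The Packets" and in this section can be run on tcpdump's text output. The following is an added example, not part of the original article: it parses constructed `tcpdump -nn` lines, splits packets into inbound and outbound relative to a local network, and counts unique sources. The sample addresses, the `192.0.2.0/24` local network, the function names and the threshold of 4 are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -nn` text output (documentation address ranges).
SAMPLE = """\
12:00:00.000101 IP 198.51.100.7.40112 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000102 IP 198.51.100.8.40113 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000103 IP 203.0.113.21.51000 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000104 IP 198.51.100.7.40114 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000105 IP 203.0.113.40 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
12:00:00.000106 IP 192.0.2.10.80 > 198.51.100.7.40112: Flags [S.], seq 1, ack 2, win 65160, length 0
12:00:00.000107 IP 192.0.2.55.33000 > 203.0.113.99.53: 1234+ A? example.com. (29)
12:00:00.000108 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
""".splitlines()

# Endpoints of an IPv4/IPv6 packet line; ARP and other lines do not match.
LINE_RE = re.compile(r"\bIP6?\s+(\S+)\s+>\s+(\S+):(?:\s|$)")

def endpoint_ip(token):
    """Parse 'addr' or 'addr.port' as printed by tcpdump -nn; None if neither parses."""
    for candidate in (token, token.rpartition(".")[0]):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            pass
    return None

def summarize(lines, local_net, source_threshold=4):  # threshold value is an assumption
    """Count packets per source address, split by direction relative to local_net."""
    net = ipaddress.ip_network(local_net)
    inbound, outbound = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        src, dst = (endpoint_ip(t) for t in m.groups()) if m else (None, None)
        if src is None or dst is None:
            continue
        if src not in net and dst in net:
            inbound[str(src)] += 1      # external host sending to us
        elif src in net and dst not in net:
            outbound[str(src)] += 1     # one of our own hosts sending out
    top = inbound.most_common(1)
    return {
        "inbound_sources": len(inbound),
        "top_inbound": top[0][0] if top else None,
        "top_share": round(top[0][1] / sum(inbound.values()), 2) if top else 0.0,
        "many_sources": len(inbound) >= source_threshold,
        "outbound_by_host": dict(outbound),
    }
```

In practice, feed it the output of `tcpdump -nn -r capture.pcap` and set the threshold from a baseline of normal traffic.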

Finally, we need to determine what device is responsible for blocking our packets and stopping the DDoS attack from getting through. To do this we will need to capture packets at each router using tcpdump and then use Ethereal/Wireshark to determine what packets are being dropped by each one.

Block Outgoing Packets

Now that we have determined whether or not we are under attack and what the source of the attack is, we need to stop it from happening. Since this is a self-inflicted attack, the simplest solution is to block or filter your outgoing packets. 

On a router you can do this by putting in a packet filter that blocks all unsolicited incoming and outgoing traffic. Blocking IP addresses is a great way to stop the bad packets and keep them away from your router. 

For computers, you can put in a software firewall that filters certain ports and protocols. Finally there are network appliances such as broadband routers with integrated firewalls which are also useful in blocking outgoing attacks.

If you are still unsure, use tcpdump to capture packets at each router and Ethereal/Wireshark to determine if any routers are dropping packets that should be reaching your machine.

Conclusion

Blocking or filtering your outgoing packets is one of the easiest solutions for limiting a DDoS attack that has originated from your own machine. You can use software firewalls to prevent attacks, routers with packet filters, network appliances with integrated firewalls, or if you are unsure then tcpdump can be used to determine whether or not there is an attack and whether or not routers are dropping packets.

This way we can trace and prevent a DDoS attack and secure our network environment from malicious attacks.
