Situation Two

DDoS Attack

This situation deals with a DDoS attack on a company. Your goal is to analyze the victim’s logs, find which IP addresses are bots, serve legal process, and identify the perpetrator(s). Once you do, establish a Pen Register Trap and Trace (PRTT) on a bot to identify the IRC port and C&C IP, serve legal process on the C&C IP, and identify the perpetrator.


01

Introduction

A company recently experienced a Distributed Denial of Service (DDoS) Attack on their servers. They are still trying to find out how to stop it. You are being sent out to help them with incident response. Look through their logs and try to find IP addresses that could be bots. Once you do, take steps to set up firewall rules to block them from accessing the company’s servers, and then go through the process of getting a Pen Register Trap and Trace warrant to find the C2 (Command and Control Server).

02

Glossary

When searching for the culprits of a DDoS attack, it is important to understand the infrastructure and systems behind it. Some of the key terms are highlighted below.

DDoS
  • This is an attack that generally uses a series of bots or hijacked computers to send high amounts of traffic to a site or company’s servers to shut down the ability to access it.
  • These attacks can shut down crucial sites like healthcare, banking, and more. Understanding who is attempting to DDoS servers is crucial to preventing future attacks.

Pen Register Trap and Trace (PRTT)
  • Pen Register Trap and Trace (PRTT) warrants allow law enforcement to follow internet traffic and sources upstream to find who is running them. This is crucial for finding culprits in DDoS attacks.
  • PRTT warrants often allow law enforcement to find C2 servers, which are explained below.

Command and Control Servers (C2 Servers)
  • Command and Control Servers (C2 Servers) are normally the brains of DDoS attacks, as well as other attacks. They are what malicious actors’ tools, like bots, report back to.
  • C2 servers are commonly used in DDoS attacks as an intermediary step to send commands to the bots, but they can also be used for data theft, network shutdowns, and more.

Firewalls
  • Firewalls are a crucial part of company and personal security. Firewalls generally work on the premise of firewall rules, which are rules and filters put in place to block certain people, IP addresses, countries, and more.
  • Once you find the bots, you can suggest firewall rules to prevent them from accessing the servers or performing further DDoS attacks.

IP Addresses
  • IP addresses are relatively unique identifiers for systems connected to the internet. They are important for attributing behavior within a certain time window to an actor online.
  • IP resolution is the process of taking an IP address and getting information back on who owns it, who it is assigned to, its location, and more.

IP Ports
  • IP ports are the different options available when connecting to an IP address. Generally, each port hosts a different service, and you can search to find which service is hosted on which port.
  • IP port 80 is normally used for HTTP servers or websites.

03

Company Security Logs

Src IP          Src Port  Dest IP         Dest Port  Date        Time (UTC)
104.238.58.51   58943     73.125.150.131  80         12/16/2021  14:01:36
5.53.0.150      58969     73.125.150.131  80         12/16/2021  14:01:36
165.78.85.61    59050     73.125.150.131  80         12/16/2021  14:01:37
159.128.86.24   59075     73.125.150.131  80         12/16/2021  14:01:38
98.2.211.94     59116     73.125.150.131  80         12/16/2021  14:01:39
5.53.0.150      59145     73.125.150.131  80         12/16/2021  14:01:40
185.212.168.167 59163     73.125.150.131  80         12/16/2021  14:01:40
159.128.86.24   59225     73.125.150.131  80         12/16/2021  14:01:41
165.78.85.61    59265     73.125.150.131  80         12/16/2021  14:01:41
185.212.168.167 59285     73.125.150.131  80         12/16/2021  14:01:41
5.53.0.150      59298     73.125.150.131  80         12/16/2021  14:01:42
98.2.211.94     59369     73.125.150.131  80         12/16/2021  14:01:43
104.238.58.51   59466     73.125.150.131  80         12/16/2021  14:01:44
165.78.85.61    59487     73.125.150.131  80         12/16/2021  14:01:45
159.128.86.24   59492     73.125.150.131  80         12/16/2021  14:01:45
5.53.0.150      59496     73.125.150.131  80         12/16/2021  14:01:46
217.145.48.203  59527     73.125.150.131  80         12/16/2021  14:01:47
159.128.86.24   59529     73.125.150.131  80         12/16/2021  14:01:48
98.2.211.94     59529     73.125.150.131  80         12/16/2021  14:01:49
185.212.168.167 59574     73.125.150.131  80         12/16/2021  14:01:50
165.78.85.61    59630     73.125.150.131  80         12/16/2021  14:01:50
159.128.86.24   59719     73.125.150.131  80         12/16/2021  14:01:51
5.53.0.150      59735     73.125.150.131  80         12/16/2021  14:01:52
185.212.168.167 59829     73.125.150.131  80         12/16/2021  14:01:54
104.238.58.51   59874     73.125.150.131  80         12/16/2021  14:01:54
98.2.211.94     59958     73.125.150.131  80         12/16/2021  14:01:55
159.128.86.24   60028     73.125.150.131  80         12/16/2021  14:01:56
185.212.168.167 60122     73.125.150.131  80         12/16/2021  14:01:57
159.128.86.24   60167     73.125.150.131  80         12/16/2021  14:01:57
5.53.0.150      60186     73.125.150.131  80         12/16/2021  14:01:58
98.2.211.94     60276     73.125.150.131  80         12/16/2021  14:01:59
165.78.85.61    60314     73.125.150.131  80         12/16/2021  14:02:00
5.53.0.150      60325     73.125.150.131  80         12/16/2021  14:02:01
159.128.86.24   60418     73.125.150.131  80         12/16/2021  14:02:03
185.212.168.167 60508     73.125.150.131  80         12/16/2021  14:02:03
5.53.0.150      60559     73.125.150.131  80         12/16/2021  14:02:03
104.238.58.51   60595     73.125.150.131  80         12/16/2021  14:02:04
217.145.48.203  60598     73.125.150.131  80         12/16/2021  14:02:05
165.78.85.61    60691     73.125.150.131  80         12/16/2021  14:02:06
159.128.86.24   60716     73.125.150.131  80         12/16/2021  14:02:07
185.212.168.167 60717     73.125.150.131  80         12/16/2021  14:02:08
104.238.58.51   60732     73.125.150.131  80         12/16/2021  14:02:09
5.53.0.150      60781     73.125.150.131  80         12/16/2021  14:02:10
217.145.48.203  60864     73.125.150.131  80         12/16/2021  14:02:11
165.78.85.61    60917     73.125.150.131  80         12/16/2021  14:02:12
185.212.168.167 61011     73.125.150.131  80         12/16/2021  14:02:13
98.2.211.94     61043     73.125.150.131  80         12/16/2021  14:02:14
104.238.58.51   61114     73.125.150.131  80         12/16/2021  14:02:16
217.145.48.203  61139     73.125.150.131  80         12/16/2021  14:02:16
98.2.211.94     61190     73.125.150.131  80         12/16/2021  14:02:16
5.53.0.150      61211     73.125.150.131  80         12/16/2021  14:02:17
165.78.85.61    61311     73.125.150.131  80         12/16/2021  14:02:18
104.238.58.51   61362     73.125.150.131  80         12/16/2021  14:02:20
185.212.168.167 61444     73.125.150.131  80         12/16/2021  14:02:20
98.2.211.94     61449     73.125.150.131  80         12/16/2021  14:02:20
165.78.85.61    61501     73.125.150.131  80         12/16/2021  14:02:20
5.53.0.150      61544     73.125.150.131  80         12/16/2021  14:02:20
217.145.48.203  61594     73.125.150.131  80         12/16/2021  14:02:21
159.128.86.24   61676     73.125.150.131  80         12/16/2021  14:02:22
185.212.168.167 59574     73.125.150.131  80         12/16/2021  14:02:23
165.78.85.61    59630     73.125.150.131  80         12/16/2021  14:02:24
159.128.86.24   59719     73.125.150.131  80         12/16/2021  14:02:24
5.53.0.150      59735     73.125.150.131  80         12/16/2021  14:02:24
185.212.168.167 59829     73.125.150.131  80         12/16/2021  14:02:24
104.238.58.51   59874     73.125.150.131  80         12/16/2021  14:02:25
98.2.211.94     59958     73.125.150.131  80         12/16/2021  14:02:25
159.128.86.24   60028     73.125.150.131  80         12/16/2021  14:02:26
185.212.168.167 60122     73.125.150.131  80         12/16/2021  14:02:26
159.128.86.24   60167     73.125.150.131  80         12/16/2021  14:02:26
5.53.0.150      60186     73.125.150.131  80         12/16/2021  14:02:27
98.2.211.94     60276     73.125.150.131  80         12/16/2021  14:02:28
165.78.85.61    60314     73.125.150.131  80         12/16/2021  14:02:28
5.53.0.150      60325     73.125.150.131  80         12/16/2021  14:02:28
159.128.86.24   60418     73.125.150.131  80         12/16/2021  14:02:28
185.212.168.167 60508     73.125.150.131  80         12/16/2021  14:02:28
5.53.0.150      60559     73.125.150.131  80         12/16/2021  14:02:29
104.238.58.51   60595     73.125.150.131  80         12/16/2021  14:02:29
217.145.48.203  60598     73.125.150.131  80         12/16/2021  14:02:29
165.78.85.61    60691     73.125.150.131  80         12/16/2021  14:02:30
159.128.86.24   60716     73.125.150.131  80         12/16/2021  14:02:31
185.212.168.167 60717     73.125.150.131  80         12/16/2021  14:02:32
104.238.58.51   60732     73.125.150.131  80         12/16/2021  14:02:32
5.53.0.150      60781     73.125.150.131  80         12/16/2021  14:02:33
217.145.48.203  60864     73.125.150.131  80         12/16/2021  14:02:33
165.78.85.61    60917     73.125.150.131  80         12/16/2021  14:02:33
185.212.168.167 61011     73.125.150.131  80         12/16/2021  14:02:34
98.2.211.94     61043     73.125.150.131  80         12/16/2021  14:02:34
104.238.58.51   61114     73.125.150.131  80         12/16/2021  14:02:34
217.145.48.203  61139     73.125.150.131  80         12/16/2021  14:02:34
98.2.211.94     61190     73.125.150.131  80         12/16/2021  14:02:34
5.53.0.150      61211     73.125.150.131  80         12/16/2021  14:02:34
165.78.85.61    61311     73.125.150.131  80         12/16/2021  14:02:35
104.238.58.51   61362     73.125.150.131  80         12/16/2021  14:02:35
185.212.168.167 61444     73.125.150.131  80         12/16/2021  14:02:35
98.2.211.94     61449     73.125.150.131  80         12/16/2021  14:02:36
165.78.85.61    61501     73.125.150.131  80         12/16/2021  14:02:36
5.53.0.150      61544     73.125.150.131  80         12/16/2021  14:02:37
217.145.48.203  61594     73.125.150.131  80         12/16/2021  14:02:37
159.128.86.24   61676     73.125.150.131  80         12/16/2021  14:02:37
159.128.86.24   61676     73.125.150.131  80         12/16/2021  14:02:38
 
04

Finding Unique Data

It is beneficial to reduce the data to the unique source IP addresses, since these are the ones of interest. Looking at the log, several source addresses are sending requests every few seconds, which could indicate bots that are part of the DDoS attack. The image gallery below shows an example of filtering the data down into more easily understandable and readable chunks.

Image gallery: Excel Sheet
05

Actions to be Taken

Now that you have an IP address within the US, you could get a warrant or a subpoena to get more information on the owner of that IP address and, therefore, who was attacking the company’s systems. In the meantime, you can create firewall rules to stop any more attacks from that IP address.
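The two steps above, reducing the log to its unique source addresses and then drafting block rules for the ones that look like bots, can be done in a few lines of code. The following is an added example written for this activity; it is not part of the original page. LOG_CSV is a constructed CSV copy of the first 20 rows of the company log above, and the thresholds in flag_bots() and the iptables rule format in draft_block_rules() are assumptions for illustration.

```python
"""Flag likely DDoS bots in a connection log and draft block-list rules.

Added example, not part of the original activity. LOG_CSV is a constructed
copy of the first 20 rows of the company log; thresholds and the rule
format are assumptions for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed input: the first 20 rows of the page's log, retyped as CSV.
LOG_CSV = """src_ip,src_port,dst_ip,dst_port,date,time
104.238.58.51,58943,73.125.150.131,80,12/16/2021,14:01:36
5.53.0.150,58969,73.125.150.131,80,12/16/2021,14:01:36
165.78.85.61,59050,73.125.150.131,80,12/16/2021,14:01:37
159.128.86.24,59075,73.125.150.131,80,12/16/2021,14:01:38
98.2.211.94,59116,73.125.150.131,80,12/16/2021,14:01:39
5.53.0.150,59145,73.125.150.131,80,12/16/2021,14:01:40
185.212.168.167,59163,73.125.150.131,80,12/16/2021,14:01:40
159.128.86.24,59225,73.125.150.131,80,12/16/2021,14:01:41
165.78.85.61,59265,73.125.150.131,80,12/16/2021,14:01:41
185.212.168.167,59285,73.125.150.131,80,12/16/2021,14:01:41
5.53.0.150,59298,73.125.150.131,80,12/16/2021,14:01:42
98.2.211.94,59369,73.125.150.131,80,12/16/2021,14:01:43
104.238.58.51,59466,73.125.150.131,80,12/16/2021,14:01:44
165.78.85.61,59487,73.125.150.131,80,12/16/2021,14:01:45
159.128.86.24,59492,73.125.150.131,80,12/16/2021,14:01:45
5.53.0.150,59496,73.125.150.131,80,12/16/2021,14:01:46
217.145.48.203,59527,73.125.150.131,80,12/16/2021,14:01:47
159.128.86.24,59529,73.125.150.131,80,12/16/2021,14:01:48
98.2.211.94,59529,73.125.150.131,80,12/16/2021,14:01:49
185.212.168.167,59574,73.125.150.131,80,12/16/2021,14:01:50
"""


def parse_log(text):
    """Parse the CSV into (src_ip, dst_ip, dst_port, timestamp) tuples."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%m/%d/%Y %H:%M:%S")
        rows.append((rec["src_ip"], rec["dst_ip"], int(rec["dst_port"]), ts))
    return rows


def per_source_stats(rows):
    """Per source IP: hit count, first/last seen, mean gap between hits (s)."""
    hits = defaultdict(list)
    for src, _dst, _port, ts in rows:
        hits[src].append(ts)
    stats = {}
    for src, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats[src] = {
            "count": len(times),
            "first": times[0],
            "last": times[-1],
            "mean_gap": sum(gaps) / len(gaps) if gaps else None,  # None: single hit
        }
    return stats


def flag_bots(stats, min_hits=3, max_mean_gap=6.0):
    """Sources seen at least min_hits times, on average every max_mean_gap
    seconds or less. Thresholds are assumptions: tune them against the
    site's normal traffic so a busy legitimate client is not swept up.
    Most active first, then by IP string, for a stable order."""
    flagged = [
        src for src, s in stats.items()
        if s["count"] >= min_hits
        and s["mean_gap"] is not None
        and s["mean_gap"] <= max_mean_gap
    ]
    return sorted(flagged, key=lambda ip: (-stats[ip]["count"], ip))


def draft_block_rules(ips, dst_port=80):
    """Draft iptables DROP rules for review (assumed format; check against
    the real firewall before applying)."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport {dst_port} -j DROP" for ip in ips]


if __name__ == "__main__":
    stats = per_source_stats(parse_log(LOG_CSV))
    suspects = flag_bots(stats)
    for ip in suspects:
        s = stats[ip]
        print(f"{ip:<16} hits={s['count']} mean_gap={s['mean_gap']:.1f}s "
              f"seen={s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}")
    print("\n".join(draft_block_rules(suspects)))
```

On these 20 rows, five of the seven source addresses are flagged; 104.238.58.51 and 217.145.48.203 fall under the three-hit threshold only because the sample window is short, which is the usual reason to run this over the full log rather than a slice. The drafted rules are a starting point for the firewall change, not a substitute for the legal process the activity describes.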

06

Firewall Rules

The following is a non-exhaustive list of possible firewall rules to block VPN traffic and limit potential attacks. It is worth noting that, while specific ports are given below, in most cases it is a good idea to block access to any ports that are not in regular use, or to any port above 1000.

OpenVPN
  • You can block OpenVPN’s common port to ensure that one of the most common VPN foundations is disrupted. This is on port 1194 TCP/UDP.
  • Blocking Point to Point Tunneling Protocol (PPTP) also cuts down on the possible attack methods. This is on port 1723 TCP/UDP.
  • Layer 2 Tunneling Protocol (L2TP) is another possible form of entry for attackers that we can block. This is normally on port 1701 UDP.
  • Secure Socket Tunneling Protocol (SSTP) is another attack surface. This is normally on port 443 TCP.
  • Another possible method for the attacker. This is normally on ports 1293 TCP/UDP or 500 TCP/UDP.
  • This is normally on port 500 TCP/UDP.
  • This is normally on port 4500 UDP.
  • SOCKS is commonly used by the Onion Protocol on the Darknet and for other means of obscuring. This is normally on port 1080 TCP.
