What is a DDoS attack?
DDoS (Distributed Denial of Service) attacks are now among the easiest and most popular attacks used by cybercriminals. Their aim is to paralyse the network infrastructure or applications by sending a huge number of data packets to the victim's network. Distributed Denial of Service attacks require the use of thousands of devices arranged in groups known as botnets. Quite often, DDoS attacks result not only in financial losses related to the interruption of certain services or the cost of paying a ransom to stop the attack, but also in damage to the organisation's image.
DDoS and MITRE ATT&CK
In one of the most popular security frameworks, MITRE ATT&CK (described in our article "ATT&CK MITRE as an effective method of defence against cyber threats"), DoS threats are included in the Impact tactic category. This tactic covers techniques used by cybercriminals to interrupt availability or compromise integrity by manipulating business and operational processes. Figure 1 shows part of the MITRE threat matrix with DoS attack techniques marked in red.

Netflow is one of the sources of data that enable detection of DoS threats, as shown in the brief description of threats in Figure 2.

Conclusion
The monitoring of individual network attributes is very important not only for detecting but also for analysing the network traffic pattern during attacks. Each Incident Handler should have a Network Visibility system in their arsenal to be able to analyse the network characteristics as well as the anomalies and security threats from the perspective of the organisation as a whole. DoS attacks are among the security threats that can lead to very serious consequences for the organisation. Network flow monitoring is an excellent method of detecting these attacks, as it is particularly effective for volumetric and protocol attacks. Volumetric attacks that saturate the victim's bandwidth are mainly characterised by the bps (bytes per second) parameter. The pps (packets per second) attribute is the key indicator used for detecting protocol attacks, which saturate the capacity of communication interface devices. Therefore, network parameters transmitted over Netflow are an important source of data used to detect not only network anomalies but also security threats, such as DoS or DDoS.
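To make the bps/pps distinction concrete, here is an added example (not code from the original article or from any NetFlow product) that aggregates constructed NetFlow-style records per destination and time window and labels each bucket as volumetric (high bps), protocol (high pps with small packets) or normal. The flow records, thresholds and IP addresses are all constructed for illustration; in practice the thresholds would be derived from a baseline of the organisation's own traffic.

```python
# Added example: classify DoS traffic from NetFlow-style records using the
# bps (bytes per second, as the article defines it) and pps (packets per second)
# attributes. All records and thresholds below are constructed/hypothetical.
from collections import defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, packets, bytes)
FLOWS = [
    # 192.0.2.5: large payloads from several sources -> bandwidth saturation
    (0, "198.51.100.10", "192.0.2.5", 40, 60_000),
    (0, "198.51.100.11", "192.0.2.5", 50, 75_000),
    # 192.0.2.6: thousands of tiny packets (e.g. a SYN-style flood) -> pps spike
    (0, "198.51.100.20", "192.0.2.6", 1_200, 48_000),
    (0, "198.51.100.21", "192.0.2.6", 900, 36_000),
    # 192.0.2.7: ordinary traffic
    (0, "198.51.100.30", "192.0.2.7", 10, 5_000),
    # next one-second window, 192.0.2.5 back to normal
    (1, "198.51.100.10", "192.0.2.5", 20, 9_000),
]

BPS_THRESHOLD = 100_000  # bytes/s per destination (assumed baseline multiple)
PPS_THRESHOLD = 1_000    # packets/s per destination (assumed baseline multiple)


def aggregate(flows, window=1):
    """Sum packets and bytes per (window_index, dst) and return (bps, pps)."""
    buckets = defaultdict(lambda: [0, 0])
    for ts, _src, dst, pkts, byts in flows:
        key = (ts // window, dst)
        buckets[key][0] += pkts
        buckets[key][1] += byts
    return {k: (v[1] / window, v[0] / window) for k, v in buckets.items()}


def classify(bps, pps, bps_thr=BPS_THRESHOLD, pps_thr=PPS_THRESHOLD):
    """Volumetric wins when bandwidth is saturated; otherwise a pps spike
    (many small packets) points at a protocol attack on device capacity."""
    if bps >= bps_thr:
        return "volumetric"
    if pps >= pps_thr:
        return "protocol"
    return "normal"


def detect(flows, window=1):
    """Map each (window_index, dst) bucket to its attack class."""
    return {k: classify(b, p) for k, (b, p) in aggregate(flows, window).items()}


if __name__ == "__main__":
    for (win, dst), label in sorted(detect(FLOWS).items()):
        print(f"window={win} dst={dst} -> {label}")
```

Feeding real exported flows into `detect()` requires only mapping the exporter's fields (bytes, packets, timestamps) onto the tuple layout above.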
FAQ
DDoS (Distributed Denial of Service) attacks are popular methods used by cybercriminals to paralyze network infrastructure or applications by sending a huge number of data packets to the victim's network. They often result in financial losses and damage to the organization's image.
NetFlow provides data that is crucial for detecting DoS threats. It is particularly effective for identifying volumetric and protocol attacks.
In the MITRE ATT&CK framework, DoS threats are included in the Impact tactic category, which covers techniques used to interrupt availability or compromise integrity.
Volumetric attacks saturate bandwidth and are characterized by the bps (bytes per second) parameter, while protocol attacks affect communication interfaces and are indicated by the pps (packets per second) attribute.
Network visibility is crucial for analyzing network characteristics, anomalies, and security threats during DDoS attacks, helping in both detection and analysis.