September 5, 2023

Can network flow monitoring be important source of data for detecting DoS attacks?

Each Incident handler should have a Network Visibility system in their arsenal to be able to analyse the network characteristics.

The monitoring of individual network attributes is very important not only for detecting but also for analysing the network traffic pattern during attacks. Each Incident handler should have a network visibility system in their arsenal to be able to analyse the network characteristics as well as the anomalies and security threats from the perspective of the organisation as a whole. DoS attacks are among the security threats that can lead to very serious consequences for the organisation. Network flow monitoring is an excellent method of detecting these attacks as it is particularity effective for volumetric and protocol attacks.

What is a DDoS attack?

DDoS (or Distributed Denial of Service) attacks are now among the easiest and the most popular attacks used by cybercriminals. Their aim is to paralyse the network infrastructure or applications by sending a huge number of data packets to the victim’s network.Distributed Denial of Service attacks require the use of thousands of devices arranged in groups known as botnets. Quite often, DDoS attacks result not only in financial losses

related to the interruption of certain services or the cost of paying a ransom for stopping the attack, but also in damages to the organisation’image. These risks apply to all sectors of the economy

DDoS and MITRE ATT&CK

In one of the most popular security frameworks,MITRE ATT&CK, described in our article:"ATT&CKMITRE as an effective method of defence against cyber threats" DoS threats are included in the Impact tactic category. This tactic covers techniques used by cybercriminals to interrupt availability or compromise integrity by manipulating business and operational processes. Figure 1 shows part of the MITRE threat matrix with DoS attack techniques marked in red.

Figure 1: Categories od DoS threats in MITRE ATT&CK (Source: https://attack.mitre.org)

Netflow is one of the sources of data that enable detection of DoS threats, as shown in the brief description of threats in Figure 2.

Figure 2: NetFlow as a source of data used to detect Endpoint DoS and Network DoS tactics

Conclusion

The monitoring of individual network attributes is very important not only for detecting but also for analysing the network traffic pattern during attacks. Each Incident Handler should have a Network Visibility system in their arsenal to be able to analyse the network characteristics as well as the anomalies and security threats from the perspective of the organisation as a whole. DoS attacks are among the security threats that can lead to very serious consequences for the organisation. Network flow monitoring is an excellent method of detecting these attacks as it is particularity effective for volumetric and protocol attacks. Volumetricattacks that saturate the victim’s bandwidth are mainly characterised by the bps (bytes per second) parameter. The pps (packets per second) attribute is the key indicator used for detecting protocol attacks that result in the saturation of the capacity of communication interface devices. Therefore, network parameters transmitted over Netflow are an important source of data used to detect not only network anomalies but also security threats, such as DoS or DDoS.

Get a monthly dose of blog posts, tips and tricks

Sign-up for the newsletter and be updated about Sycope.

Sign-up for the newsletter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.