Threat Hunting for DDoS Activity and Geographic Irregularities

July 21, 2018 by Greg Belding


So there you are, sitting at your desk at the organization where you work as an information security professional. You are performing your usual monitoring duties when you notice that you have a high volume of network traffic coming from a part of the world that your organization does not do business with. This activity has generated multiple failed login attempts. Additionally, you notice that this activity has been coming from Romania, and some DNS requests are coming from domains with a .ru suffix. What should you do?

This article will detail threat hunting for DDoS and geographic irregularities. By the end of this article, you will know what to do about the question above.

What is a DDoS?

DDoS stands for distributed denial of service, and the purpose of a DDoS attack is an attempt to make a network, machine or resource unavailable. Generally speaking, DDoS attacks are smokescreens that hide other, far more serious threats. DDoS attacks operate by disabling communication services or by flooding the target machine with excessive requests to overload the system. Either way, the goal is to take the machine out (at least for a period of time).

How Common are DDoS Attacks?

DDoS attacks are considered some of the biggest cybersecurity threats to organizations in the world today. Half of all organizations today have been victims to DDoS attacks. 42% of organizations hit by DDoS attacks report that they were hit multiple times. In 2014 alone, it was reported that an average of 28 DDoS attacks per hour were occurring. This number is likely to be far higher today. By taking these facts to mind, you can start to see how serious DDoS attacks can be.

Indicators of Compromise

Indicators of Compromise, or IoCs, are network diagnostics representing forensic evidence or attacker activity. IoCs indicate if a threat is imminent or has already proven successful, and they normally come by way of network diagnostics or attacker activity tracks (such as changing an administrator password). IoCs are the proverbial breadcrumbs that information security professionals can follow as early as possible into the breach/attack.

While IoCs are diverse and numerous, information security professionals generally focus on a list of 10 to 15 of them. With regard to this article, both DDoS attacks and geographic irregularities are considered to be IoCs and are taken seriously by information security professionals.

DDoS as an Indicator of Compromise

As mentioned earlier, DDoS activity is typically used as a cover for more serious threats. Signs of DDoS activity on your network include unavailability of websites, slow network performance, failover of your firewall, and back-end systems such as file servers inexplicably operating at maximum capacity. DDoS activity also normally overloads network security solutions, such as SIEM and IPS/IDS systems.

If DDoS activity is detected, follow the trail of IoCs left in your network’s logs and see where they take you. Usually, signs of DDoS activity will at the very least hint at the higher-level attack that the cybercriminals have possibly orchestrated against your network.

How To Threat-Hunt DDoS Attacks

DDoS attacks leave tracks that are easy to spot. One obvious thing that happens when DDoS attacks hit your environment is that one of your servers will go down. If you have a server that crashes when there are no pending Windows Updates or scheduled restarts, then you may be under attack.

Another clue is if a server’s services become too slow for production. Examples include taking 5-10 minutes to load a page or submit a form. When this happens, investigate by opening up a command prompt and typing “netstat -an.” If you are not under attack, you will see different IP addresses connected to different ports, which is completely normal. If you are under attack, you will probably see one IP address connected to multiple ports, possibly even all of them.

If you don’t want to comb through the netstat result, you can use the following to see what IPs are connecting to your server and how many connections each has:

netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Either way, if you encounter an IP address connected to multiple ports, then you know you have a DDoS attack on your hands.
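The netstat check above, as an added example that is not part of the original article: it parses a constructed `netstat -an` sample, groups connections by peer IP and reports any peer connected to several distinct local ports. The sample rows, the IP addresses and the threshold of three ports are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample of `netstat -an` output (not captured from a real host).
# Columns: Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:443            192.0.2.10:51235        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:25             192.0.2.10:51236        SYN_RECV
tcp        0      0 10.0.0.5:8080           192.0.2.10:51237        SYN_RECV
tcp        0      0 10.0.0.5:3306           192.0.2.10:51238        SYN_RECV
udp        0      0 10.0.0.5:53             203.0.113.9:5353
"""


def split_host_port(addr):
    """Split 'host:port' as netstat prints it; splitting on the last colon
    also works for IPv6 forms such as '::1:8080'."""
    host, _, port = addr.rpartition(":")
    return host, port


def connections_by_peer(netstat_text):
    """Return {peer_ip: set(local_ports)} for tcp/udp rows. This mirrors the
    article's awk '{print $5}' | cut -d: -f1 | sort | uniq -c pipeline, but
    keeps the set of distinct local ports each peer is connected to."""
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        _, local_port = split_host_port(fields[3])
        peer_ip, _ = split_host_port(fields[4])
        if peer_ip in ("*", "0.0.0.0", "::"):
            continue  # listening sockets have no real peer
        peers[peer_ip].add(local_port)
    return peers


def suspicious_peers(netstat_text, min_ports=3):
    """IPs connected to at least `min_ports` distinct local ports: the single
    source hammering many ports that the article describes."""
    peers = connections_by_peer(netstat_text)
    return sorted(ip for ip, ports in peers.items() if len(ports) >= min_ports)
```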

Geographic Irregularities as an Indicator of Compromise

Geographic irregularities are another form of IoC that information security professionals generally rely on when threat hunting. Regardless of the level of user account targeted, geographical irregularities in account logins and network/resource access patterns can provide evidence that the cybercriminals responsible for the attack are likely in another country (possibly one that has more-lenient hacking laws).

According to Dodi Glenn, director of security content management for ThreatTrack Security, “Connections to countries that a company would normally not be conducting business with [shows that] sensitive data could be siphoned to another country."

Aside from the obviousness of access patterns and login attempts from far-flung places on Earth, the frequency of these attempts needs to be taken into consideration during the investigation. If multiple different IP addresses target an account in a short period of time, then it is probable that a threat is attempting to take hold in your network. What is most likely going on when this happens is that the cybercriminals have a compromised set of credentials to your network and are trying to access data systems. By following the tracks of this geographically irregular activity, information security professionals can get a better idea of the machines being targeted.

Once this part of the investigation has been completed, the offending IPs should be added to your organization’s blacklist of offending IP addresses. If the attacks are severe enough, you could consider sending the offending IP addresses to black holes by using Nullroute IP route commands. Regardless of the method of eradicating these threats, they need to be investigated and taken care of as soon as possible to minimize harm to your data environment.

How to Threat Hunt Geographic Irregularities

The best way to threat hunt geographic irregularities is to use an IP lookup tool. There are many online you can use; some are free, and some are paid services that will tell you everything down to the street address of the IP. This level of detail is not always needed, as the free services will tell you at least the country that the IP address is from.

For example, Ultra Tools WHOIS lets you know the country that the IP address is from. Simply add the suspect IP address into the search bar and click Go. If the IP address is from a country that you do not do business with, then it should be investigated as a possible indicator of attack.
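The two checks described above (several IPs hitting one account in a short window, then looking up the country of each source), as an added example that is not part of the original article. The sshd-style log lines, the IP-to-country table standing in for the WHOIS lookup, the five-minute window and the list of countries the organization does business with are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log lines in an sshd-like format (not from a real host).
SAMPLE_AUTH_LOG = """\
2018-07-21T09:00:01 sshd[911]: Failed password for alice from 203.0.113.5 port 50001 ssh2
2018-07-21T09:00:09 sshd[912]: Failed password for alice from 203.0.113.77 port 50002 ssh2
2018-07-21T09:00:30 sshd[913]: Failed password for alice from 198.51.100.23 port 50003 ssh2
2018-07-21T09:01:10 sshd[914]: Accepted password for alice from 198.51.100.23 port 50003 ssh2
2018-07-21T09:40:00 sshd[915]: Failed password for bob from 192.0.2.44 port 50004 ssh2
2018-07-21T11:15:00 sshd[916]: Failed password for bob from 192.0.2.45 port 50005 ssh2
"""
# Stand-in for the WHOIS / IP lookup step the article describes. Constructed
# mapping; in practice each IP is looked up in a WHOIS or GeoIP service.
IP_COUNTRY = {"203.0.113.5": "RO", "203.0.113.77": "RO",
              "198.51.100.23": "RU", "192.0.2.44": "US", "192.0.2.45": "US"}
BUSINESS_COUNTRIES = {"US", "CA"}  # assumed: where the organization operates

LINE_RE = re.compile(r"^(\S+) \S+ (Failed|Accepted) password for (\S+) from (\S+)")


def parse_logins(text):
    """Yield (timestamp, outcome, user, ip) for each password login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def accounts_under_spray(text, window=timedelta(minutes=5), min_sources=3):
    """Accounts hit by >= min_sources distinct IPs inside `window`: the article's
    'multiple different IP addresses target an account in a short period'."""
    by_user = defaultdict(list)
    for ts, _outcome, user, ip in parse_logins(text):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide a window from each event
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(ips) >= min_sources:
                flagged[user] = sorted(ips)
                break
    return flagged


def foreign_sources(ips):
    """IPs whose country is outside the business allow-list, or is unknown."""
    return sorted(ip for ip in ips if IP_COUNTRY.get(ip) not in BUSINESS_COUNTRIES)
```

Run `foreign_sources(accounts_under_spray(SAMPLE_AUTH_LOG)["alice"])` to get the list of sources that would go to the IP lookup tool and, if confirmed, to the blacklist.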


Sources

Indicators of Compromise and Attack, Sage Advice

10 Things You May Not Know About DDoS Attacks, But Should, FlowTraq

Threat Hunting: Common Attack Vectors and Delivery Channels, Sage Advice

Top 15 Indicators of Compromise, Dark Reading

How to Detect and Analyze DDoS Attacks Using Log Analysis, Loggly

WHOIS IP Lookup Tool, neustar

Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.