Blog :: Security Operations

Detecting DDoS Booters with NetFlow

DDoS (Distributed Denial of Service) attacks are becoming more and more common as more bad actors roam the internet. Recently, a major DDoS attack approached a crippling 1Gb/s. Almost immediately, another DDoS attack took down many tier 1 providers and services. This made large numbers of websites, even major ones like Twitter, inaccessible. Furthermore, the attack made a major impact on many people who rely on their websites for income. The goal of this blog is to empower you to mitigate these attacks by detecting DDoS booters on your network.

DDoS Booters:

DDoS as a service: most think this is a joke, but try Googling for booter websites or “network stress testing.” You will find a plethora of different tools that DDoS a victim of your choice in exchange for money. Recently, I worked with a school district that was suffering frequent DDoS attacks. Using NetFlow and IPFIX, however, we were able to track down the exact target of the DDoS and find the exact user of the bad actor who was buying/renting the DDoS Service.Detecting DDoS booters

As you have no doubt read in previous blogs, NetFlow and IPFIX are invaluable resources when it comes to tracking down a malicious attack or suspicious behavior. This is why it is important to make sure you have accurate visibility points so that you can see the traffic pass through multiple devices and scrutinize it even further. Detecting DDoS booters becomes a much simpler task.

Booter Malware Detection:

Recently, it was uncovered that many major DDoS attacks originate from hacked home routers or IoT devices. The image below demonstrates the breadth of a recent attack against a major DNS provider. Besides making sure no publicly accessible endpoint uses default login credentials, it’s wise to monitor these end points for suspicious requests and communications. Using NetFlow, we can easily set up alarms and triggers for these events to mitigate attacks and minimize data loss.IPFIX DDoS Detection

Detecting DDoS Booters with NetFlow:

Now that we have covered how “booters” contribute to DDoS attacks, you can lower your MTTK with NetFlow. First, we have security algorithms running constantly against flow data to look for these types of attack vectors. We also have a NetFlow Security Probe that is inspecting DNS requests from all endpoints on your network. These probes watch for someone reaching out to these booter domains or making odd DNS requests (indicative of malware).

DDoS attacks can be a nightmare to troubleshoot, especially if you’re the one getting hit. Using NetFlow/IPFIX will speed up investigation, so you have time for the other tasks that you are responsible for. If you have questions on how to NetFlow to troubleshoot DDoS attacks from booters, reach out to our team for a full rundown!