4

I just read this article from loggly (https://www.loggly.com/blog/how-to-detect-and-analyze-ddos-attacks-using-log-analysis/), and it got me wondering.

The author states that under a DDoS attack, netstat output on the attacked server would show something like this:

TCP 192.168.2.104:00 216.35.50.65:60973 TIME_WAIT
TCP 192.168.2.104:00 216.35.50.65:60974 TIME_WAIT
TCP 192.168.2.104:00 216.35.50.65:60975 TIME_WAIT
TCP 192.168.2.104:00 216.35.50.65:60976 TIME_WAIT
TCP 192.168.2.104:00 216.35.50.65:60977 TIME_WAIT
TCP 192.168.2.104:00 216.35.50.65:60978 TIME_WAIT
TCP 192.168.2.104:00 216.35.50.65:60979 TIME_WAIT
.
.
.

Can anyone explain to me why this would happen? Since it's a DDoS attack, shouldn't it show connections from several different IPs from the botnet?

korrigan
cryptow

2 Answers

2

Great question. The answer is, maybe.

There are multiple reasons why an internal host might see 1 IP in place of many, a big one being load balancers. Load balancers have been a problem for internal monitoring for quite some time. They act as a full proxy (typically) and basically it's impossible to tell where any connection started from because all you see is the LB IP.

To answer a separate question in here, UDP would also be the most common protocol for connections in a DDoS. TCP doesn't "reflect", in the sense that if you want to pretend to be a different server and try to TCP connect, the 3rd part of the handshake won't go to you; it will go to the spoofed IP and be dropped, breaking the connection.

bashCypher
1

Read just below the image you are quoting from.

We simulated an example in a text file since we can’t get sample output from Netstat.

The takeaway from this screenshot is that the same IP is connecting to contiguous ports and the connection is timing out. We show only a handful, but a real DDoS attack should show hundreds of connections (sometimes thousands).

Nick W.
  • Yes, I read it. But it is not very self-explanatory. It says it is a simulated example, so why is the source from inside the network? Why source port 00? I get that maybe it's a reflective attack, but isn't it usually done with the UDP protocol instead of TCP? I'm just trying to find out what type of attack this is... what attack would generate such a log? – cryptow Mar 14 '18 at 14:32
  • 1
    They were just trying to show you that when you look at netstat, you will see a very large amount of open/timed out connections trying to choke out all of the available ports and bandwidth. I think you are overthinking this example because you seem to have the right idea in your head. In a real world scenario you will see hundreds of different IPs, all with open connections from external sources. – Nick W. Mar 14 '18 at 14:57
  • Couldn't it be a reflective DDoS, with just one IP? – cryptow Mar 18 '18 at 13:30
  • @cryptow in netstat the first IP:port is the local one. For incoming traffic that means the destination, not the source. But remember that it's just an example with random data. – jcaron Sep 11 '18 at 15:34
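As an added illustration of the point made in both answers and in jcaron's comment (this is not code from the question, the answers or the Loggly article): in netstat the second column is the local socket and the third is the foreign one, so a triage script has to group on the third column, and a single hot foreign IP may be a load balancer rather than the true origin. The sample listing, the threshold and all function names below are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample modelled on the question's listing (local port 80 instead of the
# article's placeholder "00"). Column 2 is the LOCAL socket, column 3 the FOREIGN one.
SAMPLE_NETSTAT = """\
Proto Local Address          Foreign Address        State
TCP   192.168.2.104:80       216.35.50.65:60973     TIME_WAIT
TCP   192.168.2.104:80       216.35.50.65:60974     TIME_WAIT
TCP   192.168.2.104:80       216.35.50.65:60975     TIME_WAIT
TCP   192.168.2.104:80       216.35.50.65:60976     TIME_WAIT
TCP   192.168.2.104:80       216.35.50.65:60977     SYN_RECV
TCP   192.168.2.104:80       198.51.100.7:51000     ESTABLISHED
TCP   192.168.2.104:22       203.0.113.9:40001      ESTABLISHED
UDP   192.168.2.104:53       *:*
"""


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state) per socket line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue  # header, blank or non-socket line
        # rsplit on the last ':' so IPv6 literals such as ::1:80 still split correctly
        local_ip, local_port = parts[1].rsplit(":", 1)
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        yield parts[0].upper(), local_ip, local_port, remote_ip, remote_port, state


def summarize_by_remote(text):
    """Group TCP sockets by FOREIGN IP: total count, per-state counts, distinct remote ports."""
    per_ip = defaultdict(lambda: {"total": 0, "states": Counter(), "ports": set()})
    for proto, _lip, _lport, rip, rport, state in parse_netstat(text):
        if proto != "TCP" or rip == "*":
            continue
        rec = per_ip[rip]
        rec["total"] += 1
        rec["states"][state] += 1
        rec["ports"].add(rport)  # contiguous client ports are the pattern the article shows
    return dict(per_ip)


def flag_noisy_remotes(summary, threshold=4):
    """Return (remote_ip, count) pairs at or above `threshold`, busiest first.

    A single hot IP can be a load balancer or proxy (bashCypher's point), so treat a hit as a
    trigger to check the LB's own logs for the real client, not as proof of the origin."""
    hits = [(ip, rec["total"]) for ip, rec in summary.items() if rec["total"] >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))
```

Feed it `netstat -an` output instead of the constructed sample to run it on a real host.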