Cyber attacks are all the rage right now. Are you getting hit? Would you know if you were? Sifting through all the noise in the logs is tough. So how do you detect DDoS attacks? In this post I am going to show you a few things I have observed while fending off cyber attacks that might help you identify and fend them off as well. This is not a comprehensive guide by any means, just a few patterns I have been observing.
There are two main types of attacks I see commonly: the hot and heavy that blasts the site until it's down, and the low and slow. The first one is extremely easy to detect because all of a sudden you are getting 10-100x your normal traffic, and if you are not ready your site goes down. The second one is a bit trickier and typically requires a bit more planning on the attacker's part if it is going to cause any damage. The hot and heavy is fairly easy to detect: the IP address traffic looks nothing like your current user load. A lot of the time it is focused and less randomized, so it is a walk in the park to block if you have some type of firewall in place. The low and slow is the silent killer, quietly hitting strategic routes that it had crawled and found vulnerable, often routes you didn't even know were vulnerable.
The first step to fighting DDoS attacks is to be able to detect the malicious traffic and discern a pattern so you can block it. If you get this wrong and crank up the firewall you might end up blocking legitimate traffic.
Chances are your website gets crawled for vulnerabilities dozens of times an hour. Pretty much every IP address on the internet that has a port open gets crawled. If you have port 80 or 443 open you will likely see traffic coming in that contains URIs that definitely don't exist on your system. For example, I run a lot of custom NodeJS code that constantly receives requests that look like they are aimed at a WordPress site. That is malicious parties trying to find basic vulnerabilities. While this is not an attack in itself, you still want to block this type of behavior as soon as you can.
One thing to note is that this type of traffic often goes right for the IP address, as that is really easy to crawl. If you have a public domain, or a domain that is easy to look up or guess with a keyword list, then you will probably see them use the appropriate hostname. But if you have a long and obscure hostname that is not publicized, then typically you won't see the hostname included in the traffic. Just something to look for.
Another pattern I observed recently: keep an eye on traffic coming from IP addresses that send lots of different User-Agent headers. One or two could be a coincidence, like browsing on your phone and then opening the same link on the desktop to get the full desktop experience. But 10-20 different User-Agents from one address would be a bit odd.
Depending on the attacker's sophistication, they might just be hitting you with curl and not actually loading the page into a browser. This means no DOM and no JS executed client side. If you can track which IP addresses are not making secondary async HTTP requests versus the ones that are, that would be a pretty big indicator that the ones that are not are a simple attack.
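The patterns above (requests for paths that do not exist, a bare IP in the Host header, many User-Agents from one address, and no secondary requests) turned into a small log triage script, as an added example that is not code from the original post. It assumes an nginx-style log line with the Host header logged after the client IP; the sample lines and the `/static/` and `/api/` prefixes are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from a real server) in an nginx-style format:
# client ip, Host header, request line, status, User-Agent.
SAMPLE_LOG = """\
203.0.113.5 203.0.113.10 "GET /wp-login.php HTTP/1.1" 404 "Mozilla/5.0 (X11; Linux)"
203.0.113.5 203.0.113.10 "GET /xmlrpc.php HTTP/1.1" 404 "curl/7.88.1"
203.0.113.5 203.0.113.10 "GET /.env HTTP/1.1" 404 "python-requests/2.31"
198.51.100.7 app.example.com "GET /dashboard HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 app.example.com "GET /static/app.js HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 app.example.com "GET /api/session HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.9 app.example.com "GET /dashboard HTTP/1.1" 200 "curl/8.0.1"
192.0.2.9 app.example.com "GET /dashboard HTTP/1.1" 200 "curl/8.0.1"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')
# Assumed prefixes of the secondary requests a real browser session makes.
SECONDARY = ("/static/", "/api/")

def summarize(log_text):
    """Collect, per client IP, the signals the post describes."""
    per_ip = defaultdict(lambda: dict(hits=0, uas=set(), bare_ip_host=0, not_found=0, secondary=0))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, host, _method, path, status, ua = m.groups()
        s = per_ip[ip]
        s["hits"] += 1
        s["uas"].add(ua)
        s["bare_ip_host"] += bool(re.fullmatch(r"[\d.]+", host))  # Host header is an IP, not a name
        s["not_found"] += status == "404"                         # probing paths that do not exist
        s["secondary"] += path.startswith(SECONDARY)              # assets/XHR a browser would fetch
    return per_ip

def flag_suspicious(log_text, max_uas=2, min_hits=2):
    """Return {ip: [reasons]} for IPs that match one or more of the patterns."""
    flagged = {}
    for ip, s in summarize(log_text).items():
        checks = [
            (len(s["uas"]) > max_uas, "many user agents"),
            (s["bare_ip_host"] > 0, "host header is a bare ip"),
            (s["not_found"] >= min_hits, "probing paths that do not exist"),
            (s["hits"] >= min_hits and s["secondary"] == 0, "no secondary requests"),
        ]
        reasons = [why for hit, why in checks if hit]
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Thresholds are deliberately loose so the output is a review list rather than a block list; tune `max_uas` and `min_hits` against your own baseline before wiring this into a firewall.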
Again, this is not meant to be a full guide to fighting DDoS attacks (though that might be fun to write), just a few patterns I observed. If you have any tips or have noticed any patterns recently, please post/comment/send them my way so we can all learn from them.
~Cheers
PS: If you need a little help detecting and fighting these attacks, I am here to help. Check out my Group Coaching Program or 1 on 1 Consulting at schematical.com, and check out my FREE eBook, 20 Things You Can Do To Save Money On Your Amazon Web Services Bill Today.