DDoS attacks are quick to start killing performance on the server. The first clue that you're under attack is usually a server crash. With IIS, the server often returns a 503 "Service Unavailable" error.
It usually starts by displaying this error intermittently, but heavy attacks lead to permanent 503 responses for all of your users.
Another hint is that the server might not crash completely, but services become too slow for production. It could take several minutes to submit a form or even to render a page.
When a system is targeted by a DDoS attack, every IP address you detect belongs to a victim's machine (a bot); the attacker's own IP is not among them.
That is why it is so difficult for a CERT to identify the attacker, the person who controls the bots.
The real question is: how can we detect the attacker's IP address?
Before answering, we need to know that there are two techniques for controlling bots, and for each of them there is a corresponding technique for detecting the attacker.
Let's look at what attackers use to control bots in a DDoS attack.
The first technique is the client-server botnet
This kind of botnet works like a Trojan: there is a client side and a server side. The attacker uses the client to build his own botnet and to control the bots through it. The bot (the server side) is a file that the hacker injects into victims' computers.
The connection between client and server is established by listening on some port. The hacker then launches an attack by sending commands to the servers (the bots) to start the DDoS.
So the connection has three parties: the attacker, the victim (the bot), and the target. We cannot reach the attacker directly from the target; take, for example, the target website sawongam.com.
Tracing, in this case, should be done in two steps.
1. Collect the IP addresses of the bots carrying out the DDoS attack, and try to get hold of one of the machines that contains a bot.
2. Perform forensics on that detected machine, which the hacker connects to. From it we can detect the attacker's IP address easily.
If the attacker is using a proxy, that is another case: the proxy is how the attacker gets around this tracing.
The second technique is HTTP client
Here the attacker is harder to detect than with the client-server botnet. In this type, the attacker uses a web server to control the bots, as the Zeus and Vertex botnets do.
We can detect the web server through which the attacker controls the bots, and by detecting the web server we can detect the attacker. But this is very difficult, because attackers usually use web servers that are not registered in their names, or hacked web servers.
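One defender-side way to find the web server an HTTP-controlled bot talks to, as an added Python example that is not from the post and not code from the Zeus or Vertex projects: it scores each (client, host) pair in a constructed web-proxy log by how regular the request timing is, because a bot polling its controller on a schedule stands out by periodicity even when the host name looks unremarkable and the volume is low. The log format, host names and addresses are constructed, and the thresholds are assumptions.

```python
"""Beacon detection over a constructed web-proxy log (added example, not code from
the post). A bot controlled through a web server polls it on a schedule, so its
requests to that host stand out by regularity, not by volume.
Constructed line format: unix_time client_ip method host path status."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed: 192.168.1.23 is the suspected bot; stats-sync.example plays the
# controller's web server, polled every ~60 s; the other hosts are normal browsing.
PROXY_LOG = """\
1714557600 192.168.1.23 POST stats-sync.example /gate.php 200
1714557605 192.168.1.23 GET news.example / 200
1714557612 192.168.1.23 GET news.example /world 200
1714557620 192.168.1.23 GET cdn.example /app.js 200
1714557640 192.168.1.23 GET news.example /sport 200
1714557661 192.168.1.23 POST stats-sync.example /gate.php 200
1714557720 192.168.1.23 POST stats-sync.example /gate.php 200
1714557781 192.168.1.23 POST stats-sync.example /gate.php 200
1714557790 192.168.1.23 GET news.example /tech 200
1714557795 192.168.1.23 GET news.example /tech/2 200
1714557800 192.168.1.40 GET news.example / 200
1714557840 192.168.1.23 POST stats-sync.example /gate.php 200
1714557901 192.168.1.23 POST stats-sync.example /gate.php 200
1714557960 192.168.1.23 POST stats-sync.example /gate.php 200
1714557990 192.168.1.23 GET news.example /local 200
1714558021 192.168.1.23 POST stats-sync.example /gate.php 200
1714558080 192.168.1.23 POST stats-sync.example /gate.php 200
1714558140 192.168.1.23 POST stats-sync.example /gate.php 200
1714558300 192.168.1.23 GET news.example /weather 200
1714558310 192.168.1.40 GET news.example /weather 200
1714558400 192.168.1.23 GET ads.example /a.gif 200
1714558400 192.168.1.23 GET ads.example /b.gif 200
1714558400 192.168.1.23 GET ads.example /c.gif 200
1714558400 192.168.1.23 GET ads.example /d.gif 200
1714558400 192.168.1.23 GET ads.example /e.gif 200
1714558400 192.168.1.23 GET ads.example /f.gif 200
"""

def beacon_scores(log_text, min_requests=6):
    """Per (client, host): request count, mean gap and its coefficient of variation."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                       # malformed line
        ts, client, _method, host = parts[:4]
        times[(client, host)].append(int(ts))
    scores = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:     # too few samples to judge periodicity
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # A zero mean gap is a same-second burst (a page load, a flood), never a schedule.
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        scores[key] = {"requests": len(stamps), "mean_gap_s": avg, "cv": cv}
    return scores

def flag_beacons(log_text, max_cv=0.2, min_requests=6):
    """(client, host) pairs whose request timing is regular enough to look scheduled."""
    return sorted(k for k, s in beacon_scores(log_text, min_requests).items() if s["cv"] <= max_cv)

if __name__ == "__main__":
    for key, score in beacon_scores(PROXY_LOG).items():
        print(key, score)
    print("beacon candidates:", flag_beacons(PROXY_LOG))
```

On this sample the only flagged pair is the bot and `stats-sync.example` (mean gap 60 s, coefficient of variation under 0.05), while the irregular news browsing and the same-second burst of ad images are not. The host this turns up is the controller's web server, which, as the paragraph above notes, is often a hacked or anonymously registered machine rather than the attacker's own, so it is the starting point for further investigation rather than the end of it.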
Conclusion: after detecting the victims in any DDoS attack, the next step, e-forensics on a victim machine, leads us to the attacker.