
How to Know When a DDoS Attack is on Its Way

By Eran Atias
June 26, 2023

Guest post by Eran Atias

The element of surprise is a core principle of war in many nations around the world. According to the UK Defense Doctrine, it is the “consequence of confusion induced by deliberately or incidentally introducing the unexpected.” This limits an enemy’s reaction time to make decisions, prepare a defense, and launch a counterattack.

Surprise applies to DDoS incidents as well. It basically means the attacker chooses what to attack, when, and how. Then, the victim organization – which hopefully detected the disruption in real time – needs to figure out that it is under attack, analyze the attack, make decisions regarding mitigation actions, and perform them. This usually includes pulling personnel off the tasks they are working on and assigning them to this effort. If it takes place outside working hours, then it is necessary to reach on-call personnel.

As in war, having operational intelligence regarding a DDoS attack that is about to be launched against our organization is truly valuable, and can save minutes or hours of downtime. We can get that sort of heads-up, and reach important conclusions, from the latest DDoS attacks launched by Anonymous Sudan.

Anonymous Sudan DDoS Attacks

Anonymous Sudan is a hacker group motivated by religious and political ideology. It attacks government and private institutions in Western countries, such as the US, Sweden, and France. In April 2023, it attacked websites of Israeli universities and took them down for several hours. Due to its use of DDoS as its main attack vector and its focus on those countries, some analysts suggest Anonymous Sudan is a cover for the pro-Russian threat actor group Killnet.

According to threat intelligence reports, and as can be seen in the group’s Telegram channel, Anonymous Sudan uses the check-host.net website-monitoring service to check the availability of its targets and to find out whether an attack is successful. This finding can be leveraged for an advance warning of an attack.

The user interface of check-host.net.
Any website or API can be monitored for availability from multiple locations around the world.


Availability Monitoring Tools

Almost every organization with web-based services uses a monitoring tool for getting real-time visibility into service availability and latency for its users. Any outage or deviation from the expected latency should be detected, investigated, and mitigated as fast as possible in order to resume business functions and prevent monetary or reputational damage. There are many free or paid tools, such as StatusCake, UptimeRobot and Site24x7. Notably, in addition to this legitimate and intended use, many attackers and penetration testers use such tools for checking the availability and latency of their targets.

The availability monitoring services provide clients with a list of the IP addresses used by their machines for launching availability checks. This ensures traffic from the monitoring tool can get past the organization’s firewalls, preventing them from being blocked and causing availability checks to fail. The relevant addresses are usually provided in plain text and JSON formats.

Examples of the locations and IP addresses of StatusCake’s machines


Detection Engineering: Outsmarting the Attackers

An organization can get minutes or hours of warning of a potential DDoS attack simply by taking note of inbound traffic that originates from availability monitoring tools, with an emphasis on cost-free options.

This is under the assumption that the attacking entity leverages such tools as described earlier. However, this early-warning method should not be applied, of course, to the availability monitoring tool in use by the organization itself, but to all other tools out there.

To identify early signs of a potential DDoS attack, follow these steps:

  1. Research the IP addresses of all availability monitoring tools and list them. For example, in the image below you can see the IP addresses of the machines used by check-host.net.

  2. Create a rule in your firewall for blocking traffic from those IP addresses.
  3. Create a rule in your SIEM that will trigger an incident whenever the above firewall rule is hit. Note that you should configure the incident notification to aggregate all firewall blocking events in the same timeframe.
  4. Teach your SOC analysts and network security engineers that such notifications indicate an incoming DDoS attack and instruct them to:
    • Keep a close eye on any suspicious or anomalous increments in inbound traffic volume or the rate of inbound requests to your CDN or to any web service or network intermediary device in your infrastructure.
    • Get ready to launch DDoS detection and mitigation procedures and playbooks.

It should be mentioned that the more firewall-based events are aggregated in a single incident notification, the more likely it is that a DDoS attack is about to be launched and that what you are seeing is not a false alarm.
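The detection logic behind steps 1 to 3, as an added runnable sketch that is not part of the original post: it parses a constructed JSON probe list of the kind described under Availability Monitoring Tools, matches constructed firewall DENY events against it, and aggregates the hits per timeframe so that an incident is raised only when several blocks land in the same window. The log format, the `block-monitoring-probes` rule name and the IP ranges are constructed placeholders (documentation ranges), not any real service's addresses.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample of the JSON probe list a monitoring service publishes.
# Documentation ranges only (RFC 5737 / RFC 3849), not any real provider's addresses.
PROBE_LIST_JSON = '{"probes": ["198.51.100.0/24", "203.0.113.7", "2001:db8::/32"]}'

# Constructed firewall DENY events in a hypothetical syslog-like format.
FIREWALL_LOG = """\
2023-06-26T08:00:01Z DENY src=198.51.100.14 dst=192.0.2.10 rule=block-monitoring-probes
2023-06-26T08:00:02Z DENY src=198.51.100.77 dst=192.0.2.10 rule=block-monitoring-probes
2023-06-26T08:00:04Z DENY src=203.0.113.7 dst=192.0.2.10 rule=block-monitoring-probes
2023-06-26T08:00:05Z DENY src=192.0.2.250 dst=192.0.2.10 rule=geo-block
2023-06-26T09:30:00Z DENY src=198.51.100.14 dst=192.0.2.10 rule=block-monitoring-probes
"""

def load_probe_networks(raw_json):
    """Step 1: turn the published list into networks (single hosts become /32 or /128)."""
    return [ipaddress.ip_network(p, strict=False) for p in json.loads(raw_json)["probes"]]

def is_probe(src, networks):
    """True if the source address falls inside a known monitoring-probe range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)

def parse_deny_line(line):
    """Return (timestamp, src_ip) for a DENY line, or None for anything else."""
    fields = line.split()
    if len(fields) < 3 or fields[1] != "DENY":
        return None
    ts = datetime.fromisoformat(fields[0].replace("Z", "+00:00"))
    src = next((f[4:] for f in fields if f.startswith("src=")), None)
    return (ts, src) if src else None

def early_warning_alerts(log_text, networks, window=timedelta(minutes=5), threshold=3):
    """Step 3: aggregate blocked probe hits that fall inside one window and raise an
    incident only when the window holds at least `threshold` hits; more hits in one
    window means the warning is less likely to be a false alarm."""
    hits = sorted(p for p in map(parse_deny_line, log_text.splitlines())
                  if p and is_probe(p[1], networks))
    groups = []
    for ts, src in hits:
        if groups and ts - groups[-1][0][0] <= window:
            groups[-1].append((ts, src))   # same aggregation window as the last hit
        else:
            groups.append([(ts, src)])     # first hit of a new window
    return [{"first_seen": g[0][0], "hits": len(g), "sources": sorted({s for _, s in g})}
            for g in groups if len(g) >= threshold]
```

On the constructed log, the three probe blocks within a few seconds of 08:00 become one incident, while the unrelated geo-block and the lone 09:30 hit do not; the lone hit is exactly the kind of single event the post says should not be trusted on its own.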