How to find the source of a ddos attack?

Aug 03, 2024 | 21 min read

Discover how to trace the source of a DDoS attack effectively. Learn methods to identify and mitigate DDoS attacks, including analyzing IP addresses and network traffic patterns and employing cybersecurity tools to safeguard against malicious activity.

Attack traceback is an essential part of post-incident response in security incidents. Analyzing affected assets and internal network traffic helps reconstruct attackers' paths and methods, aiding in vulnerability remediation and preventing secondary incidents. Knowledge gained from attacks can be transformed into defensive advantages, allowing proactive management and better control of outcomes.


01 Attacker Profile

During traceback, security personnel gather as much information as possible from the attack event to build a profile of the attacker. Defining the objectives up front and working from the information already in hand turns scattered clues into a clearer picture of who is behind the attack. Common goals include:

  • Attack Path: How the attackers gained access to the affected systems.
  • Attack Objectives: Privilege escalation, data theft, financial gain, launching DDoS attacks, etc.
  • Network Proxies: Proxy IPs, jump servers, C2 servers, etc., used by the attackers.
  • Attack Techniques: Spear-phishing emails, web penetration, watering hole attacks, insider threats, and social engineering.

02 Traceback Methods

2.1 Tracing Exploited Vulnerabilities

In security incidents where attackers exploit vulnerabilities, the traceback evidence falls into two categories:

  • Attack Classification: Based on packet characteristics such as the format of the request, fixed strings in payloads, and the User-Agent or other headers a particular exploit tool emits. Matching these strings lets you group requests by tool and link sessions that come from different IPs.
  • Attacker Information: Commercial or personally written exploit tools may embed company or personal details (tool names, build paths, nicknames) in the request packets they send.


2.2 Tracing Phishing Emails

In security incidents where attackers deliver phishing emails, valuable information can be obtained by analyzing the emails themselves, mainly:

  • Sending IP, sending account, and email content (format characteristics). These are used to classify the emails delivered by the attackers.
  • The sending account may contain personal information, for example "Account@qq.com" or "Nickname@gmail.com", from which identity information can be derived. The email body may contain website addresses, IP addresses, etc.

Email content generally falls into three types: delivered items (backdoors and other attack components); phishing websites, including their domain names, IP addresses, and more; and other content that requires investigating strings in the email, which can reveal further accounts belonging to the attacker.

The sender IP and the sending mail server are part of the attacker's infrastructure. Note that the sending server may be a rented VPS, a compromised host, or a public mail provider; it is a pivot point for further investigation rather than proof of identity on its own.

2.3 Tracing Backdoors and Attack Components

Backdoors and attack components are crucial traces for investigation. When existing information is limited, analyzing residual attack files often yields significant results. The main approaches include:

Code logic: Out of habit, Red Team developers tend to reuse code from earlier tooling. Recognizable code patterns can be used to classify samples and link them to previously seen activity.

String characteristics: Distinctive strings help classify samples delivered by the Red Team and, through historical analysis (threat-intelligence platforms, sandbox history), lead to related samples such as those submitted during the tool's testing phase.

Metadata: Depending on the bait type (LNK, EXE, DOCX, etc.), different metadata is available. For EXE files, the embedded PDB path may inadvertently reveal the developer's desktop layout, often including a personal nickname in the user directory. LNK files may contain the NetBIOS name of the computer on which they were created, which occasionally also contains a personal nickname. DOCX files may contain the "last modified by" name.

C2 callbacks: The C2 addresses the sample connects back to are part of the attacker's infrastructure.
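The three metadata sources described above can be pulled from raw bytes without a full file-format parser. The following is an added example (not code from the original article): it scans an EXE for the CodeView "RSDS" record that carries the PDB path, scans an LNK for the TrackerDataBlock that carries the creating machine's NetBIOS name, and reads `docProps/core.xml` from a DOCX. The three sample files are constructed inline; the nickname "xiaoming", the machine name "DESKTOP-XM" and the paths are made up for the demonstration.

```python
import io
import re
import struct
import zipfile
import xml.etree.ElementTree as ET

# --- EXE: CodeView "RSDS" record -> PDB path ---------------------------------
# Layout (CodeView 7.0): b"RSDS" + GUID (16 bytes) + Age (4 bytes) + NUL-terminated path.
# Scanning for the signature in the raw bytes avoids needing a PE parser.
def pe_pdb_paths(data: bytes) -> list:
    paths = []
    for m in re.finditer(rb"RSDS", data):
        start = m.end() + 16 + 4
        end = data.find(b"\x00", start)
        if end == -1:
            continue
        raw = data[start:end]
        # A genuine path is printable ASCII; skip accidental "RSDS" byte sequences.
        if raw and all(32 <= b < 127 for b in raw):
            paths.append(raw.decode("ascii"))
    return paths

# --- LNK: TrackerDataBlock -> NetBIOS machine name ---------------------------
# MS-SHLLINK 2.5.10: BlockSize=0x60, BlockSignature=0xA0000003, Length=0x58,
# Version=0, then MachineID (16 bytes, NUL-padded NetBIOS name), then two 32-byte droids.
TRACKER_HDR = struct.pack("<IIII", 0x60, 0xA0000003, 0x58, 0)

def lnk_machine_names(data: bytes) -> list:
    names = []
    pos = data.find(TRACKER_HDR)
    while pos != -1:
        machine = data[pos + 16:pos + 32].split(b"\x00", 1)[0]
        names.append(machine.decode("ascii", errors="replace"))
        pos = data.find(TRACKER_HDR, pos + 1)
    return names

# --- DOCX: docProps/core.xml -> creator / lastModifiedBy ----------------------
DC = "{http://purl.org/dc/elements/1.1/}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"

def docx_authors(data: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    out = {}
    for key, tag in (("creator", DC + "creator"), ("lastModifiedBy", CP + "lastModifiedBy")):
        el = root.find(tag)
        if el is not None and el.text:
            out[key] = el.text
    return out

# --- constructed samples (not real malware; values are invented for the demo) --
def build_samples():
    exe = (b"MZ" + b"\x00" * 64 + b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1)
           + b"C:\\Users\\xiaoming\\source\\repos\\loader\\x64\\Release\\loader.pdb\x00"
           + b"\x00" * 16)
    lnk = (b"L\x00\x00\x00" + b"\x00" * 72 + TRACKER_HDR
           + b"DESKTOP-XM" + b"\x00" * 6      # 16-byte MachineID field
           + b"\x00" * 64)                      # Droid + DroidBirth
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(
            "docProps/core.xml",
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
            'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>hr-dept</dc:creator><cp:lastModifiedBy>xiaoming</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    return exe, lnk, buf.getvalue()

def extract_all(exe: bytes, lnk: bytes, docx: bytes) -> dict:
    return {"pdb": pe_pdb_paths(exe),
            "machine": lnk_machine_names(lnk),
            "docx": docx_authors(docx)}

if __name__ == "__main__":
    print(extract_all(*build_samples()))
```

Each function works on bytes already in memory, so the same code runs over files pulled from a mail quarantine or a sandbox without writing samples to disk. The user-directory component of the PDB path, the LNK machine name and the DOCX author names are the strings to pivot on when searching historical samples.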

2.4 Tracing Attacker Assets

Identifying attacker assets involves:

Domain name characteristics: nickname strings embedded in domain names.

Website content: examining a site's current and historical data (including archived copies) may reveal other Red Team attack components, personal nicknames, profiles, and registration information.

Whois information: registrant email addresses, phone numbers, etc. Privacy-protected or fabricated records are common, so historical Whois data is often more useful than the current record.

IP information: whether the IP geolocates to a security company's office or is flagged as a security company's egress gateway.

03 Security Tracing Case Studies

Case Study One: Tracing Phishing Email Attacks

Scenario: Attackers use social engineering to forge plausible email content, bypass the email gateway, deliver the message to target mailboxes, and trick users into clicking links or downloading attachments.

Information collection: Examine the email headers to obtain the sender IP address and the sender's domain, and extract the phishing website URLs or the malicious attachment samples.

Tracing methods:

  1. Pivoting on the associated domain and IP addresses.
  2. Conducting reverse penetration tests on the phishing websites to gain access and gather further attacker information. This is only permissible with explicit legal authorization, such as the rules of an attack-defense exercise.
  3. Analyzing the malicious attachments on threat intelligence platforms to find related samples and further profile the attacker.
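Header analysis is the same whether it is described as a method (section 2.2) or applied in this case study. The following is an added example, not code from the original article: it parses a constructed phishing email, walks the `Received` chain oldest-first to find the first external hop (the attacker's sending server), flags the sender domain mismatch between `From` and `Return-Path`, records a free-mail `Reply-To` account as a pivot, and extracts URLs and attachment hashes. The mail, its addresses and domains are invented for the demonstration; the "internal" network list is an assumption (RFC 1918, loopback and link-local) that you would extend with your own ranges.

```python
import email
import hashlib
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample: a phishing mail as stored on the target mail server.
# Received headers are prepended by each hop, so the newest one is on top.
RAW_MAIL = b"""Return-Path: <bounce@mail-notify.example>
Received: from mx1.corp.example (mx1.corp.example [10.0.5.2])
\tby mailstore.corp.example with ESMTP id 7F3A; Sat, 03 Aug 2024 09:12:01 +0800
Received: from mail-notify.example (unknown [203.0.113.45])
\tby mx1.corp.example with ESMTPS id 2B1C; Sat, 03 Aug 2024 09:11:58 +0800
Received: from [192.168.1.23] (helo=win10-pc)
\tby mail-notify.example with esmtpa (Exim); Sat, 03 Aug 2024 09:11:55 +0800
From: "HR Department" <hr@corp-example.com>
Reply-To: hr.notice2024@gmail.com
To: staff@corp.example
Subject: Salary adjustment notice
Message-ID: <a1b2c3@mail-notify.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please review the updated policy at http://corp-example.com.login-verify.xyz/portal
--XYZ
Content-Type: application/octet-stream; name="notice.docx.exe"
Content-Disposition: attachment; filename="notice.docx.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumption: treat only these ranges as "internal"; add your own corporate ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)

def received_hops(msg) -> list:
    """Return the Received chain oldest-first as (ip, from_clause, is_external)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        line = " ".join(str(raw).split())          # unfold continuation lines
        m = IP_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        from_clause = line.split(" by ", 1)[0]      # "from host (helo/ptr [ip])"
        hops.append((str(ip), from_clause, not is_internal(ip)))
    return hops

def domain_of(addr: str) -> str:
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def analyze(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw)
    hops = received_hops(msg)
    # The first external hop is the sending server; hops before it are inside the
    # attacker's own network and may leak hostnames (here the HELO "win10-pc").
    origin = next((ip for ip, _, external in hops if external), None)
    urls, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():
            attachments.append({"name": part.get_filename(),
                                "sha256": hashlib.sha256(payload).hexdigest(),
                                "magic": payload[:2]})
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(payload.decode(errors="replace")))
    from_dom = domain_of(msg.get("From", ""))
    return {"origin_ip": origin,
            "hops": hops,
            "from_domain": from_dom,
            "return_path_domain": domain_of(msg.get("Return-Path", "")),
            "envelope_mismatch": from_dom != domain_of(msg.get("Return-Path", "")),
            "reply_to": parseaddr(msg.get("Reply-To", ""))[1],
            "urls": urls,
            "attachments": attachments}

if __name__ == "__main__":
    for k, v in analyze(RAW_MAIL).items():
        print(f"{k}: {v}")
```

The origin IP and the sending server's hostname go into the infrastructure pivot (section 2.4), the `Reply-To` account and the HELO name go into the attacker profile, and the attachment hash is what you submit to a threat intelligence platform in step 3.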

Case Study Two: Web Intrusion Tracing

Scenario: Attackers break into a server segment through n-day or 0-day vulnerabilities. A webshell triggers a security alert, or threat detection blocks communication with a C&C domain.

Tracing methods:
Isolate the webshell sample, use the web server logs to reconstruct the attack path, identify and fix the exploited vulnerability from the log entries, and extract the attacker's IP addresses. Check any X-Forwarded-For or similar headers if the site sits behind a reverse proxy, otherwise the logged address is the proxy's. Attackers often use proxy servers or anonymous networks (e.g., Tor) to conceal their real IP addresses, so a source IP is a pivot for further correlation rather than an identity.
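The log reconstruction above, and the classification by request-string characteristics from section 2.1, can be done together over the access log. The following is an added example, not code from the original article: given the webshell path from the alert, it parses constructed Apache "combined" log lines, finds the clients that used the shell, links further source IPs to them by identical User-Agent strings (attackers rotate proxies more often than tooling), picks the last POST before the shell was first used as the likely upload vulnerability, and tags IPs whose User-Agent matches known scanner or exploitation tools. The log lines, IPs (documentation ranges) and paths are constructed; the signature table is a small assumed starting set.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" access-log lines; addresses are documentation ranges.
ACCESS_LOG = """\
198.51.100.7 - - [03/Aug/2024:01:02:03 +0800] "GET /robots.txt HTTP/1.1" 200 58 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
198.51.100.7 - - [03/Aug/2024:01:02:09 +0800] "GET /index.php?id=1%20AND%201=1 HTTP/1.1" 200 4123 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
192.0.2.55 - - [03/Aug/2024:01:04:00 +0800] "GET /about.html HTTP/1.1" 200 3102 "https://www.google.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 Safari/605.1.15"
198.51.100.7 - - [03/Aug/2024:01:05:41 +0800] "POST /admin/upload.php HTTP/1.1" 200 211 "http://victim.example/admin/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0 Safari/537.36"
203.0.113.9 - - [03/Aug/2024:01:06:02 +0800] "POST /uploads/avatar_2024.php HTTP/1.1" 200 88 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0 Safari/537.36"
203.0.113.9 - - [03/Aug/2024:01:06:15 +0800] "POST /uploads/avatar_2024.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0 Safari/537.36"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Assumed starting set of request-string characteristics that identify the tooling.
TOOL_SIGNATURES = {"Nmap Scripting Engine": "nmap", "sqlmap": "sqlmap",
                   "python-requests": "python-requests", "Go-http-client": "go-http-client"}

def parse_log(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip malformed lines instead of aborting the analysis
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return sorted(entries, key=lambda e: e["ts"])

def trace_webshell(text: str, webshell_path: str) -> dict:
    entries = parse_log(text)
    shell_hits = [e for e in entries if e["path"].split("?")[0] == webshell_path]
    first_hit = shell_hits[0]["ts"] if shell_hits else None
    shell_ips = sorted({e["ip"] for e in shell_hits})
    shell_uas = {e["ua"] for e in shell_hits}
    # Link other source IPs by identical User-Agent: the proxy changes, the tooling does not.
    linked_ips = sorted({e["ip"] for e in entries if e["ua"] in shell_uas} | set(shell_ips))
    # Likely vulnerable endpoint: the last POST by a linked IP before the shell was first used.
    upload = None
    for e in entries:
        if (first_hit and e["ts"] < first_hit and e["ip"] in linked_ips
                and e["method"] == "POST" and e["path"].split("?")[0] != webshell_path):
            upload = e
    tools = defaultdict(set)
    for e in entries:
        for needle, name in TOOL_SIGNATURES.items():
            if needle in e["ua"]:
                tools[e["ip"]].add(name)
    timeline = [(e["ts"].strftime("%H:%M:%S"), e["ip"], e["method"], e["path"])
                for e in entries if e["ip"] in linked_ips]
    return {"shell_ips": shell_ips,
            "linked_ips": linked_ips,
            "upload_request": (upload["method"], upload["path"]) if upload else None,
            "tool_fingerprints": {ip: sorted(t) for ip, t in tools.items()},
            "timeline": timeline}

if __name__ == "__main__":
    result = trace_webshell(ACCESS_LOG, "/uploads/avatar_2024.php")
    for k, v in result.items():
        print(f"{k}: {v}")
```

In the constructed log the shell is operated from one IP while the upload came from another; the shared browser User-Agent is what ties the two together, and the scanner and sqlmap signatures on the uploading IP give the attack classification. On a real log, widen the linking key (User-Agent plus Accept-Language or TLS fingerprint if your proxy logs it), since a common browser User-Agent alone will also match legitimate users.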

Case Study Three: Honeypot Tracing

Scenario: Honeypots deployed inside the enterprise network simulate common application services and lure attackers into interacting with them.

Tracing methods: When attackers reach a honeypot, their intrusion behavior is recorded to obtain host information, browser details, and possibly their real IP address and social account information. Because a honeypot has no legitimate users, every connection to it is worth investigating.

Through these methods, a comprehensive threat intelligence profile is obtained, revealing: the identity of the person/organization behind the attack, their motives, methods used, and the attack process. Further analysis and cross-confirmation of intelligence ultimately identify the attacker's identity.
