{"id":7641,"date":"2018-01-01T07:30:14","date_gmt":"2018-01-01T07:30:14","guid":{"rendered":"http:\/\/blog.nsfocusglobal.com\/?p=1028"},"modified":"2018-01-01T07:30:14","modified_gmt":"2018-01-01T07:30:14","slug":"traceback-of-a-ddos-attack","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/traceback-of-a-ddos-attack\/","title":{"rendered":"Traceback of a DDoS Attack"},"content":{"rendered":"<p><span style=\"color: #000000; font-family: Times New Roman;\">An abnormal increase in the CPU usage of a telecom carrier&#8217;s 4G firewall substantially slowed down the access from some iPhone users to the Apple website. We suspected that the carrier was hit by a DDoS attack. With the visualized traceback function of NSFOCUS Big Data Security Analytics (BSA), we made a drill-down analysis of suspicious IP addresses and finally located the attack source. This document details the entire DDoS traceback process and provides some analysis ideas.<\/span><\/p>\n<h2>Using an Eagle Eye to Trace IP Services<\/h2>\n<p><span style=\"color: #000000; font-family: Times New Roman;\">NSFOCUS Threat Analysis and Traceback (TAT) is capable of tracking traffic concerning websites, DNS services, and IP services. 
NSFOCUS TAT allows scenario analysis based on an IP address, IP segment, port, and protocol and presents the following statistics:<\/span><\/p>\n<ul>\n<li>Traffic and flow statistics by IP port<\/li>\n<li>Traffic and flow statistics by visiting area<\/li>\n<li>Geographical distribution of visiting areas<\/li>\n<li>Geographical distribution of visiting areas by traffic intensity<\/li>\n<li>Concurrent online IP addresses<\/li>\n<li>Traffic and flow statistics by access duration<\/li>\n<li>Pareto chart<\/li>\n<li>Traffic and flow statistics by protocol<\/li>\n<li>Traffic and flow statistics by router<\/li>\n<\/ul>\n<p><span style=\"color: #000000; font-family: Times New Roman;\">IP address traceback tasks can be performed in three ways: cache mining mode, online mining mode, and offline mining mode. During this attack, the 8 to 12 pieces of DDoS data generated in one hour needed to be analyzed and handled at high speed.<\/span><\/p>\n<ul>\n<li>Cache mining mode (high-speed memory mining): The mined data, saved in memory, can be quickly invoked and reused for progressive queries. Mining a large amount of data consumes a lot of cluster memory. Therefore, the cache mode is applicable only for mining data generated within one day. It is recommended that a filter be used to narrow down the data in advance.<\/li>\n<li>Online mining mode: After mining conditions are entered, a filter is automatically generated accordingly. The filter directly queries the raw flow table without waiting for a cache to be created, thus making queries for a specific analysis scenario fast and convenient. This mode is applicable to one-time queries of data generated within one day.<\/li>\n<li>Offline mining mode: This can be used for analyzing data generated over more than one day. The required data is first queried and then compressed (by combining small files). The created physical table is saved on the hard disk for future reuse. 
Due to the large amount of data, conditions should be configured, such as the specific IP address to be queried.<\/li>\n<\/ul>\n<h2>Analyzing Upstream Traffic of a Specific IP Address<\/h2>\n<h3>Raw Data<\/h3>\n<p>Under <strong>Service Analysis &amp; Traceback &gt; IP<\/strong>, we can mine an IP address&#8217;s upstream traffic data generated between 1:00 and 2:00 a.m. on March 24, 2017.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/1..png\"><img fetchpriority=\"high\" decoding=\"async\" class=\"size-large wp-image-1029 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/1.-1024x222.png\" alt=\"\" width=\"640\" height=\"139\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Mining conditions<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/2..png\"><img decoding=\"async\" class=\"size-large wp-image-1030 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/2.-1024x616.png\" alt=\"\" width=\"640\" height=\"385\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Mined traffic statistics of an IP address<\/p>\n<p><span style=\"color: #000000; font-family: Times New Roman;\">The graph in the preceding figure shows that the traffic trend varies only slightly and the traffic is generally stable. The table under the graph shows that the peak size stands at 2.3 Mbps or 700 pps; the total volume is 3 GB or 1M packets; the total number of flows reaches 1013. 
The raw flow table presents statistics of raw flows such as the source IP address, destination IP address, source port, destination port, total volume, number of packets, and protocol.<\/span><\/p>\n<h3>Traffic and Flow of Ports<\/h3>\n<p>Under <strong>Service Analysis &amp; Traceback &gt; IP<\/strong>, we can click <strong>Traffic &amp; Flow by Port<\/strong> to view the traffic and flow statistics of a website by port, thereby identifying the port with the peak traffic or abnormal traffic.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/3..png\"><img decoding=\"async\" class=\"size-large wp-image-1031 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/3.-1024x550.png\" alt=\"\" width=\"640\" height=\"344\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Traffic and flow statistics of IP ports<\/p>\n<p><span style=\"color: #000000; font-family: Times New Roman;\">The graph in the preceding figure shows the traffic and flow trend of specific ports of an IP address in 1:00\u20132:00 a.m. on March 24, 2017. From the graph, we can see that only ports 443 and 760 carried traffic at that time. 
The table presents traffic and flow statistics of the two ports, such as the total volume, peak size, average size, and number of flows.<\/span><\/p>\n<h3>Traffic and Flows from the Perspective of TCP Flags<\/h3>\n<p>Under <strong>Service Analysis &amp; Traceback &gt; IP<\/strong>, we can click <strong>TCP Flag Traffic\/Flows<\/strong> to view traffic and flow statistics from the perspective of TCP flags, such as the total volume, peak size, number of flows, and proportion of each type of traffic.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/4..png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-1032 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/4.-1024x630.png\" alt=\"\" width=\"640\" height=\"394\" \/><\/a><\/p>\n<p style=\"text-align: center;\">TCP flag-related traffic and flow statistics<\/p>\n<p><span style=\"color: #000000; font-family: Times New Roman;\">The graph in the preceding figure shows the traffic and flow statistics from the perspective of TCP flags in 1:00\u20132:00 a.m. on March 24, 2017. From the graph, we can see that the highest peak size, 2 Mbps or 500 pps, belongs to ACK traffic totaling 1.6 GB or 519,000 packets, and the second highest peak size goes to PSH-ACK traffic. Therefore, we conclude that ACK response packets and packets carrying the requested data account for a large proportion of the upstream traffic. The table presents detailed traffic and flow statistics from the perspective of TCP flags, such as the total volume and peak size.<\/span><\/p>\n<h3>Concurrent Online IP Addresses<\/h3>\n<p>Under <strong>Service Analysis &amp; Traceback &gt; IP<\/strong>, we can mine raw data for scenario analysis. After clicking <strong>Concurrent Online IP<\/strong>, we can learn the number of distinct (deduplicated) IP addresses online in each 30-second interval. 
This makes it convenient to check whether a problem is caused by a sudden increase in the number of accessing IP addresses.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/5..png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-1033 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/5.-1024x484.png\" alt=\"\" width=\"640\" height=\"303\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Statistics of concurrent online IP addresses<\/p>\n<p><span style=\"color: #000000; font-family: Times New Roman;\">The trend graph in the preceding figure shows the trend of concurrent online IP addresses in 1:00\u20132:00 a.m. on March 24, 2017. From the graph, we can see that at a specific point of time up to 19 (the maximum in the one hour) IP addresses were accessing the website simultaneously. Throughout the hour, the total number of IP addresses accessing the website reached 1001, which was within the acceptable range.<\/span><\/p>\n<h2>Analyzing Downstream Traffic of an IP Address<\/h2>\n<h3>Raw Data<\/h3>\n<p>Under <strong>Service Analysis &amp; Traceback &gt; IP<\/strong>, we can mine raw data about downstream traffic of a specific IP address in a specified period, for example, 1:00 to 2:00 a.m. on March 24, 2017.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/6..png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-1034 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/6.-1024x625.png\" alt=\"\" width=\"640\" height=\"391\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Traffic trend graph and table of an IP address in a specified period<\/p>\n<p><span style=\"color: #000000; font-family: Times New Roman;\">The preceding figure shows downstream traffic data of an IP address in the period of 1:00\u20132:00 a.m. on March 24, 2017. 
A burst of traffic clearly occurs from 1:30 to 1:35 a.m. During the one-hour period, the traffic peaks at 626.4 Mbps or 1.1 Mpps and amounts to 65.1 GB or 102.7M packets; the total number of flows is 1427. The raw data table presents statistics about flows generated in that hour, including the source IP address, destination IP address, source port, destination port, traffic volume, number of packets, and protocol used.<\/span><\/p>\n<h3>Traffic and Flows from the Perspective of TCP Flags<\/h3>\n<p>Under <strong>Service Analysis &amp; Traceback &gt; IP<\/strong>, we can mine raw data for scenario analysis. After clicking <strong>TCP Flag Traffic\/Flows<\/strong>, we can learn the total volume, peak size, and number of flows of packets with common TCP flags. In addition, we can analyze the proportion of each type of traffic, distinguished by TCP flag.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/7..png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-1035 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/7.-1024x624.png\" alt=\"\" width=\"640\" height=\"390\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Traffic and flow statistics from the perspective of TCP flags<\/p>\n<p><span style=\"color: #000000; font-family: Times New Roman;\">The preceding figure shows statistics from the perspective of TCP flags about traffic and flows generated in 1:00\u20132:00 a.m. on March 24, 2017. From this figure, we can see that FIN-ACK traffic exceeds all other types of traffic, peaking at 461.5 Mbps or 779.5 kpps and amounting to 51.4 GB or 86.9M packets. RST packets contribute the second largest proportion, amounting to 8.7 GB or 14.7M packets and peaking at 176.6 Mbps or 298.3 kpps (see the table of downstream traffic by TCP flag below). Therefore, TCP connections are probably closed first and then reset. 
The table presents detailed traffic statistics from the perspective of TCP flags, such as the total volume and peak size.<\/span><\/p>\n<h3>Concurrent Online IP Addresses<\/h3>\n<p>In the case of traffic bursts, it is necessary to check whether there is a sudden increase in the number of accessing IP addresses. Under <strong>Service Analysis &amp; Traceback &gt; IP<\/strong>, we can mine raw data for scenario analysis. After clicking <strong>Concurrent Online IP<\/strong>, we can learn the number of distinct (deduplicated) IP addresses online in each 30-second interval. This makes it convenient to check whether a problem is caused by a sudden increase in the number of accessing IP addresses.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/8..png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-1036 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/8.-1024x430.png\" alt=\"\" width=\"640\" height=\"269\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Concurrent online IP addresses<\/p>\n<p><span style=\"color: #000000; font-family: Times New Roman;\">The graph in the preceding figure shows the trend of concurrent online IP addresses in 1:00\u20132:00 a.m. on March 24, 2017. From the graph, we can see that at a specific point of time up to 21 (the maximum in the one hour) IP addresses were accessing the website simultaneously. Throughout the hour, the total number of IP addresses accessing the website reached 1178. There was no obvious sudden increase in the number of accessing IP addresses, and therefore we consider access to the website in that hour to be normal.<\/span><\/p>\n<h3>Preliminary Conclusion \u2013 Downstream Traffic Contributing to the Traffic Burst<\/h3>\n<p><span style=\"color: #000000; font-family: Times New Roman;\">Our preliminary conclusion is that the traffic burst from 1:30 to 1:35 a.m. 
was caused by downstream traffic from the official website of Apple, which increased suddenly from 2 Mbps to 600 Mbps, including 461.5 Mbps FIN-ACK traffic and 176.6 Mbps RST traffic.<\/span><\/p>\n<p style=\"text-align: center;\">Statistics of downstream traffic by TCP flag<\/p>\n<table style=\"height: 315px;\" width=\"769\">\n<thead>\n<tr>\n<td width=\"58\">\n<p style=\"text-align: center;\"><strong>Traffic Type<\/strong><\/p>\n<\/td>\n<td style=\"text-align: center;\" width=\"83\"><strong>Total (Bytes\/Packets)<\/strong><\/td>\n<td style=\"text-align: center;\" width=\"96\"><strong>Peak Size (bps\/pps)<\/strong><\/td>\n<td style=\"text-align: center;\" width=\"66\"><strong>Avg Size (bps\/pps)<\/strong><\/td>\n<td style=\"text-align: center;\" width=\"47\"><strong>Flows<\/strong><\/td>\n<td style=\"text-align: center;\" width=\"84\"><strong>Start Time<\/strong><\/td>\n<td style=\"text-align: center;\" width=\"95\"><strong>End Time<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"58\">FIN-ACK<\/td>\n<td width=\"83\">51.4G\/86.9M<\/td>\n<td width=\"96\">461.5M\/779.5K<\/td>\n<td width=\"66\">14.3M\/24.2K<\/td>\n<td width=\"47\">302<\/td>\n<td width=\"84\">2017-03-24 01:00:07<\/td>\n<td width=\"95\">2017-03-24 01:59:59<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\" width=\"58\">RST<\/td>\n<td style=\"text-align: center;\" width=\"83\">8.7G\/14.7M<\/td>\n<td style=\"text-align: center;\" width=\"96\">176.6M\/298.3K<\/td>\n<td style=\"text-align: center;\" width=\"66\">2.6M\/4.4K<\/td>\n<td style=\"text-align: center;\" width=\"47\">24<\/td>\n<td style=\"text-align: center;\" width=\"84\">2017-03-24 01:04:30<\/td>\n<td width=\"95\">\n<p style=\"text-align: center;\">2017-03-24 01:59:59<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Drilling Data Down by Time (5-Minute Period)<\/h2>\n<h3>Creation of a Time Filter<\/h3>\n<p><span style=\"color: #000000; font-family: Times New Roman;\">Drag the traffic burst area. 
Then the system automatically creates a time filter with the granularity of 5 minutes.<\/span><\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/9..png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1037 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/9..png\" alt=\"\" width=\"925\" height=\"631\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Dragging the traffic burst period to generate a time filter<\/p>\n<h3>Analysis of Traffic Details<\/h3>\n<p><span style=\"color: #000000; font-family: Times New Roman;\">The five-minute traffic trend provides a clearer picture about traffic generated in that period.<\/span><\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/10..png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1038 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/10..png\" alt=\"\" width=\"933\" height=\"644\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Traffic burst details<\/p>\n<h3>Analysis of Traffic Details from the Perspective of TCP Flags<\/h3>\n<p><span style=\"color: #000000; font-family: Times New Roman;\">From the distribution of traffic by TCP flag, we can further find out which TCP flags are most frequently seen in packets. 
In this case, FIN-ACK and RST packets contributed the largest proportion of traffic.<\/span><\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/11..png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1039 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/11..png\" alt=\"\" width=\"942\" height=\"832\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Details of bursting traffic from the perspective of TCP flags<\/p>\n<h3>Pareto Chart-based Analysis to Locate the Target and Find Suspicious IP Addresses<\/h3>\n<p>In the case of traffic bursts, we can create a time filter to analyze the bursting traffic more accurately.<\/p>\n<p>Under <strong>Service Analysis &amp; Traceback &gt; IP<\/strong>, we can mine raw data for scenario analysis. After clicking <strong>Pareto Chart<\/strong>, we can define elements of flows for further analysis by using the precisely defined Pareto chart analysis method.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/12..png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-1040 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/12.-1024x613.png\" alt=\"\" width=\"640\" height=\"383\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Pareto chart<\/p>\n<p><span style=\"color: #000000; font-family: Times New Roman;\">The preceding figure shows the Pareto chart of traffic specific to an IP address in 1:30:04\u20131:33:03 a.m. on March 24, 2017. From the traffic graph, we can see that the source IP address and destination IP address on the top of the list contributed 99.68% of traffic. The statistics table also shows that the traffic between the two IP addresses amounts to 7.5 GB or 101.5M packets and peaks at 132.5 Mbps or 1.8 Mpps. 
Besides, the number of flows between them is also far greater than that for other IP addresses, which generated a very small proportion of traffic.<\/span><\/p>\n<h3>Analysis of the Destination IP Address<\/h3>\n<p>Having identified the destination IP address receiving abnormal traffic, we can perform a targeted analysis on this IP address after clicking <strong>TCP Flag Traffic\/Flows<\/strong> and then creating a filter for this IP address.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/13..png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-1041 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/13.-1024x77.png\" alt=\"\" width=\"640\" height=\"48\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Creating a filter<\/p>\n<p>Under <strong>Service Analysis &amp; Traceback &gt; IP<\/strong>, we can mine raw data for scenario analysis. After clicking <strong>Query<\/strong>, we can learn the total volume, peak size, and number of flows of traffic to this destination IP address.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/14..png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-1042 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/14.-1024x467.png\" alt=\"\" width=\"640\" height=\"292\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Traffic\/flow graph and table<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/15..png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-1043 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/15.-1024x610.png\" alt=\"\" width=\"640\" height=\"381\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Detailed traffic\/flow statistics<\/p>\n<p><span style=\"color: #000000; font-family: Times New Roman;\">The preceding figures show traffic and flows 
specific to an IP address in 1:30:04\u20131:33:03 a.m. on March 24, 2017. From the traffic\/flow table, we can see that traffic peaks at 624.7 Mbps or 1.1 Mpps and amounts to 60.1 GB or 101.5M packets. Then from the detailed traffic\/flow statistics, we can see that all downstream traffic related to the aforementioned source IP address and destination IP address was from port 443 to port 9069 and a traffic burst occurred. The problem was clearly attributable to this pair of IP addresses.<\/span><\/p>\n<h2>Conclusion<\/h2>\n<p>1. A telecom carrier&#8217;s firewall reported an exception as a result of an intranet IP address accessing an IP address of Apple.<\/p>\n<p>2. We conducted a comparative analysis of the upstream and downstream traffic in the period of 1:30\u20131:35 a.m. It turned out that, in those 5 minutes, an intranet IP address received downstream traffic of 624 Mbps from Apple, in contrast to upstream traffic of only 21 kbps.<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/16..png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-1044 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/16.-1024x605.png\" alt=\"\" width=\"640\" height=\"378\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Upstream traffic statistics<\/p>\n<p><a href=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/17..png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-1045 aligncenter\" src=\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/12\/17.-1024x467.png\" alt=\"\" width=\"640\" height=\"292\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Downstream traffic statistics<\/p>\n<p style=\"text-align: left;\">3. We found that traffic between the source IP address and the destination IP address experienced a sudden increase in a short period, and all of it was from port 443 of Apple to port 9069. 
In addition, some types of packets contributed a large proportion of the DDoS traffic. Therefore, it is likely that communication between these two IP addresses was the cause of the problem.<\/p>\n<p style=\"text-align: left;\">4. Analyzing traffic from the perspective of TCP flags, we found no SYN packets in upstream traffic. In downstream traffic, FIN-ACK traffic peaked at 461.5 Mbps and RST traffic peaked at 176.6 Mbps.<\/p>\n<p style=\"text-align: left;\">5. The two IP addresses, according to NSFOCUS Threat Intelligence (NTI), are both safe and have never been involved in any DDoS events.<\/p>\n<p style=\"text-align: left;\"><span style=\"color: #000000; font-family: Times New Roman;\">The next step is to analyze the involved IP address behind the firewall and determine which type of device uses port 9069. (The telecom carrier&#8217;s log system should contain the relevant messages.)<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>An abnormal increase in the CPU usage of a telecom carrier&#8217;s 4G firewall substantially slowed down the access from some iPhone users to the Apple website. We suspected that the carrier was hit by a DDoS attack. 
With the visualized traceback function of NSFOCUS Big Data Security Analytics (BSA), we made a drill-down analysis of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":35809,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","footnotes":""},"categories":[5,15],"tags":[106,371],"class_list":["post-7641","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ddos-mitigation","category-research-reports","tag-attribution","tag-ddos"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Traceback of a DDoS Attack - NSFOCUS<\/title>\n<meta name=\"robots\" content=\"noindex, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"pt_BR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Traceback of a DDoS Attack - NSFOCUS\" \/>\n<meta property=\"og:description\" content=\"An abnormal increase in the CPU usage of a telecom carrier&#039;s 4G firewall substantially slowed down the access from some iPhone users to the Apple website.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/nsfocusglobal.com\/traceback-of-a-ddos-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"NSFOCUS\" \/>\n<meta property=\"article:published_time\" content=\"2018-01-01T07:30:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/01\/1.-1024x222-1.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Traceback of a DDoS Attack - NSFOCUS\" \/>\n<meta name=\"twitter:description\" content=\"An 
abnormal increase in the CPU usage of a telecom carrier&#039;s 4G firewall substantially slowed down the access from some iPhone users to the Apple website.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/01\/1.-1024x222-1.png\" \/>\n<meta name=\"twitter:label1\" content=\"Escrito por\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. tempo de leitura\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutos\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/traceback-of-a-ddos-attack\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/traceback-of-a-ddos-attack\\\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/person\\\/fd9ab61c9c77a81bbd870f725cc0c61d\"},\"headline\":\"Traceback of a DDoS Attack\",\"datePublished\":\"2018-01-01T07:30:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/traceback-of-a-ddos-attack\\\/\"},\"wordCount\":2179,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/traceback-of-a-ddos-attack\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2018\\\/01\\\/1.-1024x222-1.png\",\"keywords\":[\"Attribution\",\"DDoS\"],\"articleSection\":[\"DDoS Mitigation\",\"Research &amp; 
Reports\"],\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/nsfocusglobal.com\\\/traceback-of-a-ddos-attack\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/traceback-of-a-ddos-attack\\\/\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/traceback-of-a-ddos-attack\\\/\",\"name\":\"Traceback of a DDoS Attack - NSFOCUS\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/traceback-of-a-ddos-attack\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/traceback-of-a-ddos-attack\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2018\\\/01\\\/1.-1024x222-1.png\",\"datePublished\":\"2018-01-01T07:30:14+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/traceback-of-a-ddos-attack\\\/#breadcrumb\"},\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/nsfocusglobal.com\\\/traceback-of-a-ddos-attack\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/traceback-of-a-ddos-attack\\\/#primaryimage\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2018\\\/01\\\/1.-1024x222-1.png\",\"contentUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2018\\\/01\\\/1.-1024x222-1.png\",\"width\":1024,\"height\":222,\"caption\":\"Web interface with text fields and buttons.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/traceback-of-a-ddos-attack\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/nsfocusglobal.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Traceback of a DDoS 
Attack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#website\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/\",\"name\":\"NSFOCUS\",\"description\":\"Security Made Smart and Simple\",\"publisher\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"pt-BR\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#organization\",\"name\":\"NSFOCUS\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/logo-ns.png\",\"contentUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/logo-ns.png\",\"width\":248,\"height\":36,\"caption\":\"NSFOCUS\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/person\\\/fd9ab61c9c77a81bbd870f725cc0c61d\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"http
s:\\\/\\\/nsfocusglobal.com\"],\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/author\\\/admin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Traceback of a DDoS Attack - NSFOCUS","robots":{"index":"noindex","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"pt_BR","og_type":"article","og_title":"Traceback of a DDoS Attack - NSFOCUS","og_description":"An abnormal increase in the CPU usage of a telecom carrier's 4G firewall substantially slowed down the access from some iPhone users to the Apple website.","og_url":"https:\/\/nsfocusglobal.com\/traceback-of-a-ddos-attack\/","og_site_name":"NSFOCUS","article_published_time":"2018-01-01T07:30:14+00:00","og_image":[{"url":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/01\/1.-1024x222-1.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_title":"Traceback of a DDoS Attack - NSFOCUS","twitter_description":"An abnormal increase in the CPU usage of a telecom carrier's 4G firewall substantially slowed down the access from some iPhone users to the Apple website.","twitter_image":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/01\/1.-1024x222-1.png","twitter_misc":{"Escrito por":"admin","Est. 
tempo de leitura":"11 minutos"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/nsfocusglobal.com\/traceback-of-a-ddos-attack\/#article","isPartOf":{"@id":"https:\/\/nsfocusglobal.com\/traceback-of-a-ddos-attack\/"},"author":{"name":"admin","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/person\/fd9ab61c9c77a81bbd870f725cc0c61d"},"headline":"Traceback of a DDoS Attack","datePublished":"2018-01-01T07:30:14+00:00","mainEntityOfPage":{"@id":"https:\/\/nsfocusglobal.com\/traceback-of-a-ddos-attack\/"},"wordCount":2179,"commentCount":0,"publisher":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#organization"},"image":{"@id":"https:\/\/nsfocusglobal.com\/traceback-of-a-ddos-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/01\/1.-1024x222-1.png","keywords":["Attribution","DDoS"],"articleSection":["DDoS Mitigation","Research &amp; Reports"],"inLanguage":"pt-BR","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/nsfocusglobal.com\/traceback-of-a-ddos-attack\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/nsfocusglobal.com\/traceback-of-a-ddos-attack\/","url":"https:\/\/nsfocusglobal.com\/traceback-of-a-ddos-attack\/","name":"Traceback of a DDoS Attack - 
NSFOCUS","isPartOf":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#website"},"primaryImageOfPage":{"@id":"https:\/\/nsfocusglobal.com\/traceback-of-a-ddos-attack\/#primaryimage"},"image":{"@id":"https:\/\/nsfocusglobal.com\/traceback-of-a-ddos-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/01\/1.-1024x222-1.png","datePublished":"2018-01-01T07:30:14+00:00","breadcrumb":{"@id":"https:\/\/nsfocusglobal.com\/traceback-of-a-ddos-attack\/#breadcrumb"},"inLanguage":"pt-BR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/nsfocusglobal.com\/traceback-of-a-ddos-attack\/"]}]},{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/nsfocusglobal.com\/traceback-of-a-ddos-attack\/#primaryimage","url":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/01\/1.-1024x222-1.png","contentUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/01\/1.-1024x222-1.png","width":1024,"height":222,"caption":"Web interface with text fields and buttons."},{"@type":"BreadcrumbList","@id":"https:\/\/nsfocusglobal.com\/traceback-of-a-ddos-attack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/nsfocusglobal.com\/"},{"@type":"ListItem","position":2,"name":"Traceback of a DDoS Attack"}]},{"@type":"WebSite","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#website","url":"https:\/\/nsfocusglobal.com\/pt-br\/","name":"NSFOCUS","description":"Security Made Smart and 
Simple","publisher":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/nsfocusglobal.com\/pt-br\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"pt-BR"},{"@type":"Organization","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#organization","name":"NSFOCUS","url":"https:\/\/nsfocusglobal.com\/pt-br\/","logo":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/logo\/image\/","url":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/08\/logo-ns.png","contentUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/08\/logo-ns.png","width":248,"height":36,"caption":"NSFOCUS"},"image":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/person\/fd9ab61c9c77a81bbd870f725cc0c61d","name":"admin","image":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/secure.gravatar.com\/avatar\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/nsfocusglobal.com"],"url":"https:\/\/nsfocusglobal.com\/pt-br\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts\/7641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/user
s\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/comments?post=7641"}],"version-history":[{"count":0,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts\/7641\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/media\/35809"}],"wp:attachment":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/media?parent=7641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/categories?post=7641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/tags?post=7641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}