How to Trace a DDoS Attack

A distributed denial of service (DDoS) attack prevents a website from functioning properly by flooding the targeted network or server with an overwhelming number of requests. The intention of the attacker behind these attacks is to prevent legitimate users from accessing the targeted website and servers.

What do you do if you find yourself under a DDoS attack?

The first step is to find the source of the DDoS attack. Not only is this important to understand who is behind it, but also to stop the attack. The fact that this assault targets numerous systems, including application servers, nameservers, and routers, raise the stakes further.

In this article, we’ll break down how to trace a DDoS attack and share some common mistakes to avoid while doing it.

1. Take Remedial Action Within the First 5 Minutes

The first five minutes when you find yourself under a DDoS attack is highly critical.

You have to take remedial steps to minimize the damage in real-time and get your website back online. First of all, use an IPS tool to filter out bad traffic at the edge and push the attack back upstream to enable your website to operate normally. This device can also trace the direct attackers (the infected bots) that launched the malicious packets at your system. 

However, you have to go deeper since these decoys are just the first layer of the attack.

Many botnet operators use IP addresses sourced from the darknet (i.e the unused IP addresses space held by ISPs) to make DDoS attacks more untraceable. So when you try to trace the attack back, you’ll only find the hijacked addresses and not the attacker behind them.

While you do this, always remember your priority isn’t to identify the cybercriminals—but to end the attack. Focus on filtering out the malicious traffic and work with other ISPs to identify whether the attack is spoofed or originates from another provider or a third party. Follow this up by blocking the botnets generating the traffic.

Alternatively, you can redirect traffic to a CDN (Content Delivery Network) and use a web application protection service to minimize the intensity of the attack. In case of large-scale suspicious DDoS traffic, you can use a WAF and an AI deep learning WAF.

2. Trace the Bots and Controllers Behind the DDoS Attack Within the First Hour

At this stage, the attacking packets are blocked and the targeted server or website is recovering. Next, you want to trace the command and control infrastructure behind the DDoS-attacking botnet.

A major challenge here is tracing back a botnet. This can take a lot of time and energy, which is something you don’t have in this critical time. Therefore, your best approach here is to IP traceback specific packets (or sequences of packets) coming in.

Here’s how to go about it:

  • Trace the bot’s IP and operating system
  • Track its geolocation, which could be anywhere in the world
  • Identify the backbone network providers of the bot
  • Reach out to them and make them stop

The above steps are feasible when you are tracking one or two bots. But tracking an entire botnet that can have over 30,000-35,000 infected bots isn’t.

So what do you do next? The DDoS attacker often uses one or more controllers or proxies to hide behind the botnet. That’s where you strike.

Attackers use these machines to send obfuscated or encrypted messages to these controllers. Go after them to trace the main source of the attack and contact the owners and ISPs to block these machines. Admittedly, this is more challenging than IP traceback, but it’s also far more efficient.

3. Use Forensics to Help You Investigate the DDoS Attack

Forensics use trace evidence to reconstruct the DDoS attack from the beginning to the end. But before that, they’ll actually need the evidence, which you’ll collect and provide by going as deep as possible into the affected network or server.

While the cybercriminals behind other DDoS attacks are masters at hiding and creating smokescreens to protect their true identity, they often make mistakes—something you can leverage to find valuable intelligence.

You want to understand the following when investigating the attack:

  • What is the motivation behind launching the attack? This will help you build a criminal profile and understand brother attacker is after money, power, or control.
  • Was the attacker only trying to open a backdoor or steal your data?
  • Carrying out a DDoS attack involves a lot of resources. Where do you think the attacker is getting them from?
  • Did the attacker use a DDoS Booter or a Botnet as a Service? Perhaps someone internally made a DNS request to one of these services? Look into it.
  • Can you identify whether the attacker was using any similar stress testing tools? (Hping, LOIC)
  • Is it possible to follow a payment trail for the DDoS attack?

Try to look at the attack from different angles to determine the real objective of the attack.

Common Problems When Tracing a DDoS Attack

In this section, we’ll take a look at the common mistakes made by victims of DDoS services. 

Not Familiarizing Themselves With the Signs of a DDoS Attack

Not many IT professionals realize they can detect a DDoS attack at the very beginning by familiarizing themselves with the many indirect signs. Here is a list of some of the more common DDoS Attack attack signs:

  • A rapid increase in incoming traffic on one or more ports
  • Server software and OS failing frequently and hanging—sometimes, even shutting down incorrectly
  • A sharp increase in load on your server’s hardware capacity, which differs significantly from the average daily indicators
  • Seeing multiple duplicated actions of the same type on the same resource
  • Detecting several requests of the same type from different sources to the same port or service

The greater your knowledge of the signs of DDoS attacks, the faster you can identify and take the necessary measures to limit its adverse effects. You don’t need deep, in-depth knowledge of DDoS attacks, but it’s good to have a fair idea of the common indications (both direct and indirect). 

Not Changing the Server IP or Calling Your Internet Service Provider (ISP)

When you’re under a full-scale DDoS attack, make sure you immediately change the server IP and DNS name to minimize the damage and stop the attack in its tracks. In case you find the attacker still being vigilant, start directing traffic to your new IP address. If even that fails, don’t hesitate to call your ISP and ask that to block or re-route the malicious traffic.

Failing to Monitor Attack Progression

Throughout the attack, you should continually monitor its progression to see how it develops over time. This can also help you collect the intelligence necessary to help forensics recreate the attack later.

Here are a few key questions you should use to try and assess the attack:

  • What kind of DDoS attack is it (application-layer attack, network-level flood)?
  • Can you outline the key characteristics of the attack?
  • How large is the scope of the attack (both in terms of packets-per-second and bits-per-second)?
  • Is the attack coming from a single IP source or multiple sources? Is it possible for you to identify them?
  • How would you describe the attack pattern (think: whether it’s a burst attack or a single sustained flood)? Does the attack involve a single protocol or multiple attack vectors?
  • Is the attacker focusing on the same target or are they changing their targets over time?

Finding out the answers to these questions will give you a better idea of the extent and intensity of the attack, plus figure out the right course of action to get your website or server back to normal faster.

Neglecting the DDoS Attack’s Architecture

You cannot trace a DDoS attack and identify who is behind it without studying the attack’s architecture.

As you now know, the basic anatomy of any DDoS attack is Attacker > Botnet > Victim. A botnet is a network of instruction-following bots. Without it, the attacker is just a DoS, which is a much weaker and easier-to-stop form of cyber assault, plus it’s also easier to trace.

Adding a botnet into the picture boosts the attack’s efficiency and power while also concealing the source. It’s possible that you may not be able to identify the source IP of these bots, but it’s still worth trying.

Final Thoughts

Tracing a DDoS attack that comes from thousands of infected machines turned into “zombie“ bots isn’t an easy feat. But using a few popular tools, such as reverse engineering, mitigation, and forensics, can give you an upper hand, helping minimize the damage from these attacks and getting your system and server functioning like normal.

We hope this article helps you strategize and create an effective action plan to trace a DDoS attack. Nevertheless, the best course of action is to practice precaution and implement measures and systems to prevent a DDoS attack from occurring in the first place.

Incredible companies use Nira

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
Former VP of IT at GitLab

Incredible companies use Nira