Lately, RSA FirstWatch has seen an increase in malware samples that engage in webflood DDoS attacks. A DDoS attack against a web server is easy to see but hard to detect: its network behavior is usually not unique enough to let you filter it out in the future in order to look for new and unknown intelligence. That is not always the case, however, as malware authors sometimes introduce indicators that make your task as an investigator easier, as explained in this post.
One of our Security Analytics reports looks for hostnames that are involved in web traffic in our sandbox environment. That report is tuned to filter out ad servers and exe downloaders in order to focus on identifying new patterns. Investigating the top result of today's report showed us a large number of HTTP sessions between the same source IP address and the same destination hostname. That could be a sign of a webflood DDoS attack, but can we confirm it? And more importantly, can we spot a pattern?
In RSA Security Analytics, you can refocus your investigation on a certain meta value to find out all the network traffic associated with that value of interest.
In the screenshot below, you can see that the source IP address was involved in malicious and suspicious network behavior. You can also see a large number of HTTP sessions.
Looking only at those HTTP sessions, we recognized a pattern that can help identify this kind of webflood DDoS attack in the future: the malware author decided to use very long, dynamically generated user names in the HTTP requests.
You could create a rule, call it for example DDoS Username Length Flood, and alert it to your Alerts field or Risk.Suspicious. The contents would be:
username length 40-u
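The same check can be expressed outside Security Analytics, for example as a small script run over proxy or sandbox HTTP session logs. The following is an added example, not code from the original post or from RSA; the log format, the field names and the sample records are constructed for illustration. It treats the rule's 40-u range as "40 characters or more", and, beyond the single-field rule above, it also groups the long-username sessions by source IP and destination host and reports how many distinct usernames each pair used, which is what distinguishes dynamically generated names from one legitimately long account name repeated many times.

```python
from collections import defaultdict

# Constructed sample HTTP session records (not taken from the original post).
# Fields: timestamp, source IP, destination host, HTTP username ("-" = none).
SAMPLE_LOG = """\
2014-01-01T10:00:01 10.0.0.5 www.example-target.test user=aB3xQ9kL2mN8pR4tV6wY1zC5eF7gH0jK3lM9nP2qS4uW
2014-01-01T10:00:01 10.0.0.5 www.example-target.test user=Q7wE2rT5yU8iO1pA4sD6fG9hJ2kL5zX8cV1bN4mM7qW
2014-01-01T10:00:02 10.0.0.5 www.example-target.test user=Z9xC4vB7nM1qW5eR8tY2uI6oP3aS7dF0gH4jK9lL2m
2014-01-01T10:00:02 10.0.0.7 mail.corp.test user=jsmith
2014-01-01T10:00:03 10.0.0.5 www.example-target.test user=-
2014-01-01T10:00:03 10.0.0.9 cdn.ads.test user=-
"""

# Mirrors the post's "username length 40-u" rule: 40 characters and up.
MIN_USERNAME_LENGTH = 40


def parse_session(line):
    """Parse one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].startswith("user="):
        return None
    username = parts[3][len("user="):]
    return {
        "timestamp": parts[0],
        "src": parts[1],
        "host": parts[2],
        "username": "" if username == "-" else username,
    }


def is_suspicious_username(username, min_len=MIN_USERNAME_LENGTH):
    """The per-session condition of the rule: username length in the range min_len-u."""
    return len(username) >= min_len


def find_webflood_candidates(log_text, min_len=MIN_USERNAME_LENGTH, min_sessions=2):
    """Group long-username sessions by (source IP, destination host).

    Returns a dict keyed by that pair with the number of matching sessions and
    the number of distinct usernames seen, for pairs with at least min_sessions hits.
    A high count with all-distinct usernames fits the dynamically generated
    pattern described in the post; a high count with one repeated username does not.
    """
    per_pair = defaultdict(list)
    for raw in log_text.splitlines():
        session = parse_session(raw)
        if session is None:
            continue
        if is_suspicious_username(session["username"], min_len):
            per_pair[(session["src"], session["host"])].append(session["username"])

    candidates = {}
    for pair, names in per_pair.items():
        if len(names) >= min_sessions:
            candidates[pair] = {
                "long_username_sessions": len(names),
                "distinct_usernames": len(set(names)),
            }
    return candidates


if __name__ == "__main__":
    for (src, host), stats in find_webflood_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {stats['long_username_sessions']} sessions with "
              f"usernames of {MIN_USERNAME_LENGTH}+ chars, "
              f"{stats['distinct_usernames']} distinct usernames")
```

Tune `min_sessions` to your environment; a single long username is not interesting, but many of them from one source to one host in a short window is the signal the report surfaced.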
VirusTotal has a very poor detection rate for the sample examined in this post.