Hunting
Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph
Goal
- Confuse attribution
- Pollute logs
- Appear distributed
Red flags
- Multiple source IPs targeting same host
- Identical TTL values across “different” IPs
- Identical TCP window sizes
- Same TCP options
- Same port timing pattern
Defense
Have our IDS/IPS/Firewall act as the destination host would- In the sense that reconstructing the packets gives a clear indication of malicious activity.Watch for connections started by one host, and taken over by another- The attacker after all has to reveal their true source address in order to see that a port is open. This is strange behavior and we can define our rules to prevent it.
Filters
# Many sources → one destination
tcp.flags.syn == 1 && tcp.flags.ack == 0
# Check identical TCP fingerprints
tcp.flags.syn == 1