Triggers
- An internal host appears to be taking part in a Denial- of-Service (DoS) campaign on an external IP address
- The form of DoS detection has two types: “SYN Flood” and “Slowloris”
Possible Root Causes
- The internal host is infected and has become part of a botnet and is being instructed by its bot herder to perform a DoS attack on an external system, which is a relatively common way for a botnet to make money
- An internal host is misconfigured and continually, in high volume, tries to connect to an external IP address
Business Impact
- Botnet activity presents several risks to the organization: (1) it creates noise which may hide more serious issues; (2) there is a chance your organization’s IP will end up on black lists; and (3) the compromised host can always be instructed to perform a direct attack on the organization
- The sheer volume of flood attacks may materially affect the amount of bandwidth available for legitimate functions which need to access the Internet
Steps to Investigate
- Explore if there is a legitimate reason for the host to be connecting to the suspected victim of the attack
- Contact the user of the host to see whether they are trying to perform some unusual task which might trigger the DoS detection
- Check the host for presence of malware that is participating in a DoS attack