• An internal host appears to be taking part in a Denial- of-Service (DoS) campaign on an external IP address
  • The form of DoS detection has two types: “SYN Flood” and “Slowloris”

Possible Root Causes

  • The internal host is infected and has become part of a botnet and is being instructed by its bot herder to perform a DoS attack on an external system, which is a relatively common way for a botnet to make money
  • An internal host is misconfigured and continually, in high volume, tries to connect to an external IP address

Business Impact

  • Botnet activity presents several risks to the organization: (1) it creates noise which may hide more serious issues; (2) there is a chance your organization’s IP will end up on black lists; and (3) the compromised host can always be instructed to perform a direct attack on the organization
  • The sheer volume of flood attacks may materially affect the amount of bandwidth available for legitimate functions which need to access the Internet

Steps to Investigate

  • Explore if there is a legitimate reason for the host to be connecting to the suspected victim of the attack
  • Contact the user of the host to see whether they are trying to perform some unusual task which might trigger the DoS detection
  • Check the host for presence of malware that is participating in a DoS attack