Outbound DoS

Signs of Outbound DoS

  • An internal host appears to be taking part in a Denial-of-Service (DoS) campaign against an external IP address
  • The detection distinguishes two forms of DoS: “SYN Flood” and “Slowloris”
  • The threat score is driven by the volume of data sent in the detected DoS sessions
  • The certainty score is driven by the number of DoS sessions and how long the attack is sustained
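
As an added illustration of the signs listed above (not Vectra's own logic), the toy triage below groups constructed flow records by internal source and external destination, separates the two forms the detection names (SYN-only sessions that never complete a handshake versus long-lived, near-idle connections), and derives a threat score from bytes sent and a certainty score from session count and sustained duration. The flow-record fields, sample addresses and every threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    """One flow record; field names are assumptions, not a real sensor format."""
    src: str        # internal host
    dst: str        # external IP
    start: float    # epoch seconds
    end: float
    bytes_out: int  # bytes sent by src
    flags: str      # TCP flags seen from src, e.g. "S" = SYN only, "SA" = completed handshake

# Constructed sample data: 10.0.0.5 sends 400 SYN-only sessions to 203.0.113.10,
# 10.0.0.9 holds 150 five-minute connections carrying 40 bytes each to 198.51.100.7,
# and 10.0.0.3 does one ordinary web fetch.
FLOWS = (
    [Flow("10.0.0.5", "203.0.113.10", 1000 + i * 0.01, 1000.5 + i * 0.01, 60, "S") for i in range(400)]
    + [Flow("10.0.0.9", "198.51.100.7", 2000.0, 2300.0, 40, "SA") for _ in range(150)]
    + [Flow("10.0.0.3", "192.0.2.44", 3000.0, 3001.0, 15000, "SAF")]
)

def classify(flows, min_sessions=100):
    """Group flows by (internal src, external dst) and flag the two DoS forms.
    All thresholds are illustrative assumptions."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst)].append(f)
    findings = []
    for (src, dst), fl in groups.items():
        if len(fl) < min_sessions:          # too few sessions to call it a flood
            continue
        syn_only = sum(f.flags == "S" for f in fl) / len(fl)
        mean_dur = sum(f.end - f.start for f in fl) / len(fl)
        total_bytes = sum(f.bytes_out for f in fl)
        per_session_rate = total_bytes / len(fl) / max(mean_dur, 1e-9)  # bytes/s per session
        if syn_only > 0.9:                  # handshakes never completed
            form = "SYN Flood"
        elif mean_dur > 60 and per_session_rate < 1.0:  # long-lived, near-idle connections
            form = "Slowloris"
        else:
            continue
        span = max(f.end for f in fl) - min(f.start for f in fl)   # how long the activity was sustained
        threat = min(100, total_bytes // 1000)                     # driven by data volume: 1 point per KB
        certainty = min(100, len(fl) // 10 + int(span // 30))      # driven by session count and duration
        findings.append({"src": src, "dst": dst, "form": form, "sessions": len(fl),
                         "threat": threat, "certainty": certainty})
    return findings
```

The single normal web fetch never reaches the session threshold and is ignored, which is the behaviour an analyst wants when separating a misconfigured or compromised host from ordinary traffic.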

Why Attackers Use DoS

  • The internal host is infected, has become part of a botnet, and is being instructed by its bot herder to perform a DoS attack on an external system; this is a relatively common way for a botnet to make money
  • An internal host is misconfigured and continually tries, in high volume, to connect to an external IP address

Business Impact of an Outbound DoS

  • Botnet activity presents several risks to the organization: (1) it creates noise which may hide more serious issues; (2) there is a chance your organization’s IP will end up on blacklists; and (3) the compromised host can always be instructed to perform a direct attack on the organization
  • The sheer volume of flood attacks may materially affect the amount of bandwidth available for legitimate functions which need to access the Internet

How to Investigate Outbound DoS

  1. Determine whether there is a legitimate reason for the host to be connecting to the suspected victim of the attack
  2. Contact the user of the host to see whether they are trying to perform some unusual task which might trigger the DoS detection
  3. Check the host for the presence of malware that is participating in a DoS attack

White Paper

Understanding Vectra AI

Vectra AI is a leading AI-driven threat detection and response platform. It uses machine learning to analyze network traffic and other data to identify and prioritize real threats.

This document provides a comprehensive guide to Vectra detections, including:

  • What Vectra detections are and how they work
  • Specific detections that Vectra can identify
  • How to interpret and respond to Vectra detections