/plushcap/analysis/cloudflare/ddos-packet-forensics-take-me-to-the-hex

DDoS Packet Forensics: Take me to the hex!

What's this blog post about?

John Graham-Cumming and his colleague Marek discovered a DDoS attack against one of their DNS servers, with the source IP address being spoofed. They noticed a correlation between the TTL field in the IP header and the IPv4 source address. The 'random' source port was found to be the first two bytes of the random IP source address reversed. A relationship between the TTL and the first byte of the IP address was also established, as well as one between the DNS ID field and the first two bytes of the source IP. However, the method by which the random source IPs are generated remains a mystery.

Company
Cloudflare

Date published
Jan. 6, 2015

Author(s)
John Graham-Cumming

Word count
666

Language
English

Hacker News points
None found.


By Matt Makai. 2021-2024.