Skip to main content
Version: 6.2

Network Security

Access

Brute Force Access Attempt (CLI)

An anomalously high number of failed connection attempts were observed to common remote CLI ports (SSH, telnet, etc.). This can indicate a brute force login attack.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_brute_force_cli
Job for ECSelastiflow_ecs_netsec_brute_force_cli
Analysis Typepopulation
Required Dataclient IP & port, server IP & port
MITRE ATT&CK TechniqueBrute Force (T1110)
MITRE ATT&CK Sub-TechniquePassword Guessing (T1110.001)
MITRE ATT&CK TacticCredential Access (TA0006)

Activity

Rare Client-Side Autonomous System

This anomaly detector identifies client-side traffic to/from a rare autonomous system. Rarely occuring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic doesn't directly indicate malicious activity, it should be further investigated.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_rare_asn_client
Job for ECSelastiflow_ecs_netsec_rare_asn_client
Analysis Typetemporal
Required Dataclient AS, layer-4 session establishment

Rare Server-Side Autonomous System

This anomaly detector identifies server-side traffic to/from a rare autonomous system. Rarely occuring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic doesn't directly indicate malicious activity, it should be further investigated.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_rare_asn_server
Job for ECSelastiflow_ecs_netsec_rare_asn_server
Analysis Typetemporal
Required Dataserver AS, layer-4 session establishment

Rare Conversation (inbound)

This anomaly detector identifies rare inbound (public to private) conversations. Rarely occuring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic doesn't directly indicate malicious activity, it should be further investigated.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_rare_conversation_inbound
Job for ECSelastiflow_ecs_netsec_rare_conversation_inbound
Analysis Typetemporal
Required Dataconversation ID, client AS, server AS, layer-4 session establishment

Rare Conversation (outbound)

This anomaly detector identifies rare outbound (private to public) conversations. Rarely occuring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic doesn't directly indicate malicious activity, it should be further investigated.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_rare_conversation_outbound
Job for ECSelastiflow_ecs_netsec_rare_conversation_outbound
Analysis Typetemporal
Required Dataconversation ID, client AS, server AS, layer-4 session establishment

Rare Conversation (private)

This anomaly detector identifies rare private conversations. Rarely occuring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic doesn't directly indicate malicious activity, it should be further investigated.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_rare_conversation_private
Job for ECSelastiflow_ecs_netsec_rare_conversation_private
Analysis Typetemporal
Required Dataconversation ID, client AS, server AS, layer-4 session establishment

Amplification Attacks

Generic DDoS Attack (UDP Amplification)

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open UDP services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_ddos_generic_udp_amplification
Job for ECSelastiflow_ecs_netsec_ddos_generic_udp_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

CHARGEN Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Character Generator Protocol (CHARGEN) services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_chargen_amplification
Job for ECSelastiflow_ecs_netsec_chargen_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

DNS Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open DNS resolvers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_dns_amplification
Job for ECSelastiflow_ecs_netsec_dns_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

Kad Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Kademlia DHT peers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_kad_amplification
Job for ECSelastiflow_ecs_netsec_kad_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

LDAP Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open LDAP servers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_ldap_amplification
Job for ECSelastiflow_ecs_netsec_ldap_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

mDNS Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open mDNS resolvers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_mdns_amplification
Job for ECSelastiflow_ecs_netsec_mdns_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

Memcached Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Memcached servers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_memcached_amplification
Job for ECSelastiflow_ecs_netsec_memcached_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

MSSQL Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open MSSQL servers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_mssql_amplification
Job for ECSelastiflow_ecs_netsec_mssql_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

NETBIOS Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open NETBIOS services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_netbios_amplification
Job for ECSelastiflow_ecs_netsec_netbios_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

NTP Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open NTP services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_ntp_amplification
Job for ECSelastiflow_ecs_netsec_ntp_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

QOTD Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Quote of the Day (QOTD) services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_qotd_amplification
Job for ECSelastiflow_ecs_netsec_qotd_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

Quake Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Quake services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_quake_amplification
Job for ECSelastiflow_ecs_netsec_quake_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

RADIUS Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open RADIUS services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_radius_amplification
Job for ECSelastiflow_ecs_netsec_radius_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

RIP Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Routing Information Protocol (RIP) enabled routers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_rip_amplification
Job for ECSelastiflow_ecs_netsec_rip_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

RPC Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Remote Procedure Call (RPC) services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_rpc_amplification
Job for ECSelastiflow_ecs_netsec_rpc_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

Sentinel SPSS Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open SPSS (Sentinel RMS) License Manager services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_sentinel_spss_amplification
Job for ECSelastiflow_ecs_netsec_sentinel_spss_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

SNMP Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open SNMP services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_snmp_amplification
Job for ECSelastiflow_ecs_netsec_snmp_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

SSDP Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open SSDP services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_ssdp_amplification
Job for ECSelastiflow_ecs_netsec_ssdp_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

Steam Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Steam services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_steam_amplification
Job for ECSelastiflow_ecs_netsec_steam_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

TFTP Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Trivial File Transfer Protocol (TFTP) services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_tftp_amplification
Job for ECSelastiflow_ecs_netsec_tftp_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

WSD Amplification Attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Web Services for Devices (WSD) services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_wsd_amplification
Job for ECSelastiflow_ecs_netsec_wsd_amplification
Analysis Typetemporal
Required Datasource IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueReflection Amplification (T1498.002)
MITRE ATT&CK TacticImpact (TA0040)

Data Exfiltration

DNS Exfiltration

COMING SOON!

Flood Attacks

Generic DDoS Attack (TCP)

A Distributed Denial of Service (DDoS) attempts to make a service unavailable by directly sending a high-volume of TCP traffic from multiple sources to the targeted TCP listener.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_ddos_generic_tcp
Job for ECSelastiflow_ecs_netsec_ddos_generic_tcp
Analysis Typetemporal
Required Dataclient IP & AS, server IP & port, layer-4 protocol
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueDirect Network Flood (T1498.001)
MITRE ATT&CK TacticImpact (TA0040)

ICMP Flood DDoS Attack

An ICMP flood is a denial-of-service attack in which the attacker attempts to overwhelm a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic. When the attack traffic comes from multiple devices, the attack becomes a DDoS or distributed denial-of-service attack.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_icmp_flood_ddos
Job for ECSelastiflow_ecs_netsec_icmp_flood_ddos
Analysis Typetemporal
Required Datasource IP & AS, destination IP, layer-4 protocol
RestrictionsApplies only to Netflow and IPFIX flow records.
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueDirect Network Flood (T1498.001)
MITRE ATT&CK TacticImpact (TA0040)

ICMP Flood Direct Attack

A ICMP flood is a denial-of-service attack in which the attacker attempts to overwhelm a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_icmp_flood_direct
Job for ECSelastiflow_ecs_netsec_icmp_flood_direct
Analysis Typepopulation
Required Datasource IP & AS, destination IP, layer-4 protocol
RestrictionsApplies only to Netflow and IPFIX flow records.
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueDirect Network Flood (T1498.001)
MITRE ATT&CK TacticImpact (TA0040)

SYN Flood DDoS Attack

A SYN flood (half-open attack) DDoS attack is a type of denial-of-service (DDoS) attack in which multiple sources are used with the aim of making a server unavailable to legitimate traffic by consuming all available server resources. By repeatedly sending initial connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_syn_flood_ddos
Job for ECSelastiflow_ecs_netsec_syn_flood_ddos
Analysis Typetemporal
Required Dataclient IP & AS, server IP & port, TCP flags
RestrictionsApplies only to Netflow and IPFIX flow records.
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueDirect Network Flood (T1498.001)
MITRE ATT&CK TacticImpact (TA0040)

SYN Flood Direct Attack

A SYN flood (half-open attack) direct attack is a type of denial-of-service (DDoS) attack in which a single source aims to make a server unavailable to legitimate traffic by consuming all available server resources. By repeatedly sending initial connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_syn_flood_direct
Job for ECSelastiflow_ecs_netsec_syn_flood_direct
Analysis Typepopulation
Required Dataclient IP & AS, server IP & port, TCP flags
RestrictionsApplies only to Netflow and IPFIX flow records.
MITRE ATT&CK TechniqueNetwork Denial of Service (T1498)
MITRE ATT&CK Sub-TechniqueDirect Network Flood (T1498.001)
MITRE ATT&CK TacticImpact (TA0040)

Reconnaissance

Port Scan (fast)

A client accessed an anomalously high number of server ports, over a short period of time, compared to other clients. This can indicate port scanning activity, a reconnaissance method used by malicious actors to find vulnerable systems.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_port_scan_fast
Job for ECSelastiflow_ecs_netsec_port_scan_fast
Analysis Typepopulation
Required Dataclient IP & AS, server IP & port
MITRE ATT&CK TechniqueNetwork Service Scanning (T1046)
MITRE ATT&CK TacticDiscovery (TA0007)

Port Scan (slow)

A client accessed an anomalously high number of server ports over a long period of time, compared to other clients. This can indicate port scanning activity, a reconnaissance method used by malicious actors to find vulnerable systems.

AttributeDescription
Job for CODEXelastiflow_codex_netsec_port_scan_slow
Job for ECSelastiflow_ecs_netsec_port_scan_slow
Analysis Typepopulation
Required Dataclient IP & AS, server IP & port
MITRE ATT&CK TechniqueNetwork Service Scanning (T1046)
MITRE ATT&CK TacticDiscovery (TA0007)