Network Security

Access

Brute Force Access Attempt (CLI)

An anomalously high number of failed connection attempts was observed to common remote CLI ports (SSH, Telnet, etc.). This can indicate a brute-force login attack.

Job for CODEX: elastiflow_codex_netsec_brute_force_cli
Job for ECS: elastiflow_ecs_netsec_brute_force_cli
Analysis Type: population
Required Data: client IP & port, server IP & port
MITRE ATT&CK Technique: Brute Force (T1110)
MITRE ATT&CK Sub-Technique: Password Guessing (T1110.001)
MITRE ATT&CK Tactic: Credential Access (TA0006)
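The job above is a population analysis: each client's count of failed attempts to CLI ports is compared with every other client's count, not with its own history. The following is an added illustration of that idea in plain Python over constructed flow records; it is not ElastiFlow code and does not reproduce the job's real model. It assumes a flow record carries the union of TCP flags seen in the flow and treats a SYN-only flow to port 22 or 23 as a failed connection attempt; the flow tuples and the median/MAD scoring are choices made for this example.

```python
from collections import Counter
from statistics import median

# Common remote CLI ports named in the detector description (SSH, Telnet).
CLI_PORTS = {22, 23}

# Constructed flow records, not real traffic. Each is
# (client_ip, client_port, server_ip, server_port, tcp_flags), where tcp_flags is
# the union of TCP flags seen in the flow. Assumption for this example: a flow to a
# CLI port whose flags contain SYN but no ACK is a connection attempt the server
# never accepted, i.e. a failed attempt.
FLOWS = (
    # ordinary users: one to three unanswered SYNs each, plus completed sessions
    [("10.0.0.%d" % i, 40000 + j, "10.0.1.5", 22, "S")
     for i in range(1, 9) for j in range(i % 3 + 1)]
    + [("10.0.0.%d" % i, 41000 + j, "10.0.1.5", 22, "SPAF")
       for i in range(1, 9) for j in range(4)]
    # a burst of unanswered SYNs to HTTPS, which is not a CLI port and must be ignored
    + [("10.0.0.3", 42000 + j, "10.0.1.8", 443, "S") for j in range(30)]
    # one client hammering SSH and Telnet with unanswered SYNs
    + [("10.0.0.99", 50000 + j, "10.0.1.5", 22 if j % 2 else 23, "S")
       for j in range(40)]
)


def failed_cli_attempts(flows):
    """Count failed connection attempts to CLI ports per client IP."""
    counts = Counter()
    for client_ip, _client_port, _server_ip, server_port, flags in flows:
        if server_port in CLI_PORTS and "S" in flags and "A" not in flags:
            counts[client_ip] += 1
    return counts


def population_outliers(counts, threshold=3.5):
    """Score each client against the whole population with a robust z-score
    (median and median absolute deviation, MAD) and return the clients whose
    score exceeds the threshold. Robust statistics keep a single extreme client
    from inflating the baseline it is compared against."""
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # guard against MAD == 0
    scale = 1.4826 * mad  # consistency constant for normally distributed data
    scores = {client: (v - med) / scale for client, v in counts.items()}
    return {client: round(s, 2) for client, s in scores.items() if s > threshold}


if __name__ == "__main__":
    counts = failed_cli_attempts(FLOWS)
    for client, score in population_outliers(counts).items():
        print(f"{client}: {counts[client]} failed CLI attempts, robust z = {score}")
```

With the constructed data the eight ordinary clients have between one and three failed attempts (median 2, MAD 1), so the client with 40 scores about 25 and is the only one reported; the 30 unanswered SYNs to port 443 never enter the count because the job is scoped to CLI ports.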

Activity

Rare Client-Side Autonomous System

This anomaly detector identifies client-side traffic to or from a rare autonomous system. Rarely occurring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic does not by itself indicate malicious activity, it should be investigated further.

Job for CODEX: elastiflow_codex_netsec_rare_asn_client
Job for ECS: elastiflow_ecs_netsec_rare_asn_client
Analysis Type: temporal
Required Data: client AS, layer-4 session establishment

Rare Server-Side Autonomous System

This anomaly detector identifies server-side traffic to or from a rare autonomous system. Rarely occurring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic does not by itself indicate malicious activity, it should be investigated further.

Job for CODEX: elastiflow_codex_netsec_rare_asn_server
Job for ECS: elastiflow_ecs_netsec_rare_asn_server
Analysis Type: temporal
Required Data: server AS, layer-4 session establishment

Rare Conversation (inbound)

This anomaly detector identifies rare inbound (public to private) conversations. Rarely occurring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic does not by itself indicate malicious activity, it should be investigated further.

Job for CODEX: elastiflow_codex_netsec_rare_conversation_inbound
Job for ECS: elastiflow_ecs_netsec_rare_conversation_inbound
Analysis Type: temporal
Required Data: conversation ID, client AS, server AS, layer-4 session establishment

Rare Conversation (outbound)

This anomaly detector identifies rare outbound (private to public) conversations. Rarely occurring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic does not by itself indicate malicious activity, it should be investigated further.

Job for CODEX: elastiflow_codex_netsec_rare_conversation_outbound
Job for ECS: elastiflow_ecs_netsec_rare_conversation_outbound
Analysis Type: temporal
Required Data: conversation ID, client AS, server AS, layer-4 session establishment

Rare Conversation (private)

This anomaly detector identifies rare private conversations. Rarely occurring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic does not by itself indicate malicious activity, it should be investigated further.

Job for CODEX: elastiflow_codex_netsec_rare_conversation_private
Job for ECS: elastiflow_ecs_netsec_rare_conversation_private
Analysis Type: temporal
Required Data: conversation ID, client AS, server AS, layer-4 session establishment
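The five Activity detectors above share one idea: a value (a server AS, a client AS, or a client/server pairing) is suspicious when it has seldom or never appeared in the history of session establishments. The following is an added example, not ElastiFlow's code or model, of how such a temporal rarity check can be expressed: a baseline of constructed sessions is reduced to "fraction of days on which this value appeared", and today's sessions are scored against it. The Session record, the 10 % frequency cut-off and the documentation-range ASNs are all assumptions made for this example; the same function serves the rare-AS jobs and the rare-conversation jobs by swapping the key it looks at.

```python
from collections import defaultdict, namedtuple

# A layer-4 session establishment, reduced to the fields the rare detectors key on.
Session = namedtuple("Session", "day client_ip server_ip client_as server_as")

# Constructed 30-day baseline, not real traffic: two internal clients talking to two
# external ASes every day, plus one AS contacted on a single day. ASNs are from the
# documentation range (64496-64511).
BASELINE = []
for _day in range(30):
    BASELINE.append(Session(_day, "10.0.0.10", "198.51.100.20", 64510, 64496))
    BASELINE.append(Session(_day, "10.0.0.10", "198.51.100.30", 64510, 64497))
    BASELINE.append(Session(_day, "10.0.0.11", "198.51.100.20", 64510, 64496))
BASELINE.append(Session(12, "10.0.0.11", "203.0.113.7", 64510, 64498))

# Sessions established today, to be scored against the baseline.
TODAY = [
    Session(30, "10.0.0.10", "198.51.100.20", 64510, 64496),  # routine
    Session(30, "10.0.0.11", "203.0.113.7", 64510, 64498),    # AS seen on one day
    Session(30, "10.0.0.10", "192.0.2.99", 64510, 64499),     # AS never seen before
    Session(30, "10.0.0.11", "198.51.100.30", 64510, 64497),  # known AS, new pairing
]


def day_frequency(baseline, key):
    """Fraction of baseline days on which each key value was observed."""
    days_seen = defaultdict(set)
    all_days = set()
    for rec in baseline:
        all_days.add(rec.day)
        days_seen[key(rec)].add(rec.day)
    return {k: len(d) / len(all_days) for k, d in days_seen.items()}


def rare(records, baseline, key, max_frequency=0.1):
    """Return (record, frequency) for records whose key value appeared on at most
    max_frequency of baseline days; a never-seen value has frequency 0."""
    freq = day_frequency(baseline, key)
    hits = []
    for rec in records:
        f = freq.get(key(rec), 0.0)
        if f <= max_frequency:
            hits.append((rec, f))
    return hits


def server_as_key(rec):
    """Key for the rare server-side AS detector."""
    return rec.server_as


def conversation_key(rec):
    """Key for the rare conversation detectors: a client/server pairing."""
    return (rec.client_ip, rec.server_ip)


if __name__ == "__main__":
    for rec, f in rare(TODAY, BASELINE, server_as_key):
        print(f"rare server AS {rec.server_as} ({f:.1%} of days): "
              f"{rec.client_ip} -> {rec.server_ip}")
    for rec, f in rare(TODAY, BASELINE, conversation_key):
        print(f"rare conversation ({f:.1%} of days): {rec.client_ip} -> {rec.server_ip}")
```

Note the difference between the two keys on the last session in TODAY: AS 64497 is contacted every day, so the AS detector says nothing, but 10.0.0.11 has never spoken to 198.51.100.30 before, so the conversation detector flags it. That is why the page lists conversation ID in addition to the ASes as required data for the conversation jobs.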

Amplification Attacks

Generic DDoS Attack (UDP Amplification)

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open UDP services to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_ddos_generic_udp_amplification
Job for ECS: elastiflow_ecs_netsec_ddos_generic_udp_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

CHARGEN Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open Character Generator Protocol (CHARGEN) services to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_chargen_amplification
Job for ECS: elastiflow_ecs_netsec_chargen_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

DNS Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open DNS resolvers to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_dns_amplification
Job for ECS: elastiflow_ecs_netsec_dns_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

Kad Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open Kademlia DHT peers to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_kad_amplification
Job for ECS: elastiflow_ecs_netsec_kad_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

LDAP Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open LDAP servers to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_ldap_amplification
Job for ECS: elastiflow_ecs_netsec_ldap_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

mDNS Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open mDNS resolvers to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_mdns_amplification
Job for ECS: elastiflow_ecs_netsec_mdns_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

Memcached Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open Memcached servers to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_memcached_amplification
Job for ECS: elastiflow_ecs_netsec_memcached_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

MSSQL Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open MSSQL servers to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_mssql_amplification
Job for ECS: elastiflow_ecs_netsec_mssql_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

NETBIOS Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open NETBIOS services to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_netbios_amplification
Job for ECS: elastiflow_ecs_netsec_netbios_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

NTP Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open NTP services to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_ntp_amplification
Job for ECS: elastiflow_ecs_netsec_ntp_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

QOTD Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open Quote of the Day (QOTD) services to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_qotd_amplification
Job for ECS: elastiflow_ecs_netsec_qotd_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

Quake Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open Quake services to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_quake_amplification
Job for ECS: elastiflow_ecs_netsec_quake_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

RADIUS Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open RADIUS services to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_radius_amplification
Job for ECS: elastiflow_ecs_netsec_radius_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

RIP Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open routers running the Routing Information Protocol (RIP) to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_rip_amplification
Job for ECS: elastiflow_ecs_netsec_rip_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

RPC Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open Remote Procedure Call (RPC) services to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_rpc_amplification
Job for ECS: elastiflow_ecs_netsec_rpc_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

Sentinel SPSS Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open SPSS (Sentinel RMS) License Manager services to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_sentinel_spss_amplification
Job for ECS: elastiflow_ecs_netsec_sentinel_spss_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

SNMP Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open SNMP services to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_snmp_amplification
Job for ECS: elastiflow_ecs_netsec_snmp_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

SSDP Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open SSDP services to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_ssdp_amplification
Job for ECS: elastiflow_ecs_netsec_ssdp_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

Steam Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open Steam services to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_steam_amplification
Job for ECS: elastiflow_ecs_netsec_steam_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

TFTP Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open Trivial File Transfer Protocol (TFTP) services to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_tftp_amplification
Job for ECS: elastiflow_ecs_netsec_tftp_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)

WSD Amplification Attack

This is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages open Web Services for Devices (WSD) services to overwhelm a target server or network with an amplified volume of traffic, rendering the server and its surrounding infrastructure inaccessible.

Job for CODEX: elastiflow_codex_netsec_wsd_amplification
Job for ECS: elastiflow_ecs_netsec_wsd_amplification
Analysis Type: temporal
Required Data: source IP, port & AS, destination IP, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic: Impact (TA0040)
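Every amplification job in this group keys on the same four fields (source IP, port and AS, destination IP, layer-4 protocol) because, seen from the victim's network, reflected traffic has a recognisable shape: it is UDP, its *source* port is the well-known port of the abused service, the *destination* IP is the victim, and it arrives from many reflectors spread over many ASes. The following is an added example of that aggregation over constructed flow records; it is not ElastiFlow's code and does not reproduce the temporal model the jobs use. The port-to-service mapping covers a subset of the services listed above and is supplied here from general protocol knowledge (the page does not list ports); the Flow record, the per-minute thresholds and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict, namedtuple

# Well-known UDP service ports of protocols commonly abused as reflectors. This mapping
# is supplied for the example (a subset of the services listed above); the page itself
# does not list port numbers.
AMPLIFIER_PORTS = {
    17: "QOTD", 19: "CHARGEN", 53: "DNS", 69: "TFTP", 111: "RPC", 123: "NTP",
    137: "NETBIOS", 161: "SNMP", 389: "LDAP", 520: "RIP", 1434: "MSSQL",
    1812: "RADIUS", 1900: "SSDP", 3702: "WSD", 5353: "mDNS", 11211: "Memcached",
}
UDP = 17  # IP protocol number

# One flow record, reduced to the detector's required data plus volume counters.
Flow = namedtuple("Flow", "ts src_ip src_port src_as dst_ip proto packets bytes")

# Constructed flows, not real traffic, all inside one 60-second window (ts 1020-1079).
FLOWS = (
    # legitimate DNS answers from the organisation's one resolver to a client
    [Flow(1020 + j, "198.51.100.53", 53, 64496, "10.0.0.5", UDP, 2, 300) for j in range(20)]
    # a TCP flow from port 53 (DNS over TCP); not a UDP reflection, must be ignored
    + [Flow(1030, "198.51.100.53", 53, 64496, "10.0.0.5", 6, 40, 30000)]
    # reflected NTP and Memcached responses from 50 hosts in 8 ASes converging on one victim
    + [Flow(1020 + j % 60, "203.0.113.%d" % (j % 50 + 1), 123 if j % 2 else 11211,
            64504 + j % 8, "10.0.0.77", UDP, 10, 4680) for j in range(200)]
)


def amplification_candidates(flows, window=60, min_bytes=500_000, min_sources=20):
    """Aggregate UDP traffic *from* amplifier service ports per destination and time
    window. A destination that receives at least min_bytes from at least min_sources
    distinct reflectors in one window is reported as a likely amplification victim."""
    buckets = defaultdict(lambda: {"bytes": 0, "packets": 0, "src_ips": set(),
                                   "src_as": set(), "services": set()})
    for f in flows:
        if f.proto != UDP or f.src_port not in AMPLIFIER_PORTS:
            continue
        b = buckets[(f.dst_ip, f.ts // window)]
        b["bytes"] += f.bytes
        b["packets"] += f.packets
        b["src_ips"].add(f.src_ip)
        b["src_as"].add(f.src_as)
        b["services"].add(AMPLIFIER_PORTS[f.src_port])

    alerts = []
    for (dst_ip, w), b in sorted(buckets.items()):
        if b["bytes"] >= min_bytes and len(b["src_ips"]) >= min_sources:
            alerts.append({
                "dst_ip": dst_ip,
                "window_start": w * window,
                "bytes": b["bytes"],
                "bytes_per_packet": round(b["bytes"] / b["packets"], 1),
                "sources": len(b["src_ips"]),
                "source_ases": len(b["src_as"]),
                "services": sorted(b["services"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in amplification_candidates(FLOWS):
        print(alert)
```

The source-count requirement is what separates a reflection attack from a busy but legitimate service: the 20 DNS answers to 10.0.0.5 come from a single resolver and stay far below the byte threshold, while the traffic to 10.0.0.77 arrives from 50 addresses in 8 ASes with a large average packet size. In production the thresholds would be learned per destination over time rather than fixed, which is what the "temporal" analysis type of these jobs refers to.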

Data Exfiltration

DNS Exfiltration

COMING SOON!

Flood Attacks

Generic DDoS Attack (TCP)

A distributed denial-of-service (DDoS) attack attempts to make a service unavailable by directly sending a high volume of TCP traffic from multiple sources to the targeted TCP listener.

Job for CODEX: elastiflow_codex_netsec_ddos_generic_tcp
Job for ECS: elastiflow_ecs_netsec_ddos_generic_tcp
Analysis Type: temporal
Required Data: client IP & AS, server IP & port, layer-4 protocol
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Direct Network Flood (T1498.001)
MITRE ATT&CK Tactic: Impact (TA0040)

ICMP Flood DDoS Attack

An ICMP flood is a denial-of-service attack in which the attacker attempts to overwhelm a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic. When the attack traffic comes from multiple devices, the attack becomes a distributed denial-of-service (DDoS) attack.

Job for CODEX: elastiflow_codex_netsec_icmp_flood_ddos
Job for ECS: elastiflow_ecs_netsec_icmp_flood_ddos
Analysis Type: temporal
Required Data: source IP & AS, destination IP, layer-4 protocol
Restrictions: Applies only to NetFlow and IPFIX flow records.
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Direct Network Flood (T1498.001)
MITRE ATT&CK Tactic: Impact (TA0040)

ICMP Flood Direct Attack

An ICMP flood is a denial-of-service attack in which the attacker attempts to overwhelm a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic.

Job for CODEX: elastiflow_codex_netsec_icmp_flood_direct
Job for ECS: elastiflow_ecs_netsec_icmp_flood_direct
Analysis Type: population
Required Data: source IP & AS, destination IP, layer-4 protocol
Restrictions: Applies only to NetFlow and IPFIX flow records.
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Direct Network Flood (T1498.001)
MITRE ATT&CK Tactic: Impact (TA0040)

SYN Flood DDoS Attack

A SYN flood (half-open attack) is a type of denial-of-service attack; in its distributed (DDoS) form, multiple sources are used with the aim of making a server unavailable to legitimate traffic by consuming all available server resources. By repeatedly sending initial connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all.

Job for CODEX: elastiflow_codex_netsec_syn_flood_ddos
Job for ECS: elastiflow_ecs_netsec_syn_flood_ddos
Analysis Type: temporal
Required Data: client IP & AS, server IP & port, TCP flags
Restrictions: Applies only to NetFlow and IPFIX flow records.
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Direct Network Flood (T1498.001)
MITRE ATT&CK Tactic: Impact (TA0040)

SYN Flood Direct Attack

A SYN flood (half-open attack) direct attack is a type of denial-of-service (DoS) attack in which a single source aims to make a server unavailable to legitimate traffic by consuming all available server resources. By repeatedly sending initial connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all.

Job for CODEX: elastiflow_codex_netsec_syn_flood_direct
Job for ECS: elastiflow_ecs_netsec_syn_flood_direct
Analysis Type: population
Required Data: client IP & AS, server IP & port, TCP flags
Restrictions: Applies only to NetFlow and IPFIX flow records.
MITRE ATT&CK Technique: Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique: Direct Network Flood (T1498.001)
MITRE ATT&CK Tactic: Impact (TA0040)
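Both SYN flood jobs above depend on the TCP flags field, which is why they are restricted to NetFlow and IPFIX records: a half-open connection shows up as a flow that carries SYN but never ACK. The following added example, not ElastiFlow's code or model, shows the temporal side of that detection over constructed flow records: SYN-only flows per server socket are counted in 10-second buckets and each bucket is compared with the median of the earlier, unflagged buckets; the number of distinct client addresses then separates a distributed flood from a single-source one. The flow tuples, bucket size, multiplier and source-count cut-off are assumptions made for this example.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records, not real traffic: (ts, client_ip, server_ip, server_port,
# tcp_flags), where tcp_flags is the union of flags seen in the flow. The detectors
# require TCP flags, which is why the page restricts them to NetFlow and IPFIX records.
FLOWS = []
# twelve 10-second buckets of normal traffic: a few abandoned handshakes ("S" only)
# and many completed sessions ("SPAF") from a handful of clients
for _b in range(12):
    for _k in range(5):
        FLOWS.append((_b * 10 + _k, "10.0.0.%d" % (_k + 1), "10.0.1.5", 443, "S"))
    for _k in range(30):
        FLOWS.append((_b * 10 + _k % 10, "10.0.0.%d" % (_k % 5 + 1), "10.0.1.5", 443, "SPAF"))
# bucket 12: 500 SYN-only flows from 200 distinct source addresses (distributed)
FLOWS += [(120 + j % 10, "192.0.2.%d" % (j % 200 + 1), "10.0.1.5", 443, "S") for j in range(500)]
# bucket 13: 300 SYN-only flows from a single source (direct)
FLOWS += [(130 + j % 10, "198.51.100.9", "10.0.1.5", 443, "S") for j in range(300)]


def detect_syn_flood(flows, bucket=10, factor=10, min_count=50, ddos_sources=20):
    """Temporal analysis per server socket: count SYN-only flows per time bucket and
    compare each bucket with the median of the earlier, non-anomalous buckets.
    A flagged bucket is labelled 'ddos' when the SYNs come from at least
    ddos_sources distinct clients and 'direct' otherwise."""
    per_bucket = defaultdict(list)  # (server_ip, server_port, bucket_idx) -> client IPs
    for ts, client_ip, server_ip, server_port, flags in flows:
        if "S" in flags and "A" not in flags:
            per_bucket[(server_ip, server_port, ts // bucket)].append(client_ip)

    alerts = []
    servers = sorted({(s, p) for s, p, _ in per_bucket})
    for server_ip, server_port in servers:
        history = []  # counts from buckets judged normal, used as the baseline
        idxs = sorted(i for s, p, i in per_bucket if (s, p) == (server_ip, server_port))
        for i in idxs:
            clients = per_bucket[(server_ip, server_port, i)]
            count = len(clients)
            baseline = median(history) if history else 0
            if count >= min_count and count > factor * baseline:
                alerts.append({
                    "server": f"{server_ip}:{server_port}",
                    "bucket_start": i * bucket,
                    "syn_only_flows": count,
                    "distinct_clients": len(set(clients)),
                    "baseline": baseline,
                    "kind": "ddos" if len(set(clients)) >= ddos_sources else "direct",
                })
            else:
                history.append(count)  # do not let an attack bucket raise the baseline
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(FLOWS):
        print(alert)
```

Two details matter for a defender tuning something like this. First, the baseline is learned only from buckets that were not flagged, so a sustained flood does not teach the detector that 500 half-open connections per 10 seconds are normal. Second, a server that legitimately sees many abandoned handshakes (a busy public web front end behind a lossy link, for instance) will have a higher median and therefore a higher alert threshold, which is the benefit of a temporal model over a fixed count.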

Reconnaissance

Port Scan (fast)

A client accessed an anomalously high number of server ports over a short period of time, compared to other clients. This can indicate port scanning activity, a reconnaissance method used by malicious actors to find vulnerable systems.

Job for CODEX: elastiflow_codex_netsec_port_scan_fast
Job for ECS: elastiflow_ecs_netsec_port_scan_fast
Analysis Type: population
Required Data: client IP & AS, server IP & port
MITRE ATT&CK Technique: Network Service Scanning (T1046)
MITRE ATT&CK Tactic: Discovery (TA0007)

Port Scan (slow)

A client accessed an anomalously high number of server ports over a long period of time, compared to other clients. This can indicate port scanning activity, a reconnaissance method used by malicious actors to find vulnerable systems.

Job for CODEX: elastiflow_codex_netsec_port_scan_slow
Job for ECS: elastiflow_ecs_netsec_port_scan_slow
Analysis Type: population
Required Data: client IP & AS, server IP & port
MITRE ATT&CK Technique: Network Service Scanning (T1046)
MITRE ATT&CK Tactic: Discovery (TA0007)
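The fast and slow port scan jobs differ only in the length of the period over which distinct server ports per client are counted, and both are population analyses: a client is compared with its peers, not with its own past. The following added example, which is not ElastiFlow's code or model, makes that difference concrete over constructed flow records: the same function is run with a 60-second and a 3600-second window, and a scanner that spreads its probes thinly enough to look ordinary within any one minute is still far outside the population over an hour. The flow tuples, the window lengths and the "ten times the median, at least 20 ports" rule are assumptions made for this example.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records, not real traffic: (ts, client_ip, server_ip, server_port).
FLOWS = []
# eight ordinary clients: one of five well-known ports every five minutes for an hour
for _i in range(1, 9):
    for _k in range(12):
        FLOWS.append((_k * 300, "10.0.0.%d" % _i, "10.0.1.5", (80, 443, 22, 53, 8080)[_k % 5]))
# a fast scanner: 300 ports in 30 seconds
FLOWS += [(100 + j // 10, "10.0.0.50", "10.0.1.5", 1 + j) for j in range(300)]
# a slow scanner: one new port every 20 seconds for an hour (180 ports)
FLOWS += [(j * 20, "10.0.0.60", "10.0.1.5", 1000 + j) for j in range(180)]


def max_distinct_ports(flows, window):
    """For each client, the largest number of distinct server (ip, port) pairs it
    touched within any single time window of the given length in seconds."""
    seen = defaultdict(set)  # (client_ip, window_idx) -> {(server_ip, server_port)}
    for ts, client_ip, server_ip, server_port in flows:
        seen[(client_ip, ts // window)].add((server_ip, server_port))
    result = defaultdict(int)
    for (client_ip, _w), ports in seen.items():
        result[client_ip] = max(result[client_ip], len(ports))
    return dict(result)


def port_scanners(flows, window, factor=10, min_ports=20):
    """Population analysis: flag clients whose per-window port count is at least
    min_ports and at least factor times the median client's count."""
    per_client = max_distinct_ports(flows, window)
    typical = median(per_client.values())
    threshold = max(min_ports, factor * typical)
    return {client for client, n in per_client.items() if n >= threshold}


if __name__ == "__main__":
    print("fast (60 s window):  ", sorted(port_scanners(FLOWS, window=60)))
    print("slow (3600 s window):", sorted(port_scanners(FLOWS, window=3600)))
```

With the 60-second window the ordinary clients touch one port per window and the slow scanner only three, so only 10.0.0.50 stands out; with the hour-long window the ordinary clients reach five ports, the slow scanner 180, and both scanners are reported. Running both windows in parallel, as the two jobs do, is what keeps a patient scanner from hiding below the fast detector's threshold.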