In the first part of this post I explained the scenario and the initial approach for data gathering. In this second part I'm going to discuss the approach to collecting data while the incident is happening.
Understanding Data Gathering Process
To better understand the information gathering flow that we are about to configure, review the diagram below:
The expected flow in this scenario is:
Although this is the basic flow for this scenario, there is also an option to follow a different approach. For example, leave Netmon running until the network traffic from the attacker's IP is received, and once Event Viewer shows the event, trigger a different action. For this example we will use the following flow:
Preparing the Environment
In order to use NetWiz you must have Network Monitor installed on your system first. Once you finish installing Netmon, download NetWiz from CodePlex and follow the steps below on your Edge device:
The second part is to configure Event Viewer to trigger an action when this event happens; to do that, follow the guidelines from this post. The BAT (or script) used during this process must contain the command that initiates a connection on port 80 of the internal web server (telnet webserver_IP 80). This step is important because that connection has to match the parameters that were configured in NetWiz. The BAT (or script) can also contain many more commands (including other tools that gather more data about the target system); it all depends on what you want to collect in addition to the Netmon traces.
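As an added example that is not part of the original post, the script below is a PowerShell version of the BAT that the Event Viewer task runs: it opens the port 80 connection to the internal web server that NetWiz is waiting for, then saves some extra volatile data next to the Netmon trace. The web server address, output folder, log name and event ID are placeholders that you must replace with your own values.

```powershell
# Added example (not from the original post): trigger script for the flow above.
# Assumptions (placeholders, adjust to your environment):
#   $WebServer        - the internal web server (webserver_IP) configured in NetWiz
#   $OutDir           - folder on the Edge device where extra evidence is written
#   $LogName/$EventId - the event that the Event Viewer task is attached to
param(
    [string]$WebServer = "10.0.0.10",   # placeholder for webserver_IP
    [int]$Port = 80,
    [string]$OutDir = "C:\IR\capture",
    [string]$LogName = "Security",
    [int]$EventId = 0                    # placeholder: set to the triggering event ID
)
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Open a TCP connection to port 80 of the internal web server. This is the
#    traffic pattern NetWiz was configured to wait for, so it starts the Netmon trace.
#    A raw TcpClient replaces "telnet webserver_IP 80" (telnet is not installed by default).
try {
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($WebServer, $Port)
    $client.Close()
    "$stamp trigger connection to ${WebServer}:$Port succeeded" | Out-File "$OutDir\trigger.log" -Append
} catch {
    "$stamp trigger connection failed: $($_.Exception.Message)" | Out-File "$OutDir\trigger.log" -Append
}

# 2. Snapshot volatile network state while the attack is in progress.
netstat -ano | Out-File "$OutDir\netstat-$stamp.txt"
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Sort-Object RemoteAddress |
    Export-Csv "$OutDir\tcpconn-$stamp.csv" -NoTypeInformation

# 3. Save the latest instances of the event that fired this task, so they can be
#    correlated with the Netmon trace timestamps later.
if ($EventId -gt 0) {
    Get-WinEvent -FilterHashtable @{LogName=$LogName; Id=$EventId} -MaxEvents 5 |
        Select-Object TimeCreated, Id, Message |
        Export-Csv "$OutDir\events-$stamp.csv" -NoTypeInformation
}
```

Point the Event Viewer task at `powershell.exe -ExecutionPolicy Bypass -File <path to this script>` and keep the `$OutDir` folder on a volume with enough free space for repeated triggers.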
It is also important to emphasize that sometimes this type of attack comes from random IP addresses. If this is the case, you will not need to create filters that only collect data coming from one specific address.
Once you have the traffic pattern and have also identified the IP address that is starting the attack against your resource, you can start by contacting your service provider to report the abuse coming from this IP. Check whether your ISP can track this IP and take action against this type of attack.