Unusual Traffic Spikes and Bandwidth Consumption


A traffic spike is a sudden and dramatic increase in the volume of traffic to a device compared with its normal baseline.

  • easier to identify when there is a normal baseline to compare against
  • may be a sign of a DoS attack
    • but could also indicate an unusual traffic flow such as data exfiltration

Unusual bandwidth consumption is an unusually high, and possibly unexplained, traffic volume sustained over a period of time rather than a single burst.

  • may represent regular activity, so check it against known schedules before treating it as hostile:
    • network-based backups
    • data replication
    • website traffic in response to a marketing campaign
    • etc.
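The two patterns above, a sudden spike versus a sustained run above baseline, are easy to confuse in a raw graph. The following is an added example, not part of the original notes: it runs both checks over a constructed per-minute byte series for one interface, seeds a rolling baseline from the first samples, and deliberately keeps flagged intervals out of the baseline so an ongoing flood cannot raise its own threshold. The thresholds (three deviations above the mean and a five-fold jump for a spike, five consecutive minutes at twice the mean for sustained consumption) are illustrative assumptions, not vendor defaults.

```python
"""Spike vs. sustained-consumption detection against a rolling baseline.

Added example (not from the original notes). Input is a constructed series of
bytes observed per one-minute interval on a single interface; thresholds are
illustrative assumptions, not vendor defaults.
"""
import statistics
from dataclasses import dataclass


@dataclass
class Alert:
    kind: str    # "spike" (sudden jump) or "sustained" (long run above baseline)
    start: int   # index of the first flagged interval
    end: int     # index of the last flagged interval
    peak: int    # highest byte count inside the flagged range


def detect(series, baseline_window=10, spike_sigma=3.0, spike_ratio=5.0,
           sustained_factor=2.0, sustained_intervals=5):
    """Return Alerts for a per-interval byte series.

    The first baseline_window samples seed a rolling baseline. Only intervals
    judged normal are fed back into it, so an ongoing attack cannot raise its
    own threshold ("baseline poisoning").
    """
    if len(series) <= baseline_window:
        raise ValueError("need more samples than the baseline window")
    history = list(series[:baseline_window])
    alerts = []
    run_start = None          # index where the current above-baseline run began

    for i in range(baseline_window, len(series)):
        value = series[i]
        mean = statistics.fmean(history)
        # Floor the deviation at 5% of the mean so a perfectly flat baseline
        # does not make every tiny wobble a "spike".
        stdev = max(statistics.pstdev(history), 0.05 * mean)
        spike_threshold = mean + spike_sigma * stdev
        sustained_threshold = sustained_factor * mean
        anomalous = False

        # Spike: far above baseline AND a sudden jump from the previous interval.
        if value > spike_threshold and value >= spike_ratio * series[i - 1]:
            alerts.append(Alert("spike", i, i, value))
            anomalous = True

        # Sustained: consecutive intervals above a multiple of the baseline mean.
        if value > sustained_threshold:
            anomalous = True
            if run_start is None:
                run_start = i
        else:
            if run_start is not None and i - run_start >= sustained_intervals:
                alerts.append(Alert("sustained", run_start, i - 1,
                                    max(series[run_start:i])))
            run_start = None

        if not anomalous:
            history.append(value)
            history.pop(0)

    # Close a run that is still open at the end of the series.
    if run_start is not None and len(series) - run_start >= sustained_intervals:
        alerts.append(Alert("sustained", run_start, len(series) - 1,
                            max(series[run_start:])))
    return alerts


# Constructed sample: ~1 MB/min of normal traffic, one 50 MB burst at index 11,
# then six minutes at 3 MB/min (a backup, or exfiltration) from index 13.
SAMPLE_SERIES = (
    [1_000_000, 1_050_000, 980_000, 1_020_000, 990_000,
     1_010_000, 1_000_000, 1_030_000, 970_000, 1_000_000]
    + [1_000_000, 50_000_000, 1_000_000]
    + [3_000_000] * 6
    + [1_000_000, 1_000_000]
)

if __name__ == "__main__":
    for a in detect(SAMPLE_SERIES):
        print(a)
```

On the sample this yields one spike alert at index 11 and one sustained alert covering indices 13 to 18. Whether that sustained run is a scheduled backup or exfiltration is not something the byte counts can tell you; the practical follow-up is to correlate the flagged window with the backup or replication schedule and the destination addresses before escalating.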

Problematic Bandwidth Consumption Examples

  • Worm activity
    • typically manifests as high volumes of scanning and propagation traffic that saturate switch and router interfaces
  • Reflection or amplification attack
    • in a reflection attack, the attacker spoofs the victim's IP address as the source of requests sent to multiple servers
    • the servers send their responses to the victim, overwhelming it with traffic
    • amplification builds on this: the service is chosen so that each small request produces a much larger response, multiplying the attacker's bandwidth
  • DNS reflection attack
    • a small DNS request with a spoofed source IP generates a very large response
    • effective at generating bandwidth-busting traffic volumes while requiring only small requests from the attacker or bots
  • NTP monlist command
    • a monitoring command that returns the list of recent clients of the NTP server, so a small request generates a large response
    • can be abused, with a spoofed source IP, to generate large traffic volumes toward the victim
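What distinguishes reflected traffic in flow data is not the volume alone but the shape: responses from many reflector services arriving at one host that never sent them a request, because the spoofed request left the attacker's network rather than the victim's. The following is an added example, not part of the original notes: it runs that check over constructed flow records as seen at the victim's network edge, and separately computes the amplification factor (response bytes per request byte) from records as seen at one reflector. The IP addresses are from the documentation ranges, the byte counts are constructed, and the reflector port list is limited to the two services named above.

```python
"""Reflection/amplification indicators in flow records (added example, not
from the original notes). Flow records are constructed; the IPs are from the
documentation ranges (RFC 5737 / TEST-NET).
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services the notes name as reflectors. Any service that answers a small
# request with a large response from a spoofable source works the same way.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int
    packets: int


def reflection_report(flows, min_reflectors=3):
    """Seen from the victim's network edge.

    A reflected flood arrives as responses from many reflector services to one
    host that never sent them a request (the request carried the victim's
    spoofed address and left the attacker's network, not ours). Returns
    {victim_ip: summary} for hosts with >= min_reflectors unsolicited sources.
    """
    requests = {(f.src_ip, f.dst_ip, f.dst_port)
                for f in flows
                if f.proto == "UDP" and f.dst_port in REFLECTOR_PORTS}
    per_host = defaultdict(lambda: {"unsolicited": set(), "services": set(), "bytes": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue
        if (f.dst_ip, f.src_ip, f.src_port) in requests:
            continue  # a response to a query this host really made
        h = per_host[f.dst_ip]
        h["unsolicited"].add(f.src_ip)
        h["services"].add(REFLECTOR_PORTS[f.src_port])
        h["bytes"] += f.bytes
    return {
        host: {"unsolicited": sorted(h["unsolicited"]),
               "services": sorted(h["services"]),
               "bytes": h["bytes"]}
        for host, h in per_host.items()
        if len(h["unsolicited"]) >= min_reflectors
    }


def amplification_factor(flows, server_ip, port):
    """Seen from the reflector's side: response bytes per request byte for one
    service. Returns None when no requests were observed."""
    req = sum(f.bytes for f in flows
              if f.proto == "UDP" and f.dst_ip == server_ip and f.dst_port == port)
    resp = sum(f.bytes for f in flows
               if f.proto == "UDP" and f.src_ip == server_ip and f.src_port == port)
    return None if req == 0 else resp / req


# Constructed records at the victim's edge: one genuine DNS exchange by
# 192.0.2.5, then responses from three DNS servers and one NTP server to
# 203.0.113.10, which sent none of them a request.
VICTIM_EDGE_FLOWS = [
    Flow("192.0.2.5", 51000, "198.51.100.53", 53, "UDP", 70, 1),
    Flow("198.51.100.53", 53, "192.0.2.5", 51000, "UDP", 140, 1),
    Flow("198.51.100.1", 53, "203.0.113.10", 44321, "UDP", 3200, 3),
    Flow("198.51.100.2", 53, "203.0.113.10", 44321, "UDP", 3400, 3),
    Flow("198.51.100.3", 53, "203.0.113.10", 44321, "UDP", 3100, 3),
    Flow("198.51.100.123", 123, "203.0.113.10", 44321, "UDP", 4800, 10),
]

# Constructed records at one reflector: the spoofed 64-byte request claims to
# come from the victim; the 3200-byte answer goes to the victim.
REFLECTOR_FLOWS = [
    Flow("203.0.113.10", 44321, "198.51.100.1", 53, "UDP", 64, 1),
    Flow("198.51.100.1", 53, "203.0.113.10", 44321, "UDP", 3200, 1),
]

if __name__ == "__main__":
    print(reflection_report(VICTIM_EDGE_FLOWS))
    print(amplification_factor(REFLECTOR_FLOWS, "198.51.100.1", 53))
```

The two vantage points matter: at the victim's edge the spoofed requests are never visible, so the unsolicited-response test is the only one available there, while the amplification factor can only be measured where both the request and the response pass, that is, at the reflector or the attacker's uplink. The genuine exchange by 192.0.2.5 is excluded because its request was observed, which is what keeps ordinary DNS and NTP traffic out of the report.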