🔬 Tracking a DDoS Attack
Follow the evidence. Reconstruct the attack. Identify what happened.
📂 Case Opened
Date: July 18
Time: 14:22 UTC
A major e-commerce website suddenly becomes unavailable.
Thousands of customers report errors.
Revenue is dropping every minute.
Your job: Determine what happened.
🧩 Evidence Board
📊 Traffic Reports
🌐 Network Flows
🖥 Server Metrics
⏰ Event Timeline
🔍 Clue #1
At 14:21 UTC traffic increased by 1500%.
Most requests originated from thousands of different IP addresses.
The pattern does not resemble normal customer behavior.
🔍 Clue #2
Web server CPU utilization reached 98%.
Database utilization remained normal.
This suggests the attack targeted the web layer rather than backend systems.
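The two clues above can be checked mechanically. The following is an added example (not part of the original exercise) that runs the Clue #1 test over constructed access-log lines and the Clue #2 test over constructed host metrics: per-minute request counts are compared against a baseline window using the page's 1500% figure, the share of distinct source addresses is measured, and the saturated tier is named from CPU readings. The log format (timestamp, source IP, path, status), the RFC 5737 documentation addresses, the year in the timestamps and the utilization numbers are all assumptions made for the sample data.

```python
"""Spotting a web-layer flood from access logs and host metrics (added example).

All input data below is constructed for illustration; none of it comes from the case.
"""
from collections import defaultdict


def fake_source(n):
    """Return one of 320 distinct documentation-range (RFC 5737) addresses - constructed."""
    return f"198.51.100.{n}" if n < 256 else f"192.0.2.{n - 256}"


def build_sample_log():
    """Constructed access log: three normal minutes, then two flood minutes.

    Normal minutes carry 20 requests from 5 repeat customers. Flood minutes carry
    320 requests (16x the baseline, i.e. a 1500% increase) from 320 distinct sources,
    which is the Clue #1 pattern of many IPs and non-customer behaviour.
    """
    lines = []
    customers = [f"203.0.113.{i}" for i in range(1, 6)]
    for minute in ("14:18", "14:19", "14:20"):
        for n in range(20):
            lines.append(f"2025-07-18T{minute}:{n * 3:02d}Z {customers[n % 5]} /product/{n} 200")
    for minute in ("14:21", "14:22"):
        for n in range(320):
            lines.append(f"2025-07-18T{minute}:{n % 60:02d}Z {fake_source(n)} / 200")
    return lines


def per_minute_stats(lines):
    """Aggregate request count and number of distinct source IPs per minute (HH:MM)."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        ts, ip, _path, _status = line.split()
        minute = ts[11:16]          # "HH:MM" slice of the ISO-8601 timestamp
        counts[minute] += 1
        sources[minute].add(ip)
    return {m: (counts[m], len(sources[m])) for m in sorted(counts)}


def flag_flood_minutes(stats, baseline_minutes, increase_pct=1500, unique_ratio=0.9):
    """Flag minutes that exceed the baseline mean by at least increase_pct percent
    AND whose requests come overwhelmingly from distinct sources.

    Both conditions are required: a product launch can also multiply traffic, but
    returning customers repeat addresses, whereas a distributed flood rarely does.
    """
    baseline = sum(stats[m][0] for m in baseline_minutes) / len(baseline_minutes)
    threshold = baseline * (1 + increase_pct / 100)
    flagged = []
    for minute, (reqs, uniq) in stats.items():
        if minute in baseline_minutes:
            continue
        if reqs >= threshold and uniq / reqs >= unique_ratio:
            flagged.append(minute)
    return flagged


# Constructed per-minute utilization readings (percent) for the web and database tiers.
HOST_METRICS = {
    "14:20": {"web_cpu": 31, "db_cpu": 22},
    "14:21": {"web_cpu": 98, "db_cpu": 24},
    "14:22": {"web_cpu": 98, "db_cpu": 23},
}


def saturated_tiers(metrics, minute, saturation=90):
    """Name the tiers at or above the saturation threshold during a minute (Clue #2).

    A web tier pinned at 98% while the database stays flat points at the web layer
    as the exhausted resource rather than the backend.
    """
    return [tier for tier, pct in metrics[minute].items() if pct >= saturation]


def investigate():
    """Run both checks and summarise the findings for the analyst."""
    stats = per_minute_stats(build_sample_log())
    flagged = flag_flood_minutes(stats, ["14:18", "14:19", "14:20"])
    return {
        "first_anomalous_minute": flagged[0] if flagged else None,
        "flagged_minutes": flagged,
        "saturated_tiers": {m: saturated_tiers(HOST_METRICS, m) for m in flagged},
    }


if __name__ == "__main__":
    for minute, (reqs, uniq) in per_minute_stats(build_sample_log()).items():
        print(f"{minute}  requests={reqs:4d}  distinct_sources={uniq:4d}")
    print(investigate())
```

The baseline window is deliberately taken from the minutes before the spike; if the window included flood minutes the mean would rise and the detector would go quiet, which is one reason real monitoring compares against a longer history rather than the last few samples.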
🕵️ Investigation Questions
- What changed first?
- Which systems failed first?
- Was traffic legitimate?
- Which resources were exhausted?
- How quickly was the attack detected?
⏳ Reconstructed Timeline
14:21
Traffic spike begins.
14:22
Monitoring alerts triggered.
14:24
Users report service issues.
14:30
DDoS confirmed.
14:42
Mitigation activated.
15:05
Services stabilized.
📓 Analyst Notes
The goal of network forensics is not simply identifying an attack.
It is understanding:
- How the attack occurred
- What systems were affected
- What evidence exists
- How future incidents can be prevented
🛠 Common Investigation Tools
📄 Log Analysis
📈 SIEM Platforms
🌐 Packet Inspection
🔍 Threat Intelligence
🎯 Investigator Challenge
Imagine you receive:
- Firewall logs
- Traffic reports
- Server metrics
Which source would you analyze first and why?
There is no perfect answer.
The key is learning how evidence fits together.
🤖 Forensics Exercise
🏰 Building a DDoS-Resilient Infrastructure
Learn how modern companies design systems that stay online during massive attacks.