https://tryhackme.com/room/detectingwebddos
Created by: tryhackme, ryla, tryhackme



For questions: “What class of attack relies on disrupting the availability of a web service?” and “What do we call the network of compromised machines that attackers use to launch DDoS attacks?”

Task 3, Attack Motives!

For questions: “Which attacker motive aims to make customers lose confidence in a company?” and “Which motive most likely drove the 2023 DDoS attack against Microsoft?”

So far so good. On to Task 4, Log Analysis!



“What is the attacker’s IP address?”

“Which page is repeatedly targeted by the attacker’s requests?”

Task 5, Leveraging SIEMs!

“What was the most frequently requested uri?”

“Which clientip made the most requests to the target uri?”
From the above step, click on /search, and you will be brought to a new filtered page. On the left side, click “client ip”.

“How many IP addresses were part of the botnet that attacked your website?”
Stay on the previous filter (the /search results) to answer this question.

“Which useragent was most commonly used by the attacking traffic?”

“Use the timechart command to visualize the requests. What is the peak number of requests made per second during the attack?”
I overlooked my progress and did not save this snippet. The command I used was `index="main" | timechart span=1s count by request` and then filtered with the visualization.

“Which legitimate (non-attacking) clientip received the first 503 response status post-attack?”
This was hard to obtain. I ended up going over to DuckDuckGo AI and had to do a few prompts to whittle down the exact filter I needed. With `clientip="202"`, I obtained that by noting it as the attacker IP when manually looking at the logs.
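
The Task 4 and Task 5 questions are all the same handful of aggregations over a web access log, so below is an added Python example (my own, not the room's material or any TryHackMe code) that answers each of them offline: most requested URI, top client for that URI, botnet size, dominant user agent, peak requests per second (the `timechart span=1s count` bucket), and the first 503 served to a non-attacking client after the flood starts. The log lines are constructed Combined Log Format entries using documentation IP ranges, not the room's data, and the code assumes that every source which hit the flooded URI counts as part of the botnet. Each function's docstring names the Splunk search it corresponds to.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access-log lines (Combined Log Format), NOT the room's data.
# 203.0.113.0/24 plays the botnet, 198.51.100.0/24 plays legitimate users.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Mar/2024:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /search HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.6 - - [10/Mar/2024:12:00:01 +0000] "GET /search HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /search HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /search HTTP/1.1" 503 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /search HTTP/1.1" 503 0 "-" "python-requests/2.31"
198.51.100.11 - - [10/Mar/2024:12:00:03 +0000] "GET /about.html HTTP/1.1" 503 0 "-" "Mozilla/5.0"
198.51.100.10 - - [10/Mar/2024:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Fields mirror the Splunk ones the room uses: clientip, uri, status, useragent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse Combined Log Format lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        events.append(d)
    return events


def top_uri(events):
    """Most requested URI  (SPL: index=main | stats count by uri | sort -count)."""
    return Counter(e["uri"] for e in events).most_common(1)[0]


def top_client_for_uri(events, uri):
    """Client that hit the target URI most  (SPL: ... uri="/search" | stats count by clientip)."""
    return Counter(e["ip"] for e in events if e["uri"] == uri).most_common(1)[0]


def botnet_ips(events, uri):
    """Assumption: every source that requested the flooded URI is treated as a bot
    (SPL: ... uri="/search" | stats dc(clientip))."""
    return {e["ip"] for e in events if e["uri"] == uri}


def top_user_agent(events, ips):
    """Dominant User-Agent among the attacking sources (SPL: ... | stats count by useragent)."""
    return Counter(e["ua"] for e in events if e["ip"] in ips).most_common(1)[0]


def peak_requests_per_second(events):
    """Bucket requests into 1-second bins and return the busiest one
    (SPL: index=main | timechart span=1s count)."""
    per_sec = Counter(e["ts"].replace(microsecond=0) for e in events)
    ts, n = max(per_sec.items(), key=lambda kv: kv[1])
    return ts.isoformat(), n


def first_legitimate_503(events, attack_ips):
    """First 503 served to a client outside the botnet, at or after the first attack request.
    This is the moment the flood started costing real users service."""
    attack_start = min(e["ts"] for e in events if e["ip"] in attack_ips)
    for e in sorted(events, key=lambda e: e["ts"]):  # stable sort keeps log order within a second
        if e["status"] == 503 and e["ip"] not in attack_ips and e["ts"] >= attack_start:
            return e["ip"], e["ts"].isoformat()
    return None


def analyze(text):
    """Run the whole Task 4/5 question set over one log and return the answers."""
    events = parse_log(text)
    uri, uri_hits = top_uri(events)
    bots = botnet_ips(events, uri)
    return {
        "target_uri": uri,
        "target_uri_hits": uri_hits,
        "top_client": top_client_for_uri(events, uri),
        "botnet_size": len(bots),
        "top_user_agent": top_user_agent(events, bots),
        "peak_per_second": peak_requests_per_second(events),
        "first_legit_503": first_legitimate_503(events, bots),
    }


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Swap `SAMPLE_LOG` for the contents of a real access log to reuse it; the only room-specific step it does not reproduce is the Splunk UI clicking, since every answer falls out of the same counts the queries produce.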

In Task 6, Defense, THM goes over Application, Network, and Large-Scale Mitigation. They use captchas, Content Delivery Networks, and Firewalls as examples.
For questions “What type of security challenge blocks bots by asking users to solve a simple puzzle?” and “Which CDN feature spreads traffic across multiple servers to prevent overload?”:
