200K Contest Question # 5:
A server in your network is experiencing a high volume of traffic from an unknown source. Describe the steps you would take to investigate and mitigate this potential security threat.
1. Identify the suspicious source IP / server / port using network monitoring tools.
2. Remove that affected server from the LAN.
3. Check logs for information like network protocol , packet surge, time of surge using tools such as sar.
4. Identify the attack type - DoS / DDOS or Brute force.
5. Use firewall , SELinux and SSH configuration to block the incoming traffic.
6. Check for vulnerabilities like privilege escalation, protocol , port , firewall, ssh/login access and update / patch the system with latest security updates.
7. Document the incident and monitor the system post normalisation of services.
Run tcpdump and get that unknown source.
First we initiate the investigation from CDN level, analysing the traffic and collecting the IP,method,agent..etc and payload.
Based on the payload we can implement blocking methods on CDN and server levels.
And also monitoring for some time will help to avoid internal functional errors.
Below are the step-by-step approach to investigate and mitigate high traffic on a RHEL server:
Identify the Source
Isolate the Server (Mitigate Immediately)
Analyze Server Logs
Identify Affected Services
Secure the Server
Investigate for Malware
Analyze Network Traffic
Strengthen Authentication
Consider Additional Security Measures
By following these steps, we can effectively investigate and mitigate the high traffic threat on the RHEL server.
The source IP must be identified. This can be done with a sniffer, such as tcpdump, wireshark (tshark), etc.
Then filter the identified IP address.
It is also important to have updated systems.
It is possible the source is a valid source, so we could opt to look for some form of rate-limiting before blocking the source alltogether.
When dealing with a server experiencing high traffic volumes from an unknown source, it is essential to approach the situation methodically to effectively identify, investigate, and mitigate the potential security threat. Here's how to handle such a scenario, particularly in a Red Hat Linux server environment:
Taking these steps will help ensure that not only is the immediate threat managed, but future vulnerabilities can be prevented, maintaining the integrity and security of your Red Hat Linux server environment.
Steps to follow:
1. Use network monitoring tools to analyze the incoming traffic. Look for unidentified IPs, sources to find suspected culprit.
2. Review server logs to identify the source IP addresses, requested resources, of the suspicious traffic.
3. Use tools like WHOIS to gather more information about the origins of these addresses.
4. Use Firewall to block unwanted to traffic on the server.
5. Close ports which are not required by any service.
When such incident occurs, we need to investigate and take appropriate actions to mitigate the risk. Here follows the basic troubleshooting steps:
Mitigation Steps:
Implement Security Best Practices:
Based on the forensics finding from wireshark or tcpdump, we can easily isolate the attacker is from inside or external, SYN Flood Attack or Any sort of DOS attacks.
Red Hat
Learning Community
A collaborative learning environment, enabling open source skill development.