Network traffic analysis for IR: Analyzing DDoS attacks

If you’re under attack you are probably looking at ways to make it stop, such as putting Cloudflare, Akamai or a similar provider in front of your services. Your incident response team may also have questions like “Where’s it coming from?” and even “Why us?”. The linked article discusses some of the analysis techniques:

[…] Today’s Security Operation Centers (SOCs) are frequently thrown into chaos due to the fact that cybersecurity threats are accelerating by leaps and bounds, and with great sophistication. DDoS attacks are a growing menace for incident response (IR) teams working in the SOCs. These attacks are very dangerous because they can disrupt critical services to users or interfere with business continuity. IR teams perform network traffic analysis to combat DDoS attacks.

Several techniques used for this purpose include Statistical Approach for Network Anomaly Detection, Gaussian Mixture Model (GMM), and Multi-Level Tree for Online Packet Statistics (MULTOPS).
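To make two of the named techniques concrete, here is an added example (not code from the linked article) that runs a statistical z-score detector and a MULTOPS-style packet-ratio check over constructed flow records. The records, the addresses (TEST-NET ranges), the ten-second baseline window and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical server under observation (TEST-NET-3 address, constructed).
VICTIM = "203.0.113.5"


def build_sample_flows():
    """Constructed flow records: (second, src, dst, direction, packets).

    Seconds 0-9 are quiet traffic from three clients to one server with a
    small deterministic jitter; from second 10 a flood from 20 spoofed
    TEST-NET-1 sources arrives that the server never answers. Not real
    capture data.
    """
    flows = []
    clients = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
    for sec in range(13):
        for i, client in enumerate(clients):
            pkts_in = 40 + (sec + i) % 5
            flows.append((sec, client, VICTIM, "in", pkts_in))
            flows.append((sec, VICTIM, client, "out", pkts_in - 2))
        if sec >= 10:
            for j in range(20):
                flows.append((sec, f"192.0.2.{j}", VICTIM, "in", 250))
    return flows


def inbound_per_second(flows, host):
    """Total packets per second addressed to `host`."""
    series = defaultdict(int)
    for sec, _src, dst, direction, pkts in flows:
        if direction == "in" and dst == host:
            series[sec] += pkts
    return dict(sorted(series.items()))


def baseline_stats(series, baseline_seconds):
    """Mean and population std-dev of the first `baseline_seconds` samples."""
    values = [series[s] for s in sorted(series) if s < baseline_seconds]
    return mean(values), pstdev(values)


def zscore_alerts(series, baseline_seconds=10, k=3.0):
    """Statistical anomaly detection: flag seconds whose inbound packet
    count lies more than k standard deviations above the quiet baseline."""
    mu, sigma = baseline_stats(series, baseline_seconds)
    sigma = max(sigma, 1e-9)  # a perfectly flat baseline would divide by zero
    return [(sec, round((pkts - mu) / sigma, 1))
            for sec, pkts in series.items()
            if sec >= baseline_seconds and (pkts - mu) / sigma > k]


def multops_alerts(flows, host, ratio_threshold=3.0):
    """MULTOPS-style check: packets *to* a host versus packets *from* it.
    Legitimate traffic is roughly symmetric; a flood the host cannot answer
    breaks that symmetry, and a disproportion in either direction is flagged."""
    to_host = defaultdict(int)
    from_host = defaultdict(int)
    for sec, src, dst, direction, pkts in flows:
        if direction == "in" and dst == host:
            to_host[sec] += pkts
        elif direction == "out" and src == host:
            from_host[sec] += pkts
    alerts = []
    for sec in sorted(set(to_host) | set(from_host)):
        sent = from_host.get(sec, 0)
        ratio = float("inf") if sent == 0 else to_host.get(sec, 0) / sent
        if ratio > ratio_threshold or ratio < 1 / ratio_threshold:
            alerts.append((sec, round(ratio, 1)))
    return alerts


if __name__ == "__main__":
    flows = build_sample_flows()
    series = inbound_per_second(flows, VICTIM)
    print("baseline mean/std:", baseline_stats(series, 10))
    print("z-score alerts (second, z):", zscore_alerts(series))
    print("MULTOPS ratio alerts (second, to/from):", multops_alerts(flows, VICTIM))
```

On the constructed data both detectors fire only for seconds 10-12. The ratio check needs no training window, which is why MULTOPS-style counters are attractive at line rate, while the z-score detector depends on a clean baseline and will be blind if the attack is already in progress when the baseline is taken.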

