Suricata baseline deviation from expected IP requests
Goal
Detect an unusually high number of unique IP addresses connecting to a server, which could indicate a Distributed Denial-of-Service (DDoS) attack, a scanning attempt, or other forms of malicious activities.
Strategy
Monitor Suricata logs where a server is receiving connections from an unusually high number of unique IP addresses within a short period. This detection rule aims to identify potential threats early, allowing for timely investigation and mitigation to protect server resources and maintain service availability.
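One way to implement the detection described above, as an added example that is not Datadog's rule logic or Suricata's own code: parse Suricata EVE JSON records, count the distinct source IPs each destination host sees inside a sliding time window, and flag hosts whose peak exceeds a multiple of their expected baseline. It assumes (not from the page) that the events carry `timestamp`, `src_ip` and `dest_ip` fields as Suricata `flow`/`alert` records do, that the per-host baseline is supplied by the caller, and that the window length and deviation factor are tuning parameters; the sample records are constructed.

```python
"""Added example (not Datadog's or Suricata's code): flag servers that receive
connections from an unusually high number of unique source IPs within a short
window, relative to a per-host baseline supplied by the caller.

Assumptions (not from the page): input lines are Suricata eve.json records with
'timestamp' (e.g. 2024-05-01T12:00:00.000000+0000), 'src_ip' and 'dest_ip'.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(ts, src, dst):
    """Build one constructed EVE 'flow' record as a JSON line."""
    return json.dumps({"timestamp": ts, "event_type": "flow",
                       "src_ip": src, "dest_ip": dst, "proto": "TCP"})


# Constructed sample: 10.0.0.5 sees 8 distinct sources within 35 seconds, then a
# 9th source three minutes later (outside the window); 10.0.0.9 sees 2 distinct
# sources. Two malformed lines exercise the parser's skip paths.
SAMPLE_EVE_LINES = (
    [_ev(f"2024-05-01T12:00:{5 * i:02d}.000000+0000", f"192.0.2.{i + 1}", "10.0.0.5")
     for i in range(8)]
    + [_ev("2024-05-01T12:03:00.000000+0000", "192.0.2.9", "10.0.0.5")]
    + [_ev("2024-05-01T12:00:05.000000+0000", "198.51.100.1", "10.0.0.9"),
       _ev("2024-05-01T12:00:10.000000+0000", "198.51.100.2", "10.0.0.9"),
       _ev("2024-05-01T12:00:20.000000+0000", "198.51.100.1", "10.0.0.9")]
    + ["not json at all",
       json.dumps({"timestamp": "2024-05-01T12:00:30.000000+0000",
                   "src_ip": "203.0.113.7"})]  # missing dest_ip
)

# Constructed baseline: expected distinct sources per host per window.
BASELINE = {"10.0.0.5": 2, "10.0.0.9": 3}


def parse_eve(lines):
    """Return (timestamp, src_ip, dest_ip) tuples sorted by time, skipping
    lines that are not JSON or lack the fields the detection needs."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not {"timestamp", "src_ip", "dest_ip"} <= rec.keys():
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        events.append((ts, rec["src_ip"], rec["dest_ip"]))
    events.sort()
    return events


def max_unique_sources(events, window=timedelta(seconds=60)):
    """Peak number of distinct source IPs per destination host seen in any
    sliding window of the given length."""
    recent = defaultdict(deque)   # dest_ip -> deque of (ts, src_ip) in window
    peak = defaultdict(int)
    for ts, src, dst in events:
        q = recent[dst]
        q.append((ts, src))
        while q and q[0][0] < ts - window:   # expire entries older than window
            q.popleft()
        distinct = len({s for _, s in q})
        if distinct > peak[dst]:
            peak[dst] = distinct
    return dict(peak)


def flag_deviations(peak, baseline, factor=3.0):
    """Return {dest_ip: (observed, threshold)} for hosts whose peak exceeds
    factor * baseline. Hosts with no baseline default to an expectation of 1."""
    flagged = {}
    for dst, observed in peak.items():
        threshold = baseline.get(dst, 1) * factor
        if observed > threshold:
            flagged[dst] = (observed, threshold)
    return flagged


def run_example():
    """Run the detection over the constructed sample and return flagged hosts."""
    peak = max_unique_sources(parse_eve(SAMPLE_EVE_LINES))
    return flag_deviations(peak, BASELINE)


if __name__ == "__main__":
    for host, (observed, threshold) in run_example().items():
        print(f"{host}: {observed} unique sources in window "
              f"(threshold {threshold:g})")
```

The window length and deviation factor control the trade-off between catching a slow scan and tolerating normal bursts such as a load balancer health check or a traffic spike after a deployment; a baseline learned from the host's own history, per hour of day, is usually more reliable than a single fixed expectation.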
Triage and response
- Assess the reputation of the source IP addresses for known threats.
- Check if there are common characteristics among the source IPs (e.g., geographical clustering, similar ISP).
- If malicious, reduce the impact by rate limiting, blocking, or filtering suspicious IPs.
- Inform IT security teams and management about the incident and actions taken.