Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Manual page 36

30 DENIAL OF SERVICE (DOS) OFFENSES

Step 6 View the Description field and determine the activity associated with this offense.
This may indicate multiple types of activity. If the offense is a DDoS attack, the
following terms appear:
  - Distributed DoS Attack (Low, Medium, or High Number of Hosts)
  - Potential Unresponsive Service or Distributed DoS
In a DDoS attack, the IP address listed in the Attacker Summary box is the address
of the target, since DDoS offenses are correlated by the target address. Also, in the
Top 5 Local Targets box, the IP addresses listed are the sources of the DDoS attack.

Step 7 View the Attacker Summary box to understand the attacker:
  Location - Allows you to determine if the attacker is local or remote:
    - Local - This field specifies the network (group) in which the attacker is located.
      If the attack is local, contact the user associated with the IP address to
      determine the source of the attack. If this is deemed normal behavior, you can
      tune STRM to no longer create offenses for this activity. See How do I Tune a
      DoS Offense?. If this is not normal behavior, go to Step 9.
    - Remote - This field specifies the geographic location of the attacker, for
      example, Asia. If the attacker is remote, go to Step 8.
  User - If the attacker is local or a VPN user and STRM is receiving user identity
    logs, this field indicates user identity information. This allows you to identify the
    user who is the source of the traffic. To obtain further information about the
    user, right-click on the IP address in the Description field to access additional
    menu options. From the menu, select Information > Asset Profile. The Asset
    Profile window allows you to determine additional information regarding the
    identity of the source user.

Step 8 If the attack is remote:
  a. Investigate the traffic from the remote source IP address to make sure that your
     firewalls are properly configured to block any threatening traffic.
  b. Determine if STRM is correlating firewall events. If you are correlating firewall
     events, the Offense Manager includes firewall or ACL deny events that indicate
     the attack is being blocked.
  c. Determine if the target is an Internet facing server, which means that the traffic
     may be permitted through the firewall. For assistance, contact your network
     administrator.
     If the target is an Internet facing server and you are investigating a DoS attack,
     right-click on the IP address located in the Description field of the Attacker
     Summary box to determine the ownership of the IP address sending the DoS
     attack. From the right-click menu, select Information > WHOIS Lookup or
     DNS Lookup. For more information on using the right-click menu, see the
     STRM Users Guide.
     If the target is an Internet facing server and you are investigating a DDoS
     attack, right-click on an IP address located in the Destination field of the Top 5
     Local Targets box to determine the ownership of the IP address sending the

Category Offense Investigation Guide
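The decisions in Step 6 to Step 8 (DDoS address inversion, local versus remote attacker, firewall deny events as evidence of blocking) written out as a small triage routine. This is an added example, not code from the Juniper guide or from STRM; the network groups, offense fields and event names are constructed stand-ins for what the STRM console displays.

```python
import ipaddress
from dataclasses import dataclass, field

# Phrases the guide says STRM places in the Description field of a DDoS offense.
DDOS_TERMS = ("Distributed DoS Attack", "Potential Unresponsive Service or Distributed DoS")

# Constructed stand-in for STRM's local network groups (hypothetical ranges).
LOCAL_NETWORKS = {"DMZ": ipaddress.ip_network("192.0.2.0/24"),
                  "Corp": ipaddress.ip_network("10.0.0.0/8")}

@dataclass
class Offense:
    description: str          # Description field
    attacker_summary_ip: str  # IP shown in the Attacker Summary box
    top_local_targets: list   # IPs shown in the Top 5 Local Targets box
    events: list = field(default_factory=list)  # names of correlated events

def is_ddos(offense):
    return any(term in offense.description for term in DDOS_TERMS)

def roles(offense):
    """Return (target, sources). For a DDoS offense the boxes are inverted:
    the Attacker Summary IP is the target, Top 5 Local Targets are the sources."""
    if is_ddos(offense):
        return offense.attacker_summary_ip, list(offense.top_local_targets)
    target = offense.top_local_targets[0] if offense.top_local_targets else None
    return target, [offense.attacker_summary_ip]

def location(ip):
    """('Local', group) when ip falls in a local network group, else ('Remote', None)."""
    addr = ipaddress.ip_address(ip)
    for group, net in LOCAL_NETWORKS.items():
        if addr in net:
            return "Local", group
    return "Remote", None

def firewall_blocking(offense):
    """True when the correlated events include firewall or ACL deny events."""
    return any("deny" in name.lower() for name in offense.events)

def triage(offense):
    """Steps 6-8 of the guide: returns (kind, target, sources, next_action)."""
    kind = "DDoS" if is_ddos(offense) else "DoS"
    target, sources = roles(offense)
    if all(location(src)[0] == "Local" for src in sources):
        return kind, target, sources, "contact local users; tune STRM if normal (Step 9)"
    if firewall_blocking(offense):
        return kind, target, sources, "remote, deny events present: attack is being blocked"
    return kind, target, sources, "remote, no deny events: check Internet-facing target, WHOIS/DNS lookup"
```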
