China, the most populous country in the world, woke up last Sunday (25 August 2013) to the largest distributed denial of service (DDoS) attack ever to hit the Chinese Internet. With over 8 million websites on .cn domains affected[1], the government condemned the incident and dubbed it the biggest cyber attack in Chinese history. The government-run China Internet Network Information Center (CNNIC) said the attack started at 2 a.m. on Sunday morning and disrupted Internet services until around Monday morning. CloudFlare, a website security company, observed a 32% drop in traffic to .cn domains.


The source and motive of the attack have not yet been traced, but the damage has been done. The incident has shown the world that a DDoS attack of this magnitude can be carried out successfully, and that once the flood is under way the target (in this case a national domain registry run by the government) has few options beyond absorbing it and recovering.


This takes us back to the basics of IT security, and makes us look for the answers to these critical questions:

  • When did the attack take place and how long did it last?
  • How did the attack take place? Which devices or services were targeted, and were any of them compromised?
  • Is there a way to protect the network from such attacks? If so, how quickly can we react to contain or minimize the repercussions?


Follow the Log Trail

Your network devices, servers and security appliances generate tens of thousands of log entries. Start with the system and device logs and try to establish what went wrong and when. That is hard to do by hand, given the number of devices, the volume of logs they produce and the false positives among them, but an event log correlation mechanism can sift through the logs and surface unusual behaviour patterns and suspicious network activity. Once you can be alerted in real time, you can take preventive or corrective action immediately.


Log data can be used for:

  • Real-time incident monitoring & threat detection
  • Performing event forensic analysis and root cause isolation
  • Compliance reporting and security audits
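The kind of correlation described above, as an added example that is not part of the original post and not SolarWinds LEM code: a short Python script that parses log lines in a made-up DNS front-end format (constructed sample data, not real CNNIC logs), counts requests in fixed 60-second windows, flags windows whose count meets a threshold, and reports when the flood started, how long it lasted and which sources dominated it. That answers the first two questions above from nothing but the log trail; the threshold is the knob that trades false positives against missed low-rate floods.

```python
"""Flood detection over device logs: when did it start, how long did it last,
and which sources drove it.  Added example with constructed data; the log
format '<date> <time> <src_ip> <qtype> <name>' is hypothetical."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # fixed correlation window


def parse_line(line):
    """Parse 'YYYY-mm-dd HH:MM:SS <src_ip> <qtype> <name>' into (timestamp, src_ip)."""
    date, time, src, _qtype, _name = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), src


def window_index(ts, start):
    """Index of the WINDOW-sized bucket that ts falls into, counted from start."""
    return int((ts - start) // WINDOW)


def detect_flood(lines, threshold):
    """Return a dict describing the flood, or None if no window meets threshold.

    A window is anomalous when its request count is >= threshold.  The attack
    span runs from the first anomalous window to the end of the last one, and
    the top sources are ranked over the anomalous windows only.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    if not events:
        return None
    t0 = events[0][0].replace(second=0)           # align windows to a minute
    per_window = Counter()
    per_window_src = defaultdict(Counter)
    for ts, src in events:
        b = window_index(ts, t0)
        per_window[b] += 1
        per_window_src[b][src] += 1
    hot = sorted(b for b, n in per_window.items() if n >= threshold)
    if not hot:
        return None
    start = t0 + hot[0] * WINDOW
    end = t0 + (hot[-1] + 1) * WINDOW
    attackers = Counter()
    for b in hot:
        attackers.update(per_window_src[b])
    return {"start": start, "end": end, "duration": end - start,
            "windows": len(hot), "top_sources": attackers.most_common(3)}


def build_sample():
    """Constructed log: 10 minutes from 01:55, with a flood in 02:00-02:03.

    Three benign clients send one query a minute each; during the flood three
    sources (hypothetical addresses from 192.0.2.0/24) add 60 queries a minute.
    """
    lines = []
    base = datetime(2013, 8, 25, 1, 55)
    normal = ["203.0.113.5", "203.0.113.9", "198.51.100.4"]
    flood = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for minute in range(10):
        t = base + timedelta(minutes=minute)
        for i, src in enumerate(normal):
            ts = t + timedelta(seconds=10 * i)
            lines.append(f"{ts:%Y-%m-%d %H:%M:%S} {src} A www.example.cn")
        if 5 <= minute < 8:                        # 02:00, 02:01, 02:02
            for k in range(60):
                ts = t + timedelta(seconds=k)
                lines.append(f"{ts:%Y-%m-%d %H:%M:%S} {flood[k % 3]} A {k}.example.cn")
    return lines


if __name__ == "__main__":
    report = detect_flood(build_sample(), threshold=20)
    if report is None:
        print("no flood detected")
    else:
        print(f"flood from {report['start']} to {report['end']} "
              f"({report['duration']}, {report['windows']} windows)")
        for src, n in report["top_sources"]:
            print(f"  {src}: {n} requests")
```

Real deployments replace `build_sample()` with a syslog feed and set the threshold from a measured baseline rather than a constant; the rest of the logic, per-window counting and ranking sources inside the anomalous span, is what a correlation engine does at scale.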


SolarWinds Log & Event Manager (LEM) collects logs from devices across your IT landscape and correlates them in memory to provide real-time notifications and alerts should there be a breach or policy violation. SolarWinds LEM also has built-in Active Responses that automate actions in response to breaches and attacks.