Hello everyone, welcome back to the course on identifying attacks through logs. In the last video we talked about cross-site scripting and cross-site request forgery. In this video you will see some other sources of logs.

Let's start with the learning objectives of this video. The objectives are: learn about other sources of logs that can help in identifying attacks, and learn about some of the network attacks that can affect the web application.
Here we have some examples of other sources of logs: network bandwidth usage, intrusion prevention systems, and web application firewalls.

Do you remember this picture? Here we have the pool of infrastructure that can support a web application. Remember that all these components can send information, in the form of logs or graphs, and that information could help to find an attack.
Let's talk about two attacks, the SYN flood and the HTTP flood. The first is a network attack and the second is a web application attack. Both types of flood try the same thing: consume all the network or web server resources. If this happens, it can cause a denial of service in the web application.

The SYN flood can happen because of the three-way handshake. The target receives the SYN and tries to complete the three-way handshake, but it will never happen, so the connection is not established. All these connection tries will stay in the memory of the server or the network equipment: more requests, more memory consumed. So the component gets flooded by the connection tries.

For the HTTP flood, the three-way handshake is completed, but the web server receives a lot of requests. Depending on the size of the server and the number of requests, the application could be impacted. That's why it's important to identify these types of attacks.
Let's analyze now some logs. Which logs can identify an attack in each component? Are they similar to the web application logs?

Here we have an example of a firewall log. The firewall is the component that handles network connections, so the log will be a little different from the web server log.

Let's analyze this log together. First you have a date and time, followed by an IP address; in this case it is the IP address of the firewall. After that you have some numbers and the word TCP. Remember that we have UDP and TCP connections; in this case it is a TCP connection. You have another number and an IP address. This IP address is from the source computer, in our case the attacker, and the second IP address is the website address. The number 80 is the HTTP port; it could be 443 for HTTPS. And then you have S. This S letter is the identifier of the SYN flag from TCP.
If you check the other lines, the fields that we talked about will be the same. Depending on the firewall and web server capacity, they can handle a lot of connections, sometimes thousands of connections in the same second. So, depending on the environment, the attacker needs to generate a lot of connections, but the behavior will be the same: an uncommon number of connections from the same IP, only sending the SYN flag.

Can you think of one of the attacks that we saw whose behavior is similar to this one? One of those attacks is the brute force attack. The SYN flood is like a brute force attack, but the objective is to make the application unavailable.
And one more thing: do you remember our questions, who, what and when? Here are the fields that can help answer these questions. For the what, it is the connection: TCP on port 80 with the SYN flag.

Now talking about the web server, which logs will be shown on the web server? In this case we won't have any logs from the web server. Remember that web server logs start after the TCP three-way handshake, and the SYN flood does not establish the connection, so there are no HTTP requests.
Do you remember that the TCP connection is a job of the operating system? Normally the operating system has a command to check the connections. This command is netstat, and it shows the status of the connections. If you check the result of the netstat command during a SYN flood attack, you will see a lot of SYN requests; it will say that it received the SYN, like in this picture. You can see in this picture that we have the website IP on TCP port 80 and another IP with a lot of different ports. This means that the operating system is waiting for the other side to complete the connection.
Now let's see the HTTP flood compared with the SYN flood. Again we have the firewall logs. We have the same components: date and time, firewall IP, source IP, server IP. We also have the letter S, but in this case there is a difference: this means that the TCP three-way handshake was completed. So, since we have the connection, let's check the web server logs.

Now check these web server logs and try to find a malicious behavior. If you want to pause the video for a while, it's okay.

Let's analyze the web server logs together. We have the source IP, the HTTP method, the requested file, the HTTP version, the status code, the size and the user agent. So the web server log itself is okay.
The point here is the number of requests and the many errors. If you check the requested files, they don't make sense: a lot of numbers that result in an error. The HTTP status code 400 means bad request. Why would someone send a lot of requests that end in errors? Usually users get upset with errors. Here we have the same source, a lot of errors in a small period of time, and some random requested files.

In this case we have the HTTP flood. Again, depending on the size of the web server, the attacker needs a lot of requests to get the web server and the web application down. In this example we have the error 400, but an HTTP flood can result in another status code like 500 or 200; it only depends on the requests. Basically, the most important thing is the number of requests. If you notice that there is a high number of requests, more than normal, maybe you have a flood.

What do you think will happen if we use the netstat command during the HTTP flood? We should have a lot of lines, but now we have the word ESTABLISHED. That means that the TCP connection was established, and that's why we have the web server logs.
In the previous slide we said that the flood attacks try to consume all the resources of the machine. Here you can see the CPU usage from the firewall. You can see on both graphs that the CPU usage percentage rose a lot. In the first graph we have two moments of high CPU usage. In the second graph we have the same two periods of high CPU, and we can see another increase in CPU usage during the period of high CPU usage. Since the web server sits behind the firewall, the web application was down. This means that the denial of service attack was the SYN flood.

We can see the same behavior on the network bandwidth graph: it goes from kilobits to megabits. Let's see some directions to identify the flood attacks.
Many requests from the same source in a short period of time. A fast increase of CPU or bandwidth usage. Many SYN requests without establishing the three-way handshake. Uncommon or random requests on the web server logs. Or your application is slow or stopped working.

Hey, don't forget to check the user agent. Since the attacker needs to send a lot of crafted HTTP packets, it's very common to use a tool. Also remember that the attacker can change the user agent.

That's it for this lesson. See you in the next video.
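As an added example, not part of the lecture, here is Python that applies the two indicators above (many SYN-only connections from one source that never complete the handshake, and bursts of requests from one source ending in 400 errors) to constructed log lines. The firewall line layout and the web server line layout are assumed from the lecture's description, and all IPs, timestamps and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed firewall lines in the lecture's layout: date, time, firewall IP, counters,
# protocol, counter, source IP, destination IP, port, flag. 198.51.100.7 only sends SYNs.
FW_LOG = """\
2023-05-01 10:00:01 10.0.0.1 1 2 TCP 3 198.51.100.7 203.0.113.10 80 S
2023-05-01 10:00:01 10.0.0.1 1 2 TCP 3 198.51.100.7 203.0.113.10 80 S
2023-05-01 10:00:01 10.0.0.1 1 2 TCP 3 192.0.2.44 203.0.113.10 80 S
2023-05-01 10:00:01 10.0.0.1 1 2 TCP 3 192.0.2.44 203.0.113.10 80 A
2023-05-01 10:00:02 10.0.0.1 1 2 TCP 3 198.51.100.7 203.0.113.10 80 S
2023-05-01 10:00:02 10.0.0.1 1 2 TCP 3 198.51.100.7 203.0.113.10 80 S
2023-05-01 10:00:05 10.0.0.1 1 2 TCP 3 198.51.100.7 203.0.113.10 80 S
"""
# Constructed web server lines: source IP, method, requested file, HTTP version,
# status code, size and user agent, as in the lecture's HTTP flood example.
WEB_LOG = """\
198.51.100.7 - - [01/May/2023:10:00:01 +0000] "GET /8831 HTTP/1.1" 400 312 "curl/7.88"
198.51.100.7 - - [01/May/2023:10:00:01 +0000] "GET /1209 HTTP/1.1" 400 312 "curl/7.88"
198.51.100.7 - - [01/May/2023:10:00:02 +0000] "GET /7742 HTTP/1.1" 400 312 "curl/7.88"
192.0.2.44 - - [01/May/2023:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "Mozilla/5.0"
198.51.100.7 - - [01/May/2023:10:00:02 +0000] "GET /0015 HTTP/1.1" 400 312 "curl/7.88"
"""
FW_RE = re.compile(r"^(\S+ \S+) \S+ \d+ \d+ TCP \d+ (\S+) \S+ 80 (\S+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \d+ "[^"]*"$')

def burst(times, window, threshold):
    """True if at least `threshold` timestamps fall inside one `window`."""
    times = sorted(times)
    return any(sum(1 for t in times[i:] if t - s <= window) >= threshold
               for i, s in enumerate(times))

def syn_flood_sources(log, window=timedelta(seconds=2), threshold=4):
    """Sources with >= threshold SYN-only packets to port 80 in one window and no ACK ever."""
    syns, acked = defaultdict(list), set()
    for ts, src, flag in (m.groups() for m in map(FW_RE.match, log.splitlines()) if m):
        if flag == "S":
            syns[src].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
        elif "A" in flag:
            acked.add(src)  # handshake completed at least once, not a SYN-only source
    return sorted(s for s, t in syns.items() if s not in acked and burst(t, window, threshold))

def http_flood_sources(log, window=timedelta(seconds=2), threshold=4):
    """{source: count of 4xx responses} for sources with >= threshold requests in one window."""
    reqs, errors = defaultdict(list), defaultdict(int)
    for src, ts, status in (m.groups() for m in map(WEB_RE.match, log.splitlines()) if m):
        reqs[src].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
        errors[src] += status.startswith("4")  # bool counts as 1
    return {s: errors[s] for s, t in reqs.items() if burst(t, window, threshold)}
```

The thresholds are deliberately tiny for the sample; in a real environment they are set from the normal connection rate the lecture mentions, and the user agent column should still be reviewed by hand.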