Detecting Web DDoS Writeup

Date: 06-10-2025 | Platform: TryHackMe | Difficulty: Easy

Overview

This room explores denial-of-service attacks, detection techniques, and strategies for protection against DDoS attacks targeting web services.

Task 1: Introduction to DDoS

1.1 What class of attack relies on disrupting the availability of a web service?

Answer: Denial-of-Service

1.2 What do we call the network of compromised machines that attackers use to launch DDoS attacks?

Answer: Botnet

Task 2: DDoS Attack Motivations

2.1 Which attacker motive aims to make customers lose confidence in a company?

Answer: Reputational Damage

2.2 Which motive most likely drove the 2023 DDoS attack against Microsoft?

Answer: Hacktivism

Task 3: Detecting DDoS Attacks

3.1 What is the attacker's IP address?

Answer: 203.12.23.195

3.2 Which page is repeatedly targeted by the attacker's requests?

Answer: /login

3.3 What is the HTTP status code that indicates the server is unavailable due to overload?

Answer: 503

Task 4: Analyzing Logs with Splunk

4.1 What was the most frequently requested URI?

Answer: /search

4.2 Which clientip made the first request to the target URI?

Answer: 203.0.113.7

4.3 How many IP addresses were part of the botnet that attacked your website?

Answer: 60

4.4 Which useragent was most commonly used by the attacking traffic?

Answer: Java/1.8.0_181

4.5 Use the timechart command to visualize the requests. What is the peak number of requests made per second during the attack?

Answer: 207

4.6 Which legitimate (non-attacking) clientip received the first 503 response status post-attack?

Answer: 10.10.0.27
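The Task 4 questions are all aggregations over a web access log, so the same detection logic can be reproduced outside Splunk. The script below is an added example, not the room's own material or dataset: it parses a few constructed log lines in a simplified combined-log shape, and it assumes the botnet is the set of clients hitting the most-requested URI with the dominant user agent (an assumption to revisit against real traffic).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in a simplified combined-log shape (not the room's dataset).
LOG_LINES = """\
10.10.0.27 [06/Oct/2025:12:00:00 +0000] "GET /index HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.7 [06/Oct/2025:12:00:01 +0000] "GET /search HTTP/1.1" 200 "Java/1.8.0_181"
203.0.113.8 [06/Oct/2025:12:00:01 +0000] "GET /search HTTP/1.1" 200 "Java/1.8.0_181"
203.0.113.9 [06/Oct/2025:12:00:01 +0000] "GET /search HTTP/1.1" 503 "Java/1.8.0_181"
203.0.113.7 [06/Oct/2025:12:00:02 +0000] "GET /search HTTP/1.1" 503 "Java/1.8.0_181"
10.10.0.27 [06/Oct/2025:12:00:02 +0000] "GET /search HTTP/1.1" 503 "Mozilla/5.0"
10.10.0.31 [06/Oct/2025:12:00:03 +0000] "GET /index HTTP/1.1" 503 "Mozilla/5.0"
""".splitlines()

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) "([^"]*)"$')

def parse(lines):
    """Parse log lines into dicts sorted by time; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ip, ts, uri, status, ua = m.groups()
            events.append({"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                           "uri": uri, "status": int(status), "ua": ua})
    return sorted(events, key=lambda e: e["time"])  # stable: same-second order preserved

def analyze(events):
    """Answer the Task 4 style questions over parsed events."""
    target_uri = Counter(e["uri"] for e in events).most_common(1)[0][0]
    hits = [e for e in events if e["uri"] == target_uri]
    top_ua = Counter(e["ua"] for e in hits).most_common(1)[0][0]
    # Assumption: the botnet is every client hitting the target URI with the dominant agent.
    botnet = {e["ip"] for e in hits if e["ua"] == top_ua}
    # Requests per second, the same bucketing a 1s timechart would use.
    per_second = Counter(e["time"].replace(microsecond=0) for e in events)
    first_503 = next((e["ip"] for e in events if e["status"] == 503 and e["ip"] not in botnet), None)
    return {
        "target_uri": target_uri,
        "first_requester": hits[0]["ip"],
        "botnet_size": len(botnet),
        "top_user_agent": top_ua,
        "peak_rps": max(per_second.values()),
        "first_legit_503": first_503,
    }

if __name__ == "__main__":
    for key, value in analyze(parse(LOG_LINES)).items():
        print(f"{key}: {value}")
```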

Task 5: DDoS Mitigation Strategies

5.1 What type of security challenge blocks bots by asking users to solve a simple puzzle?

Answer: CAPTCHA

5.2 Which CDN feature spreads traffic across multiple servers to prevent overload?

Answer: Load-balancing

Lessons Learned