Network Monitoring with Sysmon


Recently a friend had an issue with DDoS attacks on his gaming server. The first step to handling problems was collecting data because what gets measured gets managed.

I used Sysmon as an ingress filter by writing a config file to log TCP and UDP connections on some selected ports.
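As an added example (not the author's actual config file), this is a minimal Sysmon configuration of the kind described above: it includes NetworkConnect events (Event ID 3) only for TCP and UDP traffic to a few assumed game-server ports (27015 and 7777 are placeholders), so the log stays small enough to query after an attack.

```xml
<!-- Added example, not the author's config. Ports 27015 (tcp/udp) and 7777 (udp) are
     assumed placeholders; replace them with the ports the game server really listens on. -->
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <!-- Event ID 3 fires once per new TCP connection or UDP flow, so a flood produces
         one event per source flow; enlarge the Microsoft-Windows-Sysmon/Operational
         log so the attack window is not overwritten before it is reviewed. -->
    <RuleGroup name="GameServerPorts" groupRelation="or">
      <!-- onmatch="include": nothing is logged unless a rule below matches -->
      <NetworkConnect onmatch="include">
        <Rule name="GameTCP" groupRelation="and">
          <Protocol condition="is">tcp</Protocol>
          <DestinationPort condition="is">27015</DestinationPort>
        </Rule>
        <Rule name="GameUDP" groupRelation="and">
          <Protocol condition="is">udp</Protocol>
          <DestinationPort condition="is">27015</DestinationPort>
        </Rule>
        <Rule name="VoiceUDP" groupRelation="and">
          <Protocol condition="is">udp</Protocol>
          <DestinationPort condition="is">7777</DestinationPort>
        </Rule>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Install it with `sysmon64.exe -accepteula -i sysmon-config.xml` (or `-c sysmon-config.xml` to update a running install); afterwards `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=3}` returns the recorded connections, and grouping them by the SourceIp and Protocol fields shows where the traffic came from and whether it was TCP or UDP.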

After a disruptive attack that lasted several hours, we checked the logs and found out the origin of the attack and its type. It was a UDP flood attack from multiple sources.

We made many assumptions for possible solutions and a testing plan to handle this situation. We came up with different solutions and test plans, but that is a story for another day.

There are better tools and methodologies such as Tcpdump and Wireshark. However, Sysmon is a great tool to tailor your logs to achieve different tasks.
