One of the original reasons Canary was created is that, in many cases, details about a breach are shared before the general public or the affected organisations get wind of it. Canary does not prevent breaches, but it can at least give you enough of a heads-up to mitigate damage that has already been dealt.
In this case it's somewhat the reverse: with a distributed denial of service attack, the leaked data can tell you a bit more about what is attacking you.
A case in point: the following was shared on an IRC channel earlier today:
23:03:53 < [someone]> [retail chain] getting ddos
23:03:55 < [someone]> [url containing details]
23:04:00 < [someone]> where do I report this?
02:28:30 < [person]> [someone]: isc.sans.org?
The individual who shared it never made clear how they acquired the information, but it can safely be assumed that it was not something they found on their own. The target is most likely aware, however.
The person does, however, appear to have access to packet capture data from the targeted machine. How they acquired it is unclear, but it nonetheless provides some details we can use.
The pixelated items in the packet capture image are the IP address that was supposedly being targeted. The source address in the first half and the destination address in the second are not the individual's own machine either. Both are good candidates for finding out what Canary knows about these two IPs.
When we search for the IP address found in the packet data itself, we get no results. Maybe we can check its IP block? Nope. In fact, the target organisation does not appear to have any leaked data at all, which is good news. If you want to try this for yourself, you can use the following search terms as examples (without the parentheses):
Note: searching for larger ranges will likely lead to longer search times. The larger the IP block, the more you should consider using the API instead.
But what about the attacking machine? What can we find out about it? As luck would have it, we did find something in Canary's database.
Bingo. Just one search result, but here we are. Some scrolling eventually leads us to the IP address involved in the attack.
This can be useful in an investigation for determining when the attacking machine was possibly compromised. Exactly what these files contain can wait for another time, but we can at least determine that this machine has been compromised for at least a week. Keep in mind that the earliest leaked file only gives a lower bound: the machine was compromised at least that long ago, and possibly much earlier.
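The pivot described above (exact IP first, then the enclosing block, then the earliest leaked file as a lower bound on how long the attacker's machine has been compromised) can be scripted once you have copied the search hits out. The following is an added example written for this post, not Canary's code, API or data format; the records, IP addresses (RFC 5737 documentation ranges) and dates are constructed, and the function names are my own.

```python
import ipaddress
from datetime import date

# Constructed sample records, NOT Canary's data or format. Each record is
# (ip_seen_in_leak, source_file, date_of_leaked_file), as an analyst might
# copy them out of search results by hand.
SAMPLE_RECORDS = [
    ("203.0.113.45", "dump_part1.txt", date(2016, 1, 2)),
    ("203.0.113.45", "dump_part2.txt", date(2016, 1, 9)),
    ("203.0.113.77", "other_leak.sql", date(2015, 12, 30)),
    ("198.51.100.9", "unrelated.log", date(2016, 1, 5)),
]


def exact_matches(records, ip):
    """Records whose leaked IP is exactly `ip` (the first search you would run)."""
    target = ipaddress.ip_address(ip)
    return [r for r in records if ipaddress.ip_address(r[0]) == target]


def block_matches(records, ip, prefixlen):
    """Widen the search to the /prefixlen block that contains `ip`, as you
    would when the exact-IP search comes up empty."""
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    return [r for r in records if ipaddress.ip_address(r[0]) in net]


def pivot(records, ip, prefixlens=(24, 16)):
    """Try the exact IP first, then progressively larger enclosing blocks.

    Returns (scope, matches) where scope is the IP or the CIDR that produced
    the hits, or (None, []) when nothing in the data touches that address.
    Blocks are tried smallest first: a /16 covers 65536 addresses and is the
    kind of range the post suggests sending through the API instead.
    """
    hits = exact_matches(records, ip)
    if hits:
        return ip, hits
    for plen in prefixlens:
        hits = block_matches(records, ip, plen)
        if hits:
            net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            return str(net), hits
    return None, []


def compromised_since(records, ip, as_of_iso):
    """Lower bound on how long `ip` has been compromised.

    Uses the earliest leaked-file date that mentions the IP. Returns
    (first_seen_iso, days_before_as_of) or None if the IP never appears.
    A machine can have been compromised long before the first leaked file,
    so treat the result as "at least this long", never as the start date.
    """
    hits = exact_matches(records, ip)
    if not hits:
        return None
    first = min(r[2] for r in hits)
    as_of = date.fromisoformat(as_of_iso)
    return first.isoformat(), (as_of - first).days


if __name__ == "__main__":
    # Target IP: nothing on the exact address, nothing in its block.
    print(pivot(SAMPLE_RECORDS, "192.0.2.10"))
    # Attacker IP: an exact hit, and a lower bound on compromise duration.
    print(pivot(SAMPLE_RECORDS, "203.0.113.45"))
    print(compromised_since(SAMPLE_RECORDS, "203.0.113.45", "2016-01-10"))
```

With the constructed records, the attacking address first appears in a file dated 2016-01-02, so as of 2016-01-10 it has been compromised for at least eight days, which is the "at least a week" conclusion from the post; an address that is absent from the exact search but sits in a block with hits comes back with the block as its scope.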
More about what you can do with Canary will be written in the future!