Training – Investigating DDoS

Investigating DDoS: Capture, Storage and Analysis (Splunk and HP ArcSight)



Outline: This course covers each of the main types of DDoS attack using a range of logs, including those from Web servers and networked devices. It uses a range of tools for the capture, storage and analysis of network logs, including Wireshark, Snort, Splunk and HP ArcSight, and uses a full virtualisation environment for the investigation of DDoS, including uniquely generated Web traces.

The course is delivered in collaboration with HP and uses a real-life virtualised infrastructure.

Course coverage

The course will run in a completely virtualised environment in order to investigate a range of DDoS methods, including examining logs containing evidence that would be useful in determining the source and target of a DDoS attack, along with possible mitigation techniques:

  • Day 1. Investigation of network protocols and Incident Response. This will involve examining common tools used for DDoS and their traces within log files and network traces, along with the storage and location of log information.
  • Day 2. SIEM Capture and Analysis. This will involve the capture of data from devices and the examination of log files and network traces using common SIEM tools such as Splunk and HP ArcSight.
  • Day 3. Further SIEM Analysis and Red v Blue. This will go deeper into SIEM analysis with cross-correlation and scripting, along with real-life Red v Blue team work using typical tools and logging methods.

This is the introductory course, and can be followed up with a deeper 2-day Advanced DDoS course (date to be arranged). Attendees who successfully complete the course will be awarded a credit-rated certificate from The Cyber Academy.

