Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
dos or ddos attack tracefile
- Thread starter AZeemeri
- Start date
AlfSutherland
Technical User
Andre,
I've got a port scan attack, if you want it?
Alf
I've got a port scan attack, if you want it?
Alf
- Thread starter
- #3
Thanks but I already have a portscan trace from Laura Chapel's site.
I'm trying to figure out how to recognize a typical DOS attack by looking at a trace. It just should be a lot of SYN/ ACK stuuf there.
Analizing traces is just not my thing, but I'm trying to learn recognizing patterns etc.
I'm trying to figure out how to recognize a typical DOS attack by looking at a trace. It just should be a lot of SYN/ ACK stuuf there.
Analizing traces is just not my thing, but I'm trying to learn recognizing patterns etc.
you can emulate a DoS attack by using NMAP against a small wannabe firewall like a Linksys or even a older webramp. EtherPeek works well for this as it breaks out the stats of SYN's vs. FINs. With a SYN scan (attack) you will see very high numbers of SYNs and very few FINs. I did this for a screen shot and NMAP brought a webramp to it's knees with over 400 connections open at once. I have a screen shot of trace and the actual trace file.
MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
- Thread starter
- #5
- Thread starter
- #7
There are some tips to fins a DoS.
If you find a lot of ICMP paquets, and if you llok the decode and find that the packet is fragmented, there is a Ping of dead, some attacks ( smurf, poD ) use ICMP packets, so you will find an excesive amount of packets of this tipe directed to a one or more machines.
When you have a Targa attack, you will find a lot of connections to a single station and in the decode you will find packets of diferent protocols IGMP also, and ICPM packets from one single station to all the stations, since it will report ICPM por Unreacheable. If you look in MAC traffic you could find the origin, since targa send modified packets it uses aleatory IP addresses but the MAC should be in some cases be the same.
Let me create some attacks and I will send you a trace with all this.
My best regards.
If you find a lot of ICMP paquets, and if you llok the decode and find that the packet is fragmented, there is a Ping of dead, some attacks ( smurf, poD ) use ICMP packets, so you will find an excesive amount of packets of this tipe directed to a one or more machines.
When you have a Targa attack, you will find a lot of connections to a single station and in the decode you will find packets of diferent protocols IGMP also, and ICPM packets from one single station to all the stations, since it will report ICPM por Unreacheable. If you look in MAC traffic you could find the origin, since targa send modified packets it uses aleatory IP addresses but the MAC should be in some cases be the same.
Let me create some attacks and I will send you a trace with all this.
My best regards.
- Status
Similar threads
- Locked
- Question