This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it a SYN DoS attack?

0

Guys, I have a packet, but I'm not sure whether it is a SYN DoS attack. If it's not, can you please explain why? I see only SYN packets and thought a SYN flood should look like that.

asked 21 Nov '14, 17:41

Madina Mika ...
accept rate: 0%

edited 22 Nov '14, 02:47

grahamb ♦

One Answer:

0

Maybe it is, but I don't think so - the frequency is too slow. SYN DoS attacks require hundreds and thousands of SYN packets per second, and you have huge jumps in the time column. So I doubt this is a SYN flood attack, or it is a pretty sloppy one.

By the way, for determining that type of attack it is not good enough to post an image with some SYN packets, especially when the time column format is not clear. Does it display delta times or relative times? If those are delta times, you have pauses of 17 seconds and more between SYNs, which is way too much for any kind of attack. If those are relative times, your column sorting is bad, because they should increase, not go up and down.

Also, to determine a SYN flood attack you'd need to check for SYN/ACKs and if they're answered with a third handshake packet. Plus, your "flood" is coming from a private IP, which is highly unusual for an attack, because it means it is coming from your local network, and you can easily identify the source.

answered 22 Nov '14, 03:52

Jasper ♦♦
accept rate: 18%
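
The two checks from the answer above (SYN rate per second, and whether each SYN/ACK is answered with a third handshake packet), as an added example that is not part of the original thread. The record layout `(time, src, sport, dst, dport, flags)`, the `min_rate=100` threshold, the `max_completed_ratio` cut-off and both sample traces are assumptions constructed for illustration.

```python
from collections import Counter

SYN, ACK = 0x02, 0x10  # TCP flag bits

def peak_syn_rate(packets):
    """Highest count of initial SYNs (SYN set, ACK clear) in any one-second bucket."""
    buckets = Counter(int(t) for t, _s, _sp, _d, _dp, f in packets
                      if f & SYN and not f & ACK)
    return max(buckets.values(), default=0)

def handshake_states(packets):
    """Classify each attempted connection by how far the three-way handshake got."""
    state = {}  # (client, cport, server, sport) -> furthest step seen
    for _t, src, sp, dst, dp, f in sorted(packets):
        if f & SYN and not f & ACK:            # step 1: client SYN
            state.setdefault((src, sp, dst, dp), "syn_only")
        elif f & SYN and f & ACK:              # step 2: server SYN/ACK
            key = (dst, dp, src, sp)           # reply travels server -> client
            if state.get(key) == "syn_only":
                state[key] = "half_open"
        elif f & ACK:                          # step 3: client's final ACK
            key = (src, sp, dst, dp)
            if state.get(key) == "half_open":
                state[key] = "completed"
    return Counter(state.values())

def looks_like_syn_flood(packets, min_rate=100, max_completed_ratio=0.1):
    """Assumed heuristic: high SYN rate AND almost no completed handshakes."""
    states = handshake_states(packets)
    total = sum(states.values())
    if total == 0:
        return False
    return (peak_syn_rate(packets) >= min_rate
            and states["completed"] / total <= max_completed_ratio)

# Constructed trace: three SYNs 17 s apart, every handshake completed.
slow = []
for i in range(3):
    t, cport = i * 17.0, 50000 + i
    slow += [(t, "192.168.1.10", cport, "192.168.1.20", 80, SYN),
             (t + 0.001, "192.168.1.20", 80, "192.168.1.10", cport, SYN | ACK),
             (t + 0.002, "192.168.1.10", cport, "192.168.1.20", 80, ACK)]

# Constructed trace: 500 SYNs within one second, SYN/ACKs never acknowledged.
flood = []
for i in range(500):
    t, cport = i * 0.002, 1024 + i
    flood += [(t, "198.51.100.7", cport, "192.168.1.20", 80, SYN),
              (t + 0.0005, "192.168.1.20", 80, "198.51.100.7", cport, SYN | ACK)]
```

A capture that contains only SYNs, with no SYN/ACKs recorded, leaves every connection in `syn_only`, so the rate check is what separates a slow trickle from a flood in that case.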