
Good day everyone. Please, I have a problem with understanding how one can pinpoint an attack (traffic volume, network, port scans or distributed attacks) mainly by looking at the Wireshark TCP or UDP conversation statistics. Please, I am a novice in this area. I need an answer on the significance of an attack on TCP or UDP conversation features, and on what those features stand for (such as Packets, Bytes, Port, etc.), mainly by looking at their statistical outputs.

asked 04 Nov '16, 12:48

moronto

edited 04 Nov '16, 12:49


Do you need this answer to investigate an ongoing attack or is this a question for some university assignment?

In case of an ongoing attack I suggest that you hire a consultant or (depending on the scale) even bring in a whole incident response team.

Malicious traffic can manifest itself in a number of ways:

  • Distributed Denial of Service Attacks (DDoS) can come with any type of packet.
      • Most efficient are unsolicited DNS and NTP responses. This would be a "reflection attack".
      • Other attacks use ICMP, HTTP or HTTPS traffic.
      • Poorly written web applications can be overwhelmed with a surprisingly small number of HTTP or HTTPS requests: if a certain transaction, say a complex database query, keeps the server busy for several hundred milliseconds or longer.
      • Analysis: Often DDoS attacks target one destination IP address. Look out for top receivers in the conversation statistics.

  • A port scan uses literally every TCP and UDP port.
      • A full port scan sends 64k packets, TCP and UDP.
      • Variations limit themselves to about 1'000 common services.
      • Another malicious operation is "OS fingerprinting". It looks similar to a port scan, but uses even fewer packets to identify the operating system.
      • Analysis: Find the system that is accessing a ton of different TCP and UDP ports.

  • A good hacker who is executing a well-planned attack would blend in with the routine traffic.
      • You will see "Command and control traffic" (C2 for short) when a compromised computer receives a command or uploads stolen data.
      • Another part is the internal attack traffic, which often uses completely different protocols.
      • Both parts can be easy to spot (say, an internal port scan) or very well camouflaged, if the attacker is blending in with HTTPS traffic from thousands of users.
      • Analysis: This requires some experience in network analysis. An Intrusion Detection System (IDS) is highly recommended. You use Snort or Suricata to parse the trace file and look for malicious activity.
      • A good start is Christian Landström's talk on APT traffic from the last Sharkfest EU conference.

If you have a suspicious trace file you can probably upload it for review by someone in the community.

Good hunting.


answered 05 Nov '16, 07:01


packethunter
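The two "Analysis" hints in the answer above (top receivers for DDoS, one source touching many ports for a scan) can be checked mechanically against conversation rows. The script below is an added example, not code from the original thread; it reads a constructed CSV modelled on the columns of Statistics > Conversations > TCP (Address A, Port A, Address B, Port B, Packets, Bytes) and assumes Address A is the side that opened the conversation. The thresholds are arbitrary starting points, not values from the page.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample rows shaped like the TCP conversation tab copied as CSV (not real capture data).
SAMPLE_CSV = """Address A,Port A,Address B,Port B,Packets,Bytes
10.0.0.5,51000,192.0.2.10,443,120,98000
10.0.0.6,51001,192.0.2.10,443,110,91000
10.0.0.7,51002,192.0.2.10,443,130,99000
10.0.0.8,51003,192.0.2.11,80,15,12000
198.51.100.9,40001,10.0.0.20,22,1,60
198.51.100.9,40002,10.0.0.20,23,1,60
198.51.100.9,40003,10.0.0.20,80,1,60
198.51.100.9,40004,10.0.0.20,135,1,60
198.51.100.9,40005,10.0.0.20,445,1,60
198.51.100.9,40006,10.0.0.20,3389,1,60
"""

def load_conversations(text):
    """Parse CSV rows into dicts; Address A is assumed to be the initiator."""
    return [{"src": r["Address A"], "dst": r["Address B"], "dport": int(r["Port B"]),
             "packets": int(r["Packets"]), "bytes": int(r["Bytes"])}
            for r in csv.DictReader(StringIO(text))]

def top_receivers(convs, n=3):
    """Rank destination addresses by packets received; also count distinct senders (DDoS view)."""
    pkts, peers = defaultdict(int), defaultdict(set)
    for c in convs:
        pkts[c["dst"]] += c["packets"]
        peers[c["dst"]].add(c["src"])
    ranked = sorted(pkts, key=pkts.get, reverse=True)[:n]
    return [(d, pkts[d], len(peers[d])) for d in ranked]

def port_scan_suspects(convs, min_ports=5, max_avg_pkts=3):
    """(source, target, port count) pairs where one source touches many ports with tiny flows."""
    ports, pkts = defaultdict(set), defaultdict(int)
    for c in convs:
        key = (c["src"], c["dst"])
        ports[key].add(c["dport"])
        pkts[key] += c["packets"]
    return sorted((s, d, len(p)) for (s, d), p in ports.items()
                  if len(p) >= min_ports and pkts[(s, d)] / len(p) <= max_avg_pkts)

if __name__ == "__main__":
    convs = load_conversations(SAMPLE_CSV)
    print("top receivers (addr, packets, distinct senders):", top_receivers(convs))
    print("port-scan suspects (src, dst, ports touched):", port_scan_suspects(convs))
```

On a real export the same functions apply unchanged; the receiver hit by many distinct senders and the source with many small single-packet flows are the rows worth opening in the trace.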
