This is our old Q&A Site. Please post any new questions and answers at

Hi i have a packet capture of a attack on our network. It was reported that users felt the network was slow for many applications and the internet. Upon starting the capture we notice the network was back to normal. I notice many ACK packet which might be normal attack but I read somewhere many ACK packet can also be DOS attack. Without the packet capture from earlier, how do i tell the difference between a normal traffic data flow and after attack from DOS ?

alt text

asked 08 Dec '16, 04:09

doran_lum's gravatar image

accept rate: 0%

I wouldn't call it as an attack. But of course you can. What you see is bandwidth consuming traffic to the internet on port 9001 (TOR). The difference of normal and not normal traffic can be only find by baseline and then defining rules out of that. And in the end you can close a lot of ports which you don't need.

permanent link

answered 08 Dec '16, 04:53

Christian_R's gravatar image

accept rate: 16%

edited 08 Dec '16, 23:21

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 08 Dec '16, 04:09

question was seen: 1,472 times

last updated: 08 Dec '16, 23:21

p​o​w​e​r​e​d by O​S​Q​A