Hi all,
I used wireshark to analysis "attack pcap file" for "TCP SYN Flood attack", can we rely on features extracted by statistical conversation for "TCP" such as (duration, total packet, total bytes, bytes and packet in each direction and bit rate ...etc) to detect TCP SYN attack....
Hi there,
My answer is yes.
The TCP SYN flood attack is basically sending a lot of SYN requests (there might be some variations, but basically that is what it is). The attack plays around with TCP ports and IP addresses. All that information can be collected by Wireshark. If you can keep track of the connections and the number of connections that are established in a time interval, you can detect variations on that number of connections: If your network used to receive 55 connections per minute and all of a sudden that number increases to 120, you might want to analyse the situation since something is likely to be wrong and an attacker might be taking place. Also, the amount of connections that are only initiated and there is no further communication, the amount of connections that are rejected, the amount of connections requested to a port... etc...
Also, you might want to have a look at a publication I have about IDS for non-content based attacks. It is in my home-page :) you can have a look and let me know if you have any questions! thanks!
- Badges
- Science topic
- Similar topics
- Mathematics
- Statistics