If I have a network trace, how can I differentiate a DDoS attack from a port scan?

asked Apr 27 '0 by nnammar

updated Apr 28 '0 by Guy Harris

Differentiation between DDoS and port scan.


1 Answer


answered Apr 27 '0 by Chuckc

Work down through the Wireshark Statistics menu.

Statistics -> Capture File Properties - get a feel for what's in the capture.
Statistics -> Protocol Hierarchy - what's the traffic mix?
Statistics -> Conversations - who's talking to whom?
Statistics -> Endpoints - a pattern may fall out of here that isn't apparent in Conversations.

Would expect a DDoS to be many sources to one (or few) destinations,
and a port scan to be one source to many destinations (IPs, ports).


Comments

Thank you for your reply. I don't have experience in Wireshark. Is this a port scan or DDoS? Based on what?

32 42.070380 172.16.112.50 135.13.216.191 TCP 60 27 → 23060 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
33 48.079970 135.13.216.191 172.16.112.50 TCP 60 23061 → 28 [SYN] Seq=0 Win=512 Len=0 MSS=1460
34 48.080457 172.16.112.50 135.13.216.191 TCP 60 28 → 23061 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
35 54.089973 135.13.216.191 172.16.112.50 TCP 60 23062 → 29 [SYN] Seq=0 Win=512 Len=0 MSS=1460
36 54.090438 172.16.112.50 135.13.216.191 TCP 60 29 → 23062 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
37 60.099924 135.13 ...(more)

nnammar ( Apr 28 '0 )

The Nmap Reference Guide is a pretty good start to learn about port scans.

Chuckc ( Apr 28 '0 )
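The rule of thumb in Chuckc's answer (many sources to one destination looks like a DDoS, one source to many destinations or ports looks like a port scan) can be turned into a small tally over the packet-list lines nnammar pasted. The script below is an added example and not code from the original thread or from the Wireshark project. It parses Wireshark packet-list summary lines (No., Time, Source, Destination, Protocol, Length, Info), counts distinct destination:port pairs per source (fan-out) and distinct sources per destination:port (fan-in) over bare SYNs only, and records ports that answered a SYN with RST,ACK, which is how a closed TCP port responds. The first sample is the five complete lines quoted in the comment; the second is a constructed "many to one" sample using documentation address ranges so that both branches of the heuristic are exercised. The thresholds, function names and the verdict strings are this example's own choices.

```python
import re
from collections import defaultdict

# One Wireshark packet-list summary line: No. Time Source Destination Protocol Length Info,
# where Info for TCP starts with "sport → dport [FLAGS]". Lines that don't match are skipped.
LINE_RE = re.compile(
    r"^(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"(\d+)\s+(?:→|->)\s+(\d+)\s+\[([^\]]+)\]"
)

# Sample 1: the five complete lines quoted in nnammar's comment above.
SCAN_SAMPLE = """\
32 42.070380 172.16.112.50 135.13.216.191 TCP 60 27 → 23060 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
33 48.079970 135.13.216.191 172.16.112.50 TCP 60 23061 → 28 [SYN] Seq=0 Win=512 Len=0 MSS=1460
34 48.080457 172.16.112.50 135.13.216.191 TCP 60 28 → 23061 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
35 54.089973 135.13.216.191 172.16.112.50 TCP 60 23062 → 29 [SYN] Seq=0 Win=512 Len=0 MSS=1460
36 54.090438 172.16.112.50 135.13.216.191 TCP 60 29 → 23062 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
"""

# Sample 2 (constructed, documentation address ranges, not real hosts): many sources
# sending SYNs to one destination port, the "many to one" shape from the answer.
FLOOD_SAMPLE = """\
1 0.000100 203.0.113.11 198.51.100.10 TCP 60 40001 → 80 [SYN] Seq=0 Win=512 Len=0 MSS=1460
2 0.000200 203.0.113.12 198.51.100.10 TCP 60 40002 → 80 [SYN] Seq=0 Win=512 Len=0 MSS=1460
3 0.000300 203.0.113.13 198.51.100.10 TCP 60 40003 → 80 [SYN] Seq=0 Win=512 Len=0 MSS=1460
4 0.000400 203.0.113.14 198.51.100.10 TCP 60 40004 → 80 [SYN] Seq=0 Win=512 Len=0 MSS=1460
"""


def parse_packet_list(text):
    """Turn packet-list summary lines into dicts; non-matching lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        no, t, src, dst, proto, length, sport, dport, flags = m.groups()
        pkts.append({
            "no": int(no), "time": float(t), "src": src, "dst": dst, "proto": proto,
            "len": int(length), "sport": int(sport), "dport": int(dport),
            "flags": {f.strip() for f in flags.split(",")},
        })
    return pkts


def summarize(pkts):
    """Fan-out per source, fan-in per destination:port, and closed ports, over TCP packets.

    Only bare SYNs count as connection attempts. A RST,ACK coming back from the
    probed host means that port is closed; its source port is the probed port.
    """
    fan_out = defaultdict(set)   # src -> {(dst, dport)}
    fan_in = defaultdict(set)    # (dst, dport) -> {src}
    closed = set()               # (host, port) that answered a SYN with RST,ACK
    for p in pkts:
        if p["proto"] != "TCP":
            continue
        if p["flags"] == {"SYN"}:
            fan_out[p["src"]].add((p["dst"], p["dport"]))
            fan_in[(p["dst"], p["dport"])].add(p["src"])
        elif p["flags"] == {"RST", "ACK"}:
            closed.add((p["src"], p["sport"]))
    return fan_out, fan_in, closed


def classify(text, scan_min_targets=2, flood_min_sources=3):
    """Apply the answer's rule of thumb. Thresholds are deliberately tiny for these
    few-line samples (hypothetical defaults); raise them for a real capture."""
    fan_out, fan_in, closed = summarize(parse_packet_list(text))
    scanners = {s: sorted(t) for s, t in fan_out.items() if len(t) >= scan_min_targets}
    flooded = {f"{d}:{p}": sorted(s) for (d, p), s in fan_in.items()
               if len(s) >= flood_min_sources}
    if scanners and not flooded:
        verdict = "port-scan-like: one source to many destinations/ports"
    elif flooded and not scanners:
        verdict = "DDoS-like: many sources to one destination"
    elif scanners and flooded:
        verdict = "both patterns present"
    else:
        verdict = "no pattern above thresholds"
    return {"verdict": verdict, "scanners": scanners, "flooded": flooded,
            "closed_ports": sorted(closed)}


if __name__ == "__main__":
    for name, sample in (("scan sample", SCAN_SAMPLE), ("flood sample", FLOOD_SAMPLE)):
        print(name, "->", classify(sample)["verdict"])
```

On the five quoted lines the tally shows a single source (135.13.216.191) sending bare SYNs to consecutive ports on 172.16.112.50 and getting RST,ACK with Win=0 back, i.e. one source fanning out across ports; the constructed flood sample shows the inverse, four sources converging on one destination port. The parser only understands the packet-list summary format as copied from Wireshark; for a full capture the same counts are what Statistics -> Conversations and Statistics -> Endpoints give you directly, and the thresholds should be far higher than the toy defaults used here.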
