
If I have a network trace, how can I differentiate a DDOS attack from a port scan?

asked 2020-04-27 16:33:48 +0000

updated 2020-04-28 04:21:50 +0000

Guy Harris

Differentiation between DDoS and port scan.


1 Answer


answered 2020-04-27 19:27:01 +0000

Chuckc

Work down through the Wireshark Statistics menu.

Statistics -> Capture File Properties - get a feel for what's in capture.
Statistics -> Protocol Hierarchy - what's the traffic mix?
Statistics -> Conversations - who's talking to who?
Statistics -> Endpoints - a pattern may fall out of here that isn't apparent in Conversations.

I would expect a DDoS to be many sources to one (or few) destinations,
and a port scan to be one source to many destinations (IPs, ports).


Comments

Thank you for your reply. I don't have experience in Wireshark; is this a port scan or DDoS, and based on what?

32 42.070380 172.16.112.50 135.13.216.191 TCP 60 27 → 23060 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
33 48.079970 135.13.216.191 172.16.112.50 TCP 60 23061 → 28 [SYN] Seq=0 Win=512 Len=0 MSS=1460
34 48.080457 172.16.112.50 135.13.216.191 TCP 60 28 → 23061 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
35 54.089973 135.13.216.191 172.16.112.50 TCP 60 23062 → 29 [SYN] Seq=0 Win=512 Len=0 MSS=1460
36 54.090438 172.16.112.50 135.13.216.191 TCP 60 29 → 23062 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
37 60.099924 135.13 ...(more)

nnammar (2020-04-28 09:08:58 +0000)

Nmap Reference Guide is a pretty good start to learn about port scans.

Chuckc (2020-04-28 14:51:25 +0000)
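As an added example that is not part of the original thread, the script below applies Chuckc's rule of thumb (one source to many destination IPs/ports = port scan; many sources to one destination = DDoS-like) to Wireshark packet-list summary lines in the format nnammar pasted. The sample lines are constructed for the example (line 37 is completed in the same pattern), and the fan-out threshold is an assumption, not a Wireshark setting.

```python
import re
from collections import defaultdict

# Constructed sample in Wireshark's packet-list summary format
# (No. Time Source Destination Protocol Length Info); only SYNs count as attempts.
SAMPLE = """\
32 42.070380 172.16.112.50 135.13.216.191 TCP 60 27 → 23060 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
33 48.079970 135.13.216.191 172.16.112.50 TCP 60 23061 → 28 [SYN] Seq=0 Win=512 Len=0 MSS=1460
34 48.080457 172.16.112.50 135.13.216.191 TCP 60 28 → 23061 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
35 54.089973 135.13.216.191 172.16.112.50 TCP 60 23062 → 29 [SYN] Seq=0 Win=512 Len=0 MSS=1460
36 54.090438 172.16.112.50 135.13.216.191 TCP 60 29 → 23062 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
37 60.099924 135.13.216.191 172.16.112.50 TCP 60 23063 → 30 [SYN] Seq=0 Win=512 Len=0 MSS=1460
"""

# No. Time Src Dst TCP Len sport → dport [flags] ...
LINE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(\S+)\s+(\S+)\s+TCP\s+\d+\s+(\d+)\s+→\s+(\d+)\s+\[([^\]]*)\]"
)


def parse_syns(text):
    """Yield (src, dst, dport) for each bare SYN, i.e. each connection attempt."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip truncated or non-TCP lines
        src, dst, _sport, dport, flags = m.groups()
        if flags.strip() == "SYN":
            yield src, dst, int(dport)


def classify(text, fanout=3):
    """Return (verdict, (address, count)) using the answer's heuristic.
    fanout is an assumed threshold for 'many'; tune it for real captures."""
    targets_by_src = defaultdict(set)  # src -> {(dst, dport)}
    srcs_by_dst = defaultdict(set)     # dst -> {src}
    for src, dst, dport in parse_syns(text):
        targets_by_src[src].add((dst, dport))
        srcs_by_dst[dst].add(src)
    top_src = max(targets_by_src, key=lambda s: len(targets_by_src[s]), default=None)
    top_dst = max(srcs_by_dst, key=lambda d: len(srcs_by_dst[d]), default=None)
    if top_src is not None and len(targets_by_src[top_src]) >= fanout:
        return "port scan", (top_src, len(targets_by_src[top_src]))
    if top_dst is not None and len(srcs_by_dst[top_dst]) >= fanout:
        return "ddos-like", (top_dst, len(srcs_by_dst[top_dst]))
    return "inconclusive", None


if __name__ == "__main__":
    print(classify(SAMPLE))  # → ('port scan', ('135.13.216.191', 3))
```

The same counts are what Statistics -> Conversations and Statistics -> Endpoints show interactively; the script just makes the "one to many" versus "many to one" shape explicit.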
