If I have a network trace, how can I differentiate a DDOS attack from a port scan?
differentiation between ddos and port scan
differentiation between ddos and port scan
Work down through the Wireshark Statistics
menu.
Statistics -> Capture File Properties
- get a feel for what's in capture.
Statistics -> Protocol Hierarchy
- what's the traffic mix?
Statistics -> Conversations
- who's talking to who?
Statistics -> Endpoints
- a pattern may fall out of here that isn't apparent in Conversations.
Would expect a DDoS to many sources to one (or few) destinations.
And a port scan to be one source to many destinations (IPs, ports).
thank you for your reply, i don't have experience in wireshark is this a port scan or DDOS ? based on what 32 42.070380 172.16.112.50 135.13.216.191 TCP 60 27 → 23060 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0 33 48.079970 135.13.216.191 172.16.112.50 TCP 60 23061 → 28 [SYN] Seq=0 Win=512 Len=0 MSS=1460 34 48.080457 172.16.112.50 135.13.216.191 TCP 60 28 → 23061 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0 35 54.089973 135.13.216.191 172.16.112.50 TCP 60 23062 → 29 [SYN] Seq=0 Win=512 Len=0 MSS=1460 36 54.090438 172.16.112.50 135.13.216.191 TCP 60 29 → 23062 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0 37 60.099924 135.13 ...(more)
Nmap Reference Guide is a pretty good start to learn about port scans.
Please start posting anonymously - your entry will be published after you log in or create a new account.
Asked: 2020-04-27 16:33:48 +0000
Seen: 486 times
Last updated: Apr 28 '20