If I have a network trace, how can I differentiate a DDOS attack from a port scan?
differentiation between ddos and port scan
1 Answer
- Sort by
oldest newest most voted
2
Work down through the Wireshark Statistics menu.
Statistics -> Capture File Properties - get a feel for what's in capture.
Statistics -> Protocol Hierarchy - what's the traffic mix?
Statistics -> Conversations - who's talking to who?
Statistics -> Endpoints - a pattern may fall out of here that isn't apparent in Conversations.
Would expect a DDoS to many sources to one (or few) destinations.
And a port scan to be one source to many destinations (IPs, ports).
Comments
thank you for your reply, i don't have experience in wireshark is this a port scan or DDOS ? based on what 32 42.070380 172.16.112.50 135.13.216.191 TCP 60 27 → 23060 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0 33 48.079970 135.13.216.191 172.16.112.50 TCP 60 23061 → 28 [SYN] Seq=0 Win=512 Len=0 MSS=1460 34 48.080457 172.16.112.50 135.13.216.191 TCP 60 28 → 23061 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0 35 54.089973 135.13.216.191 172.16.112.50 TCP 60 23062 → 29 [SYN] Seq=0 Win=512 Len=0 MSS=1460 36 54.090438 172.16.112.50 135.13.216.191 TCP 60 29 → 23062 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0 37 60.099924 135.13 ...
Nmap Reference Guide is a pretty good start to learn about port scans.
Your Answer
Please start posting anonymously - your entry will be published after you log in or create a new account.
This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.
Comments