A very stupid filter using tshark to see HTTP DDoS statistics.

I made a filter to capture only TCP destination port 80. I want to see the requests and whether I receive any confirmation (ACK) in response.
## Filter explained

- Only TCP SYN requests: tcp.flags.syn==1 && tcp.flags.ack==0
- Only ACK responses: tcp.flags == 0x0010
- Statistics in 60 s intervals: io,stat,60,
### Legitimate traffic

```
tshark -n -l -qz "io,stat,60,tcp.flags.syn==1 && tcp.flags.ack==0,tcp.flags == 0x0010" -r http.pcap
```

```
===================================================================
IO Statistics
Interval: 60.000 secs
Column #0: tcp.flags.syn==1 && tcp.flags.ack==0
Column #1: tcp.flags == 0x0010
                |   Column #0    |   Column #1
Time            |frames|  bytes  |frames|  bytes
000.000-060.000      23      1702     92      6072
060.000-120.000      30      2220    120      7920
120.000-180.000      35      2590    137      9042
180.000-240.000      30      2220    120      7920
240.000-300.000      30      2220    120      7920
300.000-360.000      29      2146    116      7656
360.000-420.000      30      2220    120      7920
420.000-480.000      36      2664    141      9306
480.000-540.000      29      2146    116      7656
540.000-600.000      30      2220    120      7920
600.000-660.000       7       518     28      1848
```
### Malicious traffic

```
tshark -n -l -qz "io,stat,60,tcp.flags.syn==1 && tcp.flags.ack==0,tcp.flags == 0x0010" -r mal.pcap
```

```
===================================================================
IO Statistics
Interval: 60.000 secs
Column #0: tcp.flags.syn==1 && tcp.flags.ack==0
Column #1: tcp.flags == 0x0010
                |   Column #0    |   Column #1
Time            |frames|  bytes  |frames|  bytes
000.000-060.000   27422   1645320      0         0
060.000-120.000    8504    510240      0         0
120.000-180.000    1746    104802      6       396
===================================================================
```
In the legitimate capture, the number of requests (Column #0) and responses (Column #1) keeps a steady proportion. In the malicious capture, however, the volume of requests that get no response at all is striking. Since TCP SYN flooding attacks use forged source IP addresses, it is obvious that I would not receive any response.

If you run 'netstat -nautlp' on the attacked system, you will notice that the number of connections in SYN_RECV state increases exponentially.
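The comparison above is easy to automate. The following Python script is an added example, not part of the original paste: it parses the io,stat table that tshark prints for this two-column filter, computes the ACK-per-SYN ratio per interval, and flags intervals where many SYNs arrive but almost no ACKs follow. The two embedded tables are the figures shown above; the thresholds (at least 100 SYNs per interval, fewer than one ACK per SYN) are assumptions chosen for the example, not values from the page.

```python
import re
from dataclasses import dataclass
from typing import List

# Both tables are the tshark output shown on this page, pasted here as constants
# so the script runs offline (the header lines are kept to show they are skipped).
LEGIT_STATS = """\
===================================================================
IO Statistics
Interval: 60.000 secs
Column #0: tcp.flags.syn==1 && tcp.flags.ack==0
Column #1: tcp.flags == 0x0010
                |   Column #0    |   Column #1
Time            |frames|  bytes  |frames|  bytes
000.000-060.000      23      1702     92      6072
060.000-120.000      30      2220    120      7920
120.000-180.000      35      2590    137      9042
180.000-240.000      30      2220    120      7920
240.000-300.000      30      2220    120      7920
300.000-360.000      29      2146    116      7656
360.000-420.000      30      2220    120      7920
420.000-480.000      36      2664    141      9306
480.000-540.000      29      2146    116      7656
540.000-600.000      30      2220    120      7920
600.000-660.000       7       518     28      1848
"""

MAL_STATS = """\
===================================================================
IO Statistics
Interval: 60.000 secs
Column #0: tcp.flags.syn==1 && tcp.flags.ack==0
Column #1: tcp.flags == 0x0010
                |   Column #0    |   Column #1
Time            |frames|  bytes  |frames|  bytes
000.000-060.000   27422   1645320      0         0
060.000-120.000    8504    510240      0         0
120.000-180.000    1746    104802      6       396
===================================================================
"""

# One data row: "<start>-<end> <syn frames> <syn bytes> <ack frames> <ack bytes>"
ROW_RE = re.compile(
    r"^\s*(\d+\.\d+)-(\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)


@dataclass
class Interval:
    start: float
    end: float
    syn_frames: int   # Column #0: client SYNs (syn==1, ack==0)
    syn_bytes: int
    ack_frames: int   # Column #1: pure ACK segments (flags == 0x0010)
    ack_bytes: int

    @property
    def ack_per_syn(self) -> float:
        """ACK frames seen per SYN frame in this interval (0 when no SYNs)."""
        return self.ack_frames / self.syn_frames if self.syn_frames else 0.0


def parse_io_stat(text: str) -> List[Interval]:
    """Extract the per-interval rows from tshark's io,stat text output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # header, separator and column-name lines do not match
            rows.append(Interval(float(m[1]), float(m[2]), int(m[3]),
                                 int(m[4]), int(m[5]), int(m[6])))
    return rows


def overall_ack_per_syn(intervals: List[Interval]) -> float:
    """ACK/SYN ratio over the whole capture, used as the baseline."""
    syn = sum(iv.syn_frames for iv in intervals)
    ack = sum(iv.ack_frames for iv in intervals)
    return ack / syn if syn else 0.0


def flag_syn_flood(intervals: List[Interval], min_syn: int = 100,
                   min_ack_per_syn: float = 1.0) -> List[Interval]:
    """Intervals with a high SYN count but fewer than min_ack_per_syn ACKs per SYN.
    Thresholds are assumptions for this example; tune them to your own baseline."""
    return [iv for iv in intervals
            if iv.syn_frames >= min_syn and iv.ack_per_syn < min_ack_per_syn]


if __name__ == "__main__":
    for name, text in (("http.pcap", LEGIT_STATS), ("mal.pcap", MAL_STATS)):
        ivs = parse_io_stat(text)
        print(f"{name}: {len(ivs)} intervals, "
              f"{overall_ack_per_syn(ivs):.3f} ACKs per SYN overall")
        for iv in flag_syn_flood(ivs):
            print(f"  suspicious {iv.start:07.3f}-{iv.end:07.3f}: "
                  f"{iv.syn_frames} SYN, {iv.ack_frames} ACK")
```

Two caveats when reading the ratio. tcp.flags == 0x0010 matches every segment whose only flag is ACK (the client's third handshake packet, data acknowledgements and so on), not just the reply to a SYN, which is why the legitimate capture shows roughly four ACKs per SYN rather than one; the ratio still works as a baseline as long as both captures are measured with the same pair of filters. Also, the filters as written count every TCP port, not only port 80; prepending tcp.dstport==80 && to each column expression restricts the statistics to the HTTP traffic the title refers to.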
### Generate DDoS attack

```
sudo ./t50 -S --flood --dport 80 192.168.0.2
```

A better explanation than the RFC :)

http://www.youtube.com/watch?v=sUrM7_G_y7A