|
1
|
FILTER: {"$and": [{"Category" : "Availability.DoS"}, {"Node.Type": "Flow"}, {"Node.Type": "Statistical"}]}
|
|
2
|
!!! DOS 'Availability.DoS:Test_+++_Flow:Statistical_+++_*__+++_Abnormally_high_number_of_TCP_SYN_packets_received_by_x_(probably_SYN_flood_attack)': 4,
|
|
3
|
!!! DOS 'Availability.DoS:Test_+++_Flow:Statistical_+++_*__+++_Abnormally_high_number_of_packets_emmited_by_x_(probably_flooding_DoS_attack)': 2104,
|
|
4
|
!!! DOS 'Availability.DoS:Test_+++_Flow:Statistical_+++_*__+++_Abnormally_high_number_of_packets_received_by_x_(probably_flooding_DoS_attack)': 6323,
|
|
5
|
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_*__+++_*': 2,
|
|
6
|
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_*__+++_Abnormally_high_number_of_TCP_SYN_packets_emitted_by_x_(probably_SYN_flood_attack)': 27,
|
|
7
|
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_*__+++_Abnormally_high_number_of_TCP_SYN_packets_received_by_x_(probably_SYN_flood_attack)': 60,
|
|
8
|
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_*__+++_Abnormally_high_number_of_packets_emitted_by_x_(probably_flooding_DoS_attack)': 214,
|
|
9
|
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_*__+++_Abnormally_high_number_of_packets_received_by_x_(probably_flooding_DoS_attack)': 7106,
|
|
10
|
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_*__+++_x_received_abnormally_high_number_of_large_DNS_replies_-_probably_a_victim_of_DNS_amplification_DoS_attack': 3449,
|
|
11
|
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_Backscatter_+++_DNS_amplification': 1774,
|
|
12
|
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_Backscatter_+++_x_sent_abnormally_high_number_of_large_DNS_replies_-_it_was_probably_misused_for_DNS_amplification_DoS_attack': 2339,
|
|
13
|
LABEL_CZ: Útok typu odepření služby
|
|
14
|
LABEL_EN: Denial of service attack
|
|
15
|
SEVERITY: 1
|
|
16
|
URL: https://csirt.cesnet.cz/cs/services
|
|
17
|
|
|
18
|
---
|
|
19
|
|
|
20
|
!!! DOS 'Availability.DoS:Test_+++_Relay_+++_*__+++_Denial_of_service_attack': 28,
|
|
21
|
|
|
22
|
Flow
|
|
23
|
netflow based analysis (FTAS, FlowMon, …)
|
|
24
|
|
|
25
|
Statistical
|
|
26
|
statistical anomaly analysis (SpamAssassin, SSHGuard, usually netflow based detectors)
|
|
27
|
|
|
28
|
'Category': ['Availability.DoS', 'Test'],
|
|
29
|
'Description': 'Denial of service attack',
|
|
30
|
'DetectTime': b'\xdbV\xa3H\x00\x00\x00\x00',
|
|
31
|
'EventTime': b'\xdbV\xa3*\x00\x00\x00\x00',
|
|
32
|
'Format': 'IDEA0',
|
|
33
|
'ID': '64d21a6d-4680-42a3-9e7d-309ce3286bbc',
|
|
34
|
'Node': [ {'Name': 'cz.cesnet.mentat.warden_filer', 'Type': ['Relay']},
|
|
35
|
{ 'Name': 'org.liberouter.collector_invea.flowmonads',
|
|
36
|
'Type': ['Relay']}],
|
|
37
|
|
|
38
|
---
|
|
39
|
|
|
40
|
At its core NSHaRP leverages the power of Netreflex that uses netflow from the GÉANT network to detect and report on incidents.
|
|
41
|
!!! DOS 'Availability.DoS_+++_External:Policy_+++_*__+++_DoS_Attack': 24,
|
|
42
|
|
|
43
|
'Description': 'DoS Attack',
|
|
44
|
'DetectTime': b'\xda\xe6\xf1{\x00\x00\x00\x00',
|
|
45
|
'Duration': '00:00:59.8889999389648',
|
|
46
|
'Format': 'IDEA0',
|
|
47
|
'ID': '1-1463576318.645503-ZUHWK6m03eft',
|
|
48
|
'Node': [ {'Name': 'cz.cesnet.mentat.warden_filer', 'Type': ['Relay']},
|
|
49
|
{'Name': 'cz.cesnet.au1.warden_filer', 'Type': ['Relay']},
|
|
50
|
{ 'Name': 'cz.cesnet.ext.nsharp',
|
|
51
|
'SW': ['NSHARP'],
|
|
52
|
'Type': ['External', 'Policy']}],
|
|
53
|
'PacketCount': 1077600,
|
|
54
|
'Source': [ { 'IP4': [ { 'ip': b'\x93\xe7\x04\xa3',
|
|
55
|
'max': b'\x93\xe7\x04\xa3',
|
|
56
|
'min': b'\x93\xe7\x04\xa3'}],
|
|
57
|
'Port': [64992],
|
|
58
|
'Proto': ['TCP']}],
|
|
59
|
'Target': [ { 'IP4': [ { 'ip': b'_\xa8\xd0H',
|
|
60
|
'max': b'_\xa8\xd0H',
|
|
61
|
'min': b'_\xa8\xd0H'}],
|
|
62
|
|
|
63
|
---
|
|
64
|
FILTER: {"$and": [{"Category" : "Availability.DDoS"}, {"Source.Proto": "dns"}]}
|
|
65
|
!!! DOS 'Availability.DDoS_+++_Flow:Statistical_+++_Backscatter_+++_DNS_amplification': 1283,
|
|
66
|
!!! DOS 'Availibility.DDoS:Test_+++_*__+++_*__+++_DNS_amplification': 3826,
|
|
67
|
!!! DOS 'Availibility.DDoS_+++_*__+++_*__+++_DNS_amplification': 217,
|
|
68
|
!!! DOS 'Availibility.DDoS_+++_*__+++_Backscatter_+++_DNS_amplification': 801,
|
|
69
|
LABEL_CZ: Útok typu odepření služby (DNS amplification)
|
|
70
|
LABEL_EN: Distributed Denial of service attack (DNS amplification)
|
|
71
|
SEVERITY: 1
|
|
72
|
URL: https://csirt.cesnet.cz/cs/services
|