Feature #2903 » dos.txt

Radomír Orkáč, 10/17/2016 09:58 PM

FILTER: {"$and": [{"Category" : "Availability.DoS"}, {"Node.Type": "Flow"}, {"Node.Type": "Statistical"}]}
!!! DOS 'Availability.DoS:Test_+++_Flow:Statistical_+++_*__+++_Abnormally_high_number_of_TCP_SYN_packets_received_by_x_(probably_SYN_flood_attack)': 4,
!!! DOS 'Availability.DoS:Test_+++_Flow:Statistical_+++_*__+++_Abnormally_high_number_of_packets_emmited_by_x_(probably_flooding_DoS_attack)': 2104,
!!! DOS 'Availability.DoS:Test_+++_Flow:Statistical_+++_*__+++_Abnormally_high_number_of_packets_received_by_x_(probably_flooding_DoS_attack)': 6323,
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_*__+++_*': 2,
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_*__+++_Abnormally_high_number_of_TCP_SYN_packets_emitted_by_x_(probably_SYN_flood_attack)': 27,
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_*__+++_Abnormally_high_number_of_TCP_SYN_packets_received_by_x_(probably_SYN_flood_attack)': 60,
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_*__+++_Abnormally_high_number_of_packets_emitted_by_x_(probably_flooding_DoS_attack)': 214,
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_*__+++_Abnormally_high_number_of_packets_received_by_x_(probably_flooding_DoS_attack)': 7106,
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_*__+++_x_received_abnormally_high_number_of_large_DNS_replies_-_probably_a_victim_of_DNS_amplification_DoS_attack': 3449,
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_Backscatter_+++_DNS_amplification': 1774,
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_Backscatter_+++_x_sent_abnormally_high_number_of_large_DNS_replies_-_it_was_probably_misused_for_DNS_amplification_DoS_attack': 2339,
LABEL_CZ: Útok typu odepření služby
LABEL_EN: Denial of service attack
SEVERITY: 1
URL: https://csirt.cesnet.cz/cs/services

---

!!! DOS 'Availability.DoS:Test_+++_Relay_+++_*__+++_Denial_of_service_attack': 28,

Flow
netflow-based analysis (FTAS, FlowMon, …)

Statistical
statistical anomaly analysis (SpamAssassin, SSHGuard, usually netflow-based detectors)

    'Category': ['Availability.DoS', 'Test'],
    'Description': 'Denial of service attack',
    'DetectTime': b'\xdbV\xa3H\x00\x00\x00\x00',
    'EventTime': b'\xdbV\xa3*\x00\x00\x00\x00',
    'Format': 'IDEA0',
    'ID': '64d21a6d-4680-42a3-9e7d-309ce3286bbc',
    'Node': [   {'Name': 'cz.cesnet.mentat.warden_filer', 'Type': ['Relay']},
                {   'Name': 'org.liberouter.collector_invea.flowmonads',
                    'Type': ['Relay']}],

---

At its core, NSHaRP leverages Netreflex, which uses netflow from the GÉANT network to detect and report on incidents.
!!! DOS 'Availability.DoS_+++_External:Policy_+++_*__+++_DoS_Attack': 24,

    'Description': 'DoS Attack',
    'DetectTime': b'\xda\xe6\xf1{\x00\x00\x00\x00',
    'Duration': '00:00:59.8889999389648',
    'Format': 'IDEA0',
    'ID': '1-1463576318.645503-ZUHWK6m03eft',
    'Node': [   {'Name': 'cz.cesnet.mentat.warden_filer', 'Type': ['Relay']},
                {'Name': 'cz.cesnet.au1.warden_filer', 'Type': ['Relay']},
                {   'Name': 'cz.cesnet.ext.nsharp',
                    'SW': ['NSHARP'],
                    'Type': ['External', 'Policy']}],
    'PacketCount': 1077600,
    'Source': [   {   'IP4': [   {   'ip': b'\x93\xe7\x04\xa3',
                                     'max': b'\x93\xe7\x04\xa3',
                                     'min': b'\x93\xe7\x04\xa3'}],
                      'Port': [64992],
                      'Proto': ['TCP']}],
    'Target': [   {   'IP4': [   {   'ip': b'_\xa8\xd0H',
                                     'max': b'_\xa8\xd0H',
                                     'min': b'_\xa8\xd0H'}],
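The two event fragments above are pretty-printed records as they sit in Mentat's event store, with the time fields and the IPv4 'ip'/'min'/'max' values kept as packed bytes rather than the text form used in IDEA JSON. The following Python is an example added here, not code from the attachment or from Mentat, and it rests on two assumptions the page does not state: that the 8-byte time values are 64-bit NTP timestamps (32-bit big-endian seconds since 1900 followed by a 32-bit fraction) and that the 4-byte address values are network-order IPv4. The NTP reading agrees with the page's own numbers: the NSHaRP event's DetectTime decodes to 2016-05-18T13:49:47Z, about 51 minutes after the Unix time 1463576318 embedded in its ID, and the FlowMon event's EventTime lands exactly 30 seconds before its DetectTime. The time bytes below are the ones shown on the page; the address bytes are constructed values from the 192.0.2.0/24 documentation range, not the page's.

```python
import struct
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Address

NTP_UNIX_OFFSET = 2_208_988_800  # seconds from 1900-01-01 to 1970-01-01

# IDEA timestamp keys that a stored event may carry
TIME_KEYS = ("DetectTime", "EventTime", "CeaseTime", "CreateTime", "WinStartTime", "WinEndTime")


def decode_ntp64(raw: bytes) -> datetime:
    """Decode an 8-byte NTP timestamp: big-endian 32-bit seconds since 1900, then a
    32-bit binary fraction. Assumption: this is how the page's time fields are encoded."""
    if len(raw) != 8:
        raise ValueError(f"NTP timestamp must be 8 bytes, got {len(raw)}")
    seconds, fraction = struct.unpack(">II", raw)
    micros = fraction * 1_000_000 // 2**32
    base = datetime.fromtimestamp(seconds - NTP_UNIX_OFFSET, tz=timezone.utc)
    return base + timedelta(microseconds=micros)


def decode_ip4(raw: bytes) -> IPv4Address:
    """Decode a 4-byte network-order IPv4 address. Assumption: the 'ip'/'min'/'max'
    fields use this form."""
    if len(raw) != 4:
        raise ValueError(f"IPv4 address must be 4 bytes, got {len(raw)}")
    return IPv4Address(raw)


def decode_ranges(ranges):
    """Turn every packed value inside an IP4 range list into dotted-quad text."""
    return [{k: str(decode_ip4(v)) if isinstance(v, bytes) else v for k, v in rng.items()}
            for rng in ranges]


def decode_event(event: dict) -> dict:
    """Return a copy of the stored record with binary time and IPv4 fields made readable."""
    out = dict(event)
    for key in TIME_KEYS:
        if isinstance(out.get(key), bytes):
            out[key] = decode_ntp64(out[key]).isoformat()
    for side in ("Source", "Target"):
        if side in out:
            out[side] = [dict(ep, IP4=decode_ranges(ep["IP4"])) if "IP4" in ep else dict(ep)
                         for ep in out[side]]
    return out


def detection_lag_seconds(event: dict) -> float:
    """Seconds from EventTime to DetectTime; a negative value means a clock problem
    on the detector and is worth alerting on before the event is trusted."""
    return (decode_ntp64(event["DetectTime"]) - decode_ntp64(event["EventTime"])).total_seconds()


# Constructed samples: time bytes as shown on the page, addresses from 192.0.2.0/24.
FLOWMON_EVENT = {
    "Category": ["Availability.DoS", "Test"],
    "Description": "Denial of service attack",
    "DetectTime": b"\xdbV\xa3H\x00\x00\x00\x00",
    "EventTime": b"\xdbV\xa3*\x00\x00\x00\x00",
    "Format": "IDEA0",
}
NSHARP_EVENT = {
    "Description": "DoS Attack",
    "DetectTime": b"\xda\xe6\xf1{\x00\x00\x00\x00",
    "Format": "IDEA0",
    "ID": "1-1463576318.645503-ZUHWK6m03eft",
    "PacketCount": 1077600,
    "Source": [{"IP4": [{"ip": b"\xc0\x00\x02\x0a", "min": b"\xc0\x00\x02\x0a", "max": b"\xc0\x00\x02\x0a"}],
                "Port": [64992], "Proto": ["TCP"]}],
    "Target": [{"IP4": [{"ip": b"\xc0\x00\x02\x63", "min": b"\xc0\x00\x02\x63", "max": b"\xc0\x00\x02\x63"}]}],
}

if __name__ == "__main__":
    from pprint import pprint
    pprint(decode_event(NSHARP_EVENT))
    print("FlowMon detection lag:", detection_lag_seconds(FLOWMON_EVENT), "s")
```

The length checks matter when this runs over a whole collection: a truncated or mis-typed field should fail loudly rather than decode to a wrong address or time that then ends up in a report.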
62

    
---
FILTER: {"$and": [{"Category" : "Availability.DDoS"}, {"Source.Proto": "dns"}]}
!!! DOS 'Availability.DDoS_+++_Flow:Statistical_+++_Backscatter_+++_DNS_amplification': 1283,
!!! DOS 'Availibility.DDoS:Test_+++_*__+++_*__+++_DNS_amplification': 3826,
!!! DOS 'Availibility.DDoS_+++_*__+++_*__+++_DNS_amplification': 217,
!!! DOS 'Availibility.DDoS_+++_*__+++_Backscatter_+++_DNS_amplification': 801,
LABEL_CZ: Útok typu odepření služby (DNS amplification)
LABEL_EN: Distributed Denial of service attack (DNS amplification)
SEVERITY: 1
URL: https://csirt.cesnet.cz/cs/services
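Both FILTER lines in this note are MongoDB queries over stored IDEA events, and the '!!! DOS' lines under them count events per aggregation key. The Python below is an added example, not code from the attachment or from Mentat, serving both records. It evaluates the two filters with the array semantics MongoDB applies to dotted paths (a condition on "Node.Type" holds if any Node entry's Type list contains the value, and equality is exact and case-sensitive), and it parses the count lines back into fields. The key layout it assumes, Category, Node.Type, Source.Type and Description joined by '_+++_' with '*' (written '*_' in the middle positions) for a missing value and ':' joining multi-valued fields, is inferred from the keys on the page (for instance 'Backscatter' is an IDEA Source.Type value), not documented there. The events it runs the filters over are constructed; the count lines are the DNS-related ones copied from the two records.

```python
import json
import re
from collections import Counter

SEP = "_+++_"
LINE_RE = re.compile(r"^!!! DOS '(?P<key>[^']*)': (?P<count>\d+),?$")

# The two FILTER lines as written in the attachment.
DOS_FILTER = json.loads(
    '{"$and": [{"Category" : "Availability.DoS"}, {"Node.Type": "Flow"}, {"Node.Type": "Statistical"}]}')
DDOS_DNS_FILTER = json.loads('{"$and": [{"Category" : "Availability.DDoS"}, {"Source.Proto": "dns"}]}')

# Subset of the count lines copied from the attachment (the DNS-related ones).
SAMPLE_LINES = """\
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_*__+++_x_received_abnormally_high_number_of_large_DNS_replies_-_probably_a_victim_of_DNS_amplification_DoS_attack': 3449,
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_Backscatter_+++_DNS_amplification': 1774,
!!! DOS 'Availability.DoS_+++_Flow:Statistical_+++_Backscatter_+++_x_sent_abnormally_high_number_of_large_DNS_replies_-_it_was_probably_misused_for_DNS_amplification_DoS_attack': 2339,
!!! DOS 'Availability.DDoS_+++_Flow:Statistical_+++_Backscatter_+++_DNS_amplification': 1283,
!!! DOS 'Availibility.DDoS:Test_+++_*__+++_*__+++_DNS_amplification': 3826,
!!! DOS 'Availibility.DDoS_+++_*__+++_*__+++_DNS_amplification': 217,
!!! DOS 'Availibility.DDoS_+++_*__+++_Backscatter_+++_DNS_amplification': 801,
"""


def resolve(doc, path):
    """MongoDB-style dotted lookup: descend through dicts, fan out through arrays,
    and return every leaf value reached (array leaves are flattened one level)."""
    nodes = [doc]
    for part in path.split("."):
        nxt = []
        for node in nodes:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        nodes = nxt
    leaves = []
    for value in nodes:
        leaves.extend(value if isinstance(value, list) else [value])
    return leaves


def matches(doc, query):
    """Evaluate the query subset the FILTER lines use: $and, $or and exact equality."""
    for key, cond in query.items():
        if key == "$and":
            if not all(matches(doc, sub) for sub in cond):
                return False
        elif key == "$or":
            if not any(matches(doc, sub) for sub in cond):
                return False
        elif cond not in resolve(doc, key):  # exact, case-sensitive comparison
            return False
    return True


def select(events, query):
    """IDs of the events the query would return."""
    return [e["ID"] for e in events if matches(e, query)]


def parse_key(key):
    """Split an aggregation key into its four fields (layout is an assumption, see lead-in)."""
    fields = key.split(SEP)
    if len(fields) != 4:
        raise ValueError(f"unexpected key layout: {key!r}")
    cat, node_type, src_type, desc = ("*" if f == "*_" else f for f in fields)

    def split(field):
        return [] if field == "*" else field.split(":")

    return {"Category": split(cat), "Node.Type": split(node_type),
            "Source.Type": split(src_type), "Description": desc}


def parse_lines(text):
    """(parsed key, count) for every '!!! DOS' line in the text."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((parse_key(m["key"]), int(m["count"])))
    return rows


def totals_by(rows, field):
    """Sum the counts per value of one key field ('*' for a missing value)."""
    totals = Counter()
    for key, count in rows:
        value = key[field]
        label = ":".join(value) if isinstance(value, list) else value
        totals[label or "*"] += count
    return totals


# Constructed IDEA-like events (not from the page) exercising the filter semantics.
EVENTS = [
    {"ID": "ev-1", "Category": ["Availability.DoS"],
     "Node": [{"Name": "cz.example.flowmon", "Type": ["Flow", "Statistical"]}],
     "Source": [{"IP4": ["192.0.2.10"], "Proto": ["tcp"]}]},
    {"ID": "ev-2", "Category": ["Availability.DoS", "Test"],
     "Node": [{"Name": "cz.example.warden_filer", "Type": ["Relay"]}]},
    {"ID": "ev-3", "Category": ["Availability.DDoS"],
     "Source": [{"IP4": ["192.0.2.53"], "Proto": ["dns"], "Type": ["Backscatter"]}]},
    {"ID": "ev-4", "Category": ["Availibility.DDoS"],  # misspelled category, as in some page keys
     "Source": [{"IP4": ["192.0.2.54"], "Proto": ["dns"]}]},
    {"ID": "ev-5", "Category": ["Availability.DoS"],  # Flow and Statistical on different nodes
     "Node": [{"Name": "cz.example.relay", "Type": ["Flow"]},
              {"Name": "cz.example.detector", "Type": ["Statistical"]}]},
]

if __name__ == "__main__":
    print("DoS filter    ->", select(EVENTS, DOS_FILTER))
    print("DDoS/dns      ->", select(EVENTS, DDOS_DNS_FILTER))
    rows = parse_lines(SAMPLE_LINES)
    print("per category  ->", dict(totals_by(rows, "Category")))
    print("per Source.Type ->", dict(totals_by(rows, "Source.Type")))
```

Two things the run makes visible. ev-5 satisfies the first filter even though no single Node carries both types, because MongoDB evaluates each array condition on its own; requiring both on the same element needs $elemMatch. And the exact-match DDoS filter skips ev-4, which is what happens to the 3826 + 217 + 801 events whose category is spelled 'Availibility.DDoS' in the second record: they sum in a category of their own instead of under 'Availability.DDoS'.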