The below output represents a DoS attack that occurred last night.
Start             End               Sif SrcIPaddress         SrcP DIf DstIPaddress       DstP P   Fl Pkts Octets
0711.20:02:26.187 0711.20:02:26.187 29  attacker.ip.add.ress 0    27  victim.ip.add.ress 0    33  0  1    1500
0711.20:02:26.223 0711.20:02:26.323 29  attacker.ip.add.ress 0    27  victim.ip.add.ress 0    116 0  2    3000
0711.20:02:26.247 0711.20:02:26.247 29  attacker.ip.add.ress 0    27  victim.ip.add.ress 0    94  0  1    1500
0711.20:02:26.247 0711.20:02:26.247 29  attacker.ip.add.ress 0    27  victim.ip.add.ress 0    212 0  1    1500
0711.20:02:26.255 0711.20:02:26.255 29  attacker.ip.add.ress 0    27  victim.ip.add.ress 0    146 0  1    1500
0711.20:02:26.271 0711.20:02:26.271 29  attacker.ip.add.ress 0    27  victim.ip.add.ress 0    101 0  1    1500
0711.20:02:26.275 0711.20:02:26.275 29  attacker.ip.add.ress 0    27  victim.ip.add.ress 0    60  0  1    1500
0711.20:02:26.335 0711.20:02:26.335 29  attacker.ip.add.ress 0    27  victim.ip.add.ress 0    123 0  1    1500
Is this a "netflow thing" to show the source port/dst port as 0 or did they
actually attack port 0? (or are they fragments?)
thanks,
-Drew
_______________________________________________
Flow-tools mailing list
[email protected]
http://mailman.splintered.net/mailman/listinfo/flow-tools
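An added triage helper (not from the post or from flow-tools) that parses flow-print rows like the ones above and separates the two explanations asked about: NetFlow v5 records ports only for TCP and UDP (ICMP packs type/code into DstP), so every other IP protocol is exported with 0 in both port fields, while TCP/UDP rows with both ports 0 are the ones worth examining as non-initial fragments. The sample rows and the addresses in them are constructed placeholders.

```python
from collections import Counter

# Constructed sample in flow-tools flow-print style, patterned on the rows in
# the post; the IP addresses are placeholders, not real hosts.
SAMPLE = """\
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
0711.20:02:26.187 0711.20:02:26.187 29 attacker.ip.add.ress 0 27 victim.ip.add.ress 0 33 0 1 1500
0711.20:02:26.223 0711.20:02:26.323 29 attacker.ip.add.ress 0 27 victim.ip.add.ress 0 116 0 2 3000
0711.20:02:26.247 0711.20:02:26.247 29 attacker.ip.add.ress 0 27 victim.ip.add.ress 0 94 0 1 1500
0711.20:02:26.335 0711.20:02:26.335 29 attacker.ip.add.ress 0 27 victim.ip.add.ress 0 123 0 1 1500
"""

FIELDS = ["start", "end", "sif", "src", "srcp", "dif", "dst", "dstp",
          "proto", "flags", "pkts", "octets"]
INT_FIELDS = {"sif", "srcp", "dif", "dstp", "proto", "flags", "pkts", "octets"}
PORT_BEARING = {6, 17}  # TCP, UDP: the only protocols whose ports NetFlow v5 records

def parse_flow_print(text):
    """Parse whitespace-separated flow-print rows into dicts, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "Start":
            continue
        rec = dict(zip(FIELDS, parts))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        rows.append(rec)
    return rows

def explain_zero_ports(rows):
    """Classify why SrcP/DstP are 0. NetFlow v5 fills the port fields only for
    TCP and UDP (ICMP packs type/code into DstP); every other IP protocol is
    exported with both ports 0, and non-initial TCP/UDP fragments also show 0
    because they carry no transport header."""
    zero_port = [r for r in rows if r["srcp"] == 0 and r["dstp"] == 0]
    non_l4 = [r for r in zero_port if r["proto"] not in PORT_BEARING | {1}]
    l4_zero = [r for r in zero_port if r["proto"] in PORT_BEARING]
    return {
        "flows": len(rows),
        "pkts": sum(r["pkts"] for r in rows),
        "octets": sum(r["octets"] for r in rows),
        "protocols": Counter(r["proto"] for r in rows),
        "zero_ports_from_non_tcp_udp": len(non_l4),  # export artifact, not port 0
        "possible_fragments": len(l4_zero),  # TCP/UDP rows with both ports 0
    }

if __name__ == "__main__":
    for key, value in explain_zero_ports(parse_flow_print(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run it against real output with `flow-cat ... | flow-print | python3 script.py` style piping by replacing `SAMPLE` with `sys.stdin.read()`; a high count under `zero_ports_from_non_tcp_udp` with many distinct protocol numbers points at the protocol field, not at port 0, as the thing to filter on.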