Argus Flow reversal with ECRs ?? (fwd)
Russell Fulton
r.fulton at auckland.ac.nz
Tue Feb 15 20:51:36 EST 2000
On Tue, 15 Feb 2000 17:22:58 -0800 (PST) Peter Van Epp <vanepp at sfu.ca>
wrote:
> These analysis papers give the expected replies (which may have changed
> in the wild as a result):
>
> http://staff.washington.edu/dittrich/misc/trinoo.analysis
> http://staff.washington.edu/dittrich/misc/tfn.analysis
>
Is anyone else pondering how to detect communication between master and
slave for these ddos systems using Argus? Systems like TFN2K hide
content by encryption, use random ports, and use random padding to
aid concealment. It seems to me that the only way to detect the traffic is by
establishing a baseline profile for local systems and then looking for
changes. In an environment like ours (with 1000s of uncontrolled hosts)
this is impractical.
These systems are evolving quite quickly and I suspect that we will soon
see versions that deliberately mimic the traffic patterns of existing
services (ICQ or ftp control would be good candidates) so that one
can't use statistical methods either.
Russell Fulton, The University of Auckland. New Zealand.
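The baseline-and-deviation approach sketched in the post, as an added example that is neither the poster's code nor part of Argus: it assumes flow records already reduced to (src, dst, proto, dport, bytes) tuples, constructed here rather than taken from real ra(1) output, and flags a host whose count of distinct peers in a window jumps well above its own history.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records in a simplified ra(1)-like layout; not real Argus output.
# Each tuple: (src_host, dst_host, proto, dst_port, bytes)
BASELINE_WINDOWS = [
    [("10.0.0.5", "10.0.1.1", "tcp", 80, 1200), ("10.0.0.5", "10.0.1.2", "tcp", 25, 800),
     ("10.0.0.7", "10.0.1.1", "tcp", 80, 3000)],
    [("10.0.0.5", "10.0.1.1", "tcp", 80, 1100), ("10.0.0.5", "10.0.1.3", "tcp", 80, 900),
     ("10.0.0.7", "10.0.1.1", "tcp", 80, 2800)],
    [("10.0.0.5", "10.0.1.2", "tcp", 25, 700), ("10.0.0.5", "10.0.1.1", "tcp", 80, 1300),
     ("10.0.0.7", "10.0.1.1", "tcp", 80, 3100)],
]
# Observed window (constructed): 10.0.0.7 suddenly talks to several new peers
# on assorted high ports with small, uniform payloads.
OBSERVED = [
    ("10.0.0.5", "10.0.1.1", "tcp", 80, 1250),
    ("10.0.0.7", "10.0.1.1", "tcp", 80, 2900),
    ("10.0.0.7", "192.0.2.10", "udp", 31337, 60),
    ("10.0.0.7", "192.0.2.11", "udp", 4711, 60),
    ("10.0.0.7", "192.0.2.12", "udp", 9876, 60),
    ("10.0.0.7", "192.0.2.13", "udp", 52000, 60),
]

def profile(flows):
    """Per source host: number of distinct (dst, proto, dport) peers in one window."""
    peers = defaultdict(set)
    for src, dst, proto, dport, _ in flows:
        peers[src].add((dst, proto, dport))
    return {host: len(p) for host, p in peers.items()}

def deviations(windows, observed, z=2.0):
    """Flag hosts whose distinct-peer count exceeds mean + z*stdev of their own
    baseline windows, and hosts that have no baseline at all (never seen before)."""
    profiles = [profile(w) for w in windows]
    hosts = set().union(*profiles)
    history = {h: [p.get(h, 0) for p in profiles] for h in hosts}
    flagged = {}
    for host, count in profile(observed).items():
        if host not in history:
            flagged[host] = "no baseline"
            continue
        mu, sigma = mean(history[host]), pstdev(history[host])
        # Floor on sigma so a perfectly flat baseline still tolerates +z new peers.
        if count > mu + z * max(sigma, 1.0):
            flagged[host] = f"{count} distinct peers vs baseline {mu:.1f}+/-{sigma:.1f}"
    return flagged
```

Per-host history is the expensive part: with thousands of uncontrolled hosts the baselines must be kept and refreshed for every one of them, which is the scaling problem the post points at.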