Argus Flow reversal with ECRs ?? (fwd)

Russell Fulton r.fulton at
Tue Feb 15 20:51:36 EST 2000

On Tue, 15 Feb 2000 17:22:58 -0800 (PST) Peter Van Epp <vanepp at> 

> 	These analysis papers give the expected replies (which may have changed
> in the wild as a result:

Is anyone else pondering how to detect communication between master and 
slave for these ddos systems using Argus?  Systems like TFN2K which 
hide content by encryption, use random ports, and random padding to 
aid concelment It seems to me that the only way to detect traffic is by 
establishing baseline profile for local systems and then looking for 
changes.  In an enviroment like ours (with 1000s of uncontrolled hosts) 
this is impractical.  

These system are evolving quite quickly and I suspect that we will soon 
see versions that deliberately mimic traffic patterns of existing 
services (ICQ or ftp control would be a good canidates) so that one 
can't use statistical methods either.

Russell Fulton,  The University of Auckland.  New Zealand.

More information about the argus mailing list