detecting syn-ack
Riccardo Veraldi
Riccardo.Veraldi at cnaf.infn.it
Wed Jul 14 09:26:26 EDT 2010
hello,
I would like to print all the SYN/ACK occurrences to detect possible SYN
flood attacks.
Data is collected using radium, reading from a Netflow source.
I use a filter like this:
ra -r radium.out - proto TCP and syn
Anyway, I did not expect to also see FIN packets:
ra -r radium.out - proto TCP and syn | grep FIN
11:55:54.832000 Ne tcp 1.8.247.1.http -> 100.0.7.3.19333 4 216 FIN
11:55:53.648000 Ne tcp 1.1.97.1.http -> 100.0.7.3.61745 4 216 FIN
11:55:54.000000 Ne tcp 100.0.194.1.http -> 100.0.7.3.9159 3 565 FIN
11:55:54.600000 Ne tcp 1.0.78.6.http -> 100.0.7.3.62652 3 164 FIN
11:55:54.864000 Ne tcp 197.0.23.1.http -> 100.0.7.3.11496 4 216 FIN
11:55:55.916000 Ne tcp 1.1.104.1.http -> 100.0.7.3.3783 3 164 FIN
11:55:55.092000 Ne tcp 197.0.111.1.http -> 100.0.7.3.11604 4 216 FIN
11:55:55.220000 Ne tcp 1.1.103.1.http -> 100.0.7.3.7808 3 164 FIN
11:55:55.988000 Ne tcp 1.8.247.1.http -> 100.0.7.3.19342 3 164 FIN
11:55:56.036000 Ne tcp 197.0.78.3.http -> 100.0.7.3.9540 4 216 FIN
11:55:56.112000 Ne tcp 1.1.109.1.http -> 100.0.7.3.5153 3 164 FIN
11:55:56.256000 Ne tcp 1.12.83.1.http -> 100.0.7.3.22307 3 164 FIN
11:55:56.264000 Ne tcp 1.8.247.1.http -> 100.0.7.3.19349 4 216 FIN
11:55:56.324000 Ne tcp 1.0.44.1.http -> 100.0.7.3.9434 3 164 FIN
11:55:56.372000 Ne tcp 1.8.247.1.http -> 100.0.7.3.19351 4 216 FIN
Is this normal?
Shouldn't I see only something like CON or EST or ACC?
thanks
Riccardo
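Added example, not from the post or from Argus: a small Python check that separates half-open flows from completed ones, because every completed TCP flow also began with a SYN, so a filter on the SYN flag alone matches EST and FIN records too. The simplified record layout, the REQ state used to mark a SYN with no reply, and the alert thresholds are constructed assumptions, not Argus definitions.

```python
import re
from collections import defaultdict

# Constructed sample flow records in a simplified ra-like layout
# (time proto src -> dst pkts bytes state); not real Argus output.
# "REQ" is assumed here to mean a SYN was seen but no reply followed.
SAMPLE_RECORDS = """\
11:55:54.832000 tcp 1.8.247.1.http -> 100.0.7.3.19333 4 216 FIN
11:55:54.840000 tcp 203.0.113.7.40001 -> 100.0.7.3.http 1 60 REQ
11:55:54.841000 tcp 203.0.113.7.40002 -> 100.0.7.3.http 1 60 REQ
11:55:54.842000 tcp 203.0.113.7.40003 -> 100.0.7.3.http 1 60 REQ
11:55:54.850000 tcp 198.51.100.5.51000 -> 100.0.7.3.http 6 900 EST
11:55:54.860000 tcp 203.0.113.8.40004 -> 100.0.7.3.http 1 60 REQ
11:55:54.880000 tcp 198.51.100.5.51001 -> 100.0.7.4.http 5 700 EST
11:55:54.890000 tcp 203.0.113.9.40005 -> 100.0.7.4.http 1 60 REQ
"""
RECORD_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<state>\S+)$"
)
HALF_OPEN_STATES = {"REQ"}  # assumed: handshake never progressed past SYN

def parse_records(text):
    """Parse the simplified records, skipping lines that do not match."""
    return [m.groupdict() for m in map(RECORD_RE.match, text.splitlines()) if m]

def half_open_summary(records):
    """Per destination host: (all TCP flows, flows stuck half-open).
    Completed flows (CON/EST/FIN) also began with a SYN, so a SYN-only
    filter matches them; only the half-open ones point at a flood."""
    summary = defaultdict(lambda: [0, 0])
    for r in records:
        if r["proto"] != "tcp":
            continue
        host = r["dst"].rsplit(".", 1)[0]  # drop the port / service label
        summary[host][0] += 1
        summary[host][1] += r["state"] in HALF_OPEN_STATES
    return {h: tuple(v) for h, v in summary.items()}

def suspicious_hosts(records, min_half_open=3, min_ratio=0.5):
    """Hosts whose half-open count and half-open share both exceed thresholds."""
    return sorted(
        host for host, (total, half) in half_open_summary(records).items()
        if half >= min_half_open and half / total > min_ratio
    )

if __name__ == "__main__":
    for host, (total, half) in half_open_summary(parse_records(SAMPLE_RECORDS)).items():
        print(f"{host}: {half} of {total} TCP flows half-open")
    print("suspicious:", suspicious_hosts(parse_records(SAMPLE_RECORDS)))
```

On the sample data only 100.0.7.3 is reported, because 100.0.7.4 has a single half-open flow and falls below both thresholds.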
More information about the argus mailing list