How to Monitor Distributed Denial of Service Attacks
Source: original article from this site | Author: unknown
The network traffic generated by DDoS tools is of two kinds: control traffic (between the DDoS client and the DDoS server) and attack traffic (between the DDoS server and the target host).

By writing rules for the anomalies below into a network intrusion detection system, a DDoS attack can be monitored accurately.

Anomaly 0: Although this is not real "DDoS" traffic, it can be used to identify the source of a DDoS attack. Analysis shows that an attacker always resolves the target's hostname before launching a DDoS attack. A BIND DNS server can log these requests. Because every attacking server issues a reverse PTR query before the attack, the DNS server receives many reverse PTR queries for the target's IP address in the period before the DDoS attack begins.

Anomaly 1: When a site is under DDoS attack, traffic clearly exceeding the maximum volume seen during normal operation appears. Current technology can compute a separate threshold for each source address. Traffic that clearly exceeds this threshold indicates the presence of DDoS attack traffic, so ACL access control rules can be installed on the backbone routers to monitor and filter it.

Anomaly 2: Oversized ICMP and UDP packets. Normal UDP sessions generally use small UDP packets, typically with a payload of no more than 10 bytes. Normal ICMP messages also do not exceed 64 to 128 bytes. Packets much larger than this are very likely to be control traffic, mainly containing the encrypted target address and a few command options. Once (unforged) control traffic is captured, the location of the DDoS server has nowhere to hide, because the destination address of control traffic packets is not forged.

Anomaly 3: TCP and UDP packets that do not belong to a normal connection. The most covert DDoS tools randomly use a variety of communication protocols (including connection-oriented ones) to transmit data over connectionless channels. Good firewalls and routers can detect these packets with rules. In addition, packets whose destination port is above 1024 and does not belong to a commonly used network service are also highly suspicious.

Anomaly 4: Packets whose payload contains only letters and digits (for example, no spaces, punctuation or control characters). This is usually the signature of Base64-encoded data, which can contain only characters from the Base64 character set. The control packets transmitted by TFN2K are exactly this kind of packet. A characteristic of TFN2K (and its variants) is a string of 'A' characters (AAA...) in the payload, which results from adjusting the payload size and then applying the encryption algorithm. If Base64 encoding is not used and only the encryption algorithm is applied to the packet data, this repeated character is "Θ".
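As an added example (not code from the original article), the following Python classifier applies the anomaly 2, 3 and 4 heuristics above to constructed sample packets; the packet layout, the allow-list of known high ports and the minimum trailing-'A' run length are assumptions made here.

```python
import string
from dataclasses import dataclass

# Thresholds taken from the text: UDP payload > 10 bytes, ICMP > 128 bytes.
UDP_MAX, ICMP_MAX = 10, 128
BASE64_CHARS = set(string.ascii_letters + string.digits + "+/=")
KNOWN_HIGH_PORTS = {3306, 8080}   # assumed allow-list of services this site runs above 1024
TRAILING_A_MIN = 4                # assumed: shortest 'A' run treated as TFN2K-style padding

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    dst_port: int         # 0 for ICMP
    payload: bytes
    established: bool = True  # TCP/UDP: does it belong to a session the tracker knows?

def oversized(pkt: Packet) -> bool:
    """Anomaly 2: payload larger than the normal size for its protocol."""
    if pkt.proto == "udp":
        return len(pkt.payload) > UDP_MAX
    if pkt.proto == "icmp":
        return len(pkt.payload) > ICMP_MAX
    return False

def base64_only(payload: bytes) -> bool:
    """Anomaly 4: every byte is in the Base64 alphabet (no spaces, punctuation, control chars)."""
    return len(payload) > 0 and all(chr(b) in BASE64_CHARS for b in payload)

def trailing_a_run(payload: bytes) -> int:
    """Length of the run of 'A' (0x41) bytes at the end of the payload."""
    n = 0
    for b in reversed(payload):
        if b != 0x41:
            break
        n += 1
    return n

def classify(pkt: Packet) -> list:
    """Return the list of anomaly tags that fire for one packet (empty = looks normal)."""
    tags = []
    if oversized(pkt):
        tags.append("anomaly2:oversized")
    if pkt.proto in ("tcp", "udp") and not pkt.established:
        tags.append("anomaly3:no_session")
    if pkt.dst_port > 1024 and pkt.dst_port not in KNOWN_HIGH_PORTS:
        tags.append("anomaly3:unknown_high_port")
    if base64_only(pkt.payload):
        tags.append("anomaly4:base64_only")
        if trailing_a_run(pkt.payload) >= TRAILING_A_MIN:
            tags.append("anomaly4:tfn2k_padding")
    return tags

# Constructed sample traffic: a normal DNS query, an oversized Base64-looking ICMP
# packet padded with trailing 'A's, and a sessionless TCP packet to an odd high port.
SAMPLE = [
    Packet("udp", 53, b"\x12\x34\x01\x00"),
    Packet("icmp", 0, b"QUJDREVGR0hJ" * 25 + b"AAAAAAAA"),
    Packet("tcp", 31337, b"hello world", established=False),
]
```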
