fgilloteau_FTNT
Article Id 192995
Description
This article describes how DDoS attack logs are generated when a DoS sensor is matched, and what the numbers in the log message mean.

Solution
Attack logs are generated every 30 seconds from the beginning of the attack, or sooner if the traffic stops before the 30-second mark (that is, when the attack does not last more than 30 seconds).

The first number xxx in "xxx > threshold yyy" is the number of packets received during the last second before the log was triggered; yyy is the threshold configured on the sensor.

The number aaa in "repeats aaa times" is the number of aggregated entries, that is, the number of packets that matched the threshold between the previous log and the current one.
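The following Python model, added here as an illustration and not Fortinet's code, reproduces the logging behaviour described above (a log every 30 seconds while the sensor is matched, a final log when traffic stops early, xxx as the rate of the latest second, aaa as the packets aggregated since the previous log, and only the last seen source surviving aggregation) and parses the "xxx > threshold yyy, repeats aaa times" phrase back into fields. The traffic pattern, the rule that only packets above the threshold are aggregated, and the "last source wins" rule are assumptions made for the example; the destination 10.129.3.186:3000 and the two sources are taken from the examples below.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOG_INTERVAL = 30  # seconds between attack logs while the sensor stays matched (from the article)

# Constructed traffic: one entry per second, each a list of (source_ip, packets) in arrival order.
# Seconds 0-59: 10 pps from one host (hping3 --fast rate); seconds 60-74: a second host joins.
DST_IP, DST_PORT = "10.129.3.186", 3000
TRAFFIC: List[List[Tuple[str, int]]] = (
    [[("10.129.0.25", 10)] for _ in range(60)]
    + [[("10.129.0.25", 10), ("10.129.0.30", 10)] for _ in range(15)]
)


@dataclass
class DosLog:
    second: int        # seconds since the start of the capture at which the log fired
    current_pps: int   # xxx: packets received in the latest second
    threshold: int     # yyy: sensor threshold in packets per second
    repeats: int       # aaa: packets aggregated since the previous log
    srcip: str         # only the last seen source address survives aggregation
    dstip: str
    dstport: int

    def message(self) -> str:
        return f"{self.current_pps} > threshold {self.threshold}, repeats {self.repeats} times"


def simulate(traffic: List[List[Tuple[str, int]]], threshold: int,
             interval: int = LOG_INTERVAL) -> List[DosLog]:
    """Model of the sensor's log generation for per-second traffic samples."""
    logs: List[DosLog] = []
    started_at: Optional[int] = None   # first second in which the sensor matched
    pending = 0                        # packets aggregated since the previous log
    last_pps = 0
    last_src = ""
    last_t = 0
    for t, arrivals in enumerate(traffic):
        pps = sum(n for _, n in arrivals)
        if pps <= threshold:
            continue  # assumption: seconds at or below the threshold add nothing to the log
        if started_at is None:
            started_at = t
        last_pps, last_t = pps, t
        last_src = arrivals[-1][0]       # assumption: the most recently seen source is kept
        pending += pps - threshold       # assumption: packets above the threshold are aggregated
        if (t - started_at + 1) % interval == 0:
            logs.append(DosLog(t, pps, threshold, pending, last_src, DST_IP, DST_PORT))
            pending = 0
    if pending:
        # traffic stopped before the next 30-second mark: a final log covers the remainder
        logs.append(DosLog(last_t, last_pps, threshold, pending, last_src, DST_IP, DST_PORT))
    return logs


MSG_RE = re.compile(r"(?P<current>\d+) > threshold (?P<threshold>\d+), repeats (?P<repeats>\d+) times")


def parse_message(msg: str) -> Optional[Dict[str, int]]:
    """Extract xxx, yyy and aaa from a log message; None if the phrase is absent."""
    m = MSG_RE.search(msg)
    return {k: int(v) for k, v in m.groupdict().items()} if m else None


def total_aggregated(logs: List[DosLog]) -> int:
    """Sum of 'repeats' over all logs: the volume the sensor acted on, not a rate."""
    return sum(log.repeats for log in logs)


if __name__ == "__main__":
    for log in simulate(TRAFFIC, threshold=1):
        print(f"t={log.second:3d}s src={log.srcip} dst={log.dstip}:{log.dstport}  {log.message()}")
```

Reading the output this way makes the two distinct meanings explicit: xxx is an instantaneous rate for the last second only, while aaa is the volume accumulated over the whole 30-second window, so a flood that ramps up or down shows a xxx that may not match aaa / 30.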

The following examples were produced with this setup:
  • A UDP flood was generated against port 3000.
  • The UDP_flood sensor threshold was set to 1 PPS.

Example 1

The test was made with the following hping command:
hping3 --udp -p 3000 10.129.3.186 --fast -c 3000

[Screenshot FD37066-1: DoS log entries for example 1; image not included]

Example 2

The same test was run from two different source IPs: 10.129.0.25 and 10.129.0.30.

[Screenshot FD37066-2: DoS log entries for example 2; image not included]

Note that the log entry contains only the last seen source IP, destination IP and destination port; packets from other sources in the same window are counted in "repeats" but their addresses are not listed.
