A user noticed abnormal traffic before bringing a new system online. After capturing packets with Wireshark and opening the summary view, we see nearly 4000 packets per second with an average packet length of 991 bytes, as shown in the screenshot below:
In the Conversations view we can check the connection status. Among the IP conversations, the number of packets exchanged between the source host and three IP addresses, namely 113.105.171.88, 121.12.110.60 and 121.12.110.61, is far greater than with any other address, as shown below:
Looking at the TCP conversations, the interaction pattern is obvious: they send 1024-byte frames, as shown below:
Back in the packet list view:
Almost all of these are SYN packets, but a conventional SYN packet is only about 64 bytes and carries no application-layer data. Here each SYN carries 970 bytes of application-layer data, which is clearly abnormal.
Decoding one of these packets in detail, as shown below:
we find that the 970 bytes of application-layer data consist entirely of the character "0".
From this analysis we can conclude that the attacker is using the compromised machine to send SYN flood packets to fixed target hosts, each carrying 970 bytes of application data filled with "0". Besides the usual effect of a SYN flood on the server, this also consumes a large amount of bandwidth at the victim's Internet egress, producing a combined denial-of-service effect.
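The detection rule this analysis leads to is simple: a SYN (without ACK) that carries application-layer data is abnormal, and a large run of such packets from one host towards a small set of destinations is the signature of this hybrid flood. The following is an added example, not code from the original post: it builds a handful of constructed IPv4/TCP packets (RFC 5737 documentation addresses, no checksums), parses them with only the standard library, and flags SYNs with payload, recording per-destination counts and whether the payload is a single repeated byte. The 970-byte payload of ASCII "0" matches the page's description; with 20-byte IP and TCP headers plus a 14-byte Ethernet header it gives the 1024-byte frame seen in the TCP conversations view. The names, functions and sample addresses are all assumptions of this example. Note that TCP Fast Open (RFC 7413) legitimately allows a small amount of data in a SYN, so in production the rule should key on payload size and volume, not merely on presence.

```python
import struct
from collections import Counter

TCP_SYN = 0x02
TCP_PSH = 0x08
TCP_ACK = 0x10
IPPROTO_TCP = 6


def build_tcp_packet(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build a minimal IPv4 + TCP packet (constructed sample; checksums left at zero)."""
    ip_hdr_len = 20
    tcp_hdr_len = 20
    total_len = ip_hdr_len + tcp_hdr_len + len(payload)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # version=4, IHL=5, DSCP/ECN=0, total length, id=0, flags/frag=0, TTL=64, proto=TCP, checksum=0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0, src, dst)
    data_offset = (tcp_hdr_len // 4) << 12  # upper 4 bits of the 16-bit offset/flags field
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, data_offset | flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_tcp_packet(pkt):
    """Return (src, dst, flags, payload) for an IPv4/TCP packet, or None if it is not TCP."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4 or pkt[9] != IPPROTO_TCP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    data_offset = (tcp[12] >> 4) * 4
    flags = tcp[13]
    return src, dst, flags, tcp[data_offset:]


def is_syn_with_payload(pkt):
    """True for a pure SYN (no ACK) that carries application-layer data."""
    parsed = parse_tcp_packet(pkt)
    if parsed is None:
        return False
    _, _, flags, payload = parsed
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK) and len(payload) > 0


def summarize_suspicious(packets):
    """Count SYN+payload packets per destination; record the fill byte when the payload is uniform."""
    per_dst = Counter()
    fill_bytes = {}
    for pkt in packets:
        if not is_syn_with_payload(pkt):
            continue
        _, dst, _, payload = parse_tcp_packet(pkt)
        per_dst[dst] += 1
        if len(set(payload)) == 1:
            fill_bytes.setdefault(dst, set()).add(payload[0])
    return per_dst, fill_bytes


# Constructed sample traffic (hypothetical hosts), not a capture from the page.
COMPROMISED = "192.0.2.10"
TARGETS = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
FLOOD_PAYLOAD = b"0" * 970  # 970 bytes of "0", as reported in the analysis

SAMPLE_TRAFFIC = [
    build_tcp_packet(COMPROMISED, "203.0.113.5", 40001, 443, TCP_SYN),            # normal handshake start
    build_tcp_packet("203.0.113.5", COMPROMISED, 443, 40001, TCP_SYN | TCP_ACK),  # normal SYN-ACK
    build_tcp_packet(COMPROMISED, "203.0.113.5", 40001, 443, TCP_ACK | TCP_PSH,
                     b"GET / HTTP/1.1\r\n\r\n"),                                   # data after handshake
]
for i, target in enumerate(TARGETS):
    for sport in range(50000, 50000 + 2 + i):  # 2, 3 and 4 flood SYNs per target
        SAMPLE_TRAFFIC.append(build_tcp_packet(COMPROMISED, target, sport, 80, TCP_SYN, FLOOD_PAYLOAD))


if __name__ == "__main__":
    counts, fills = summarize_suspicious(SAMPLE_TRAFFIC)
    for dst, n in counts.most_common():
        fill = ", ".join(f"0x{b:02x}" for b in sorted(fills.get(dst, ())))
        print(f"{dst}: {n} SYN packets with payload (uniform fill byte: {fill or 'none'})")
```

Run over a real capture, the same parser can be fed the IP layer of each frame exported from Wireshark; the per-destination counter then reproduces the skew towards a few addresses that the Conversations view showed, and the uniform-fill check distinguishes this zero-stuffed flood from legitimate Fast Open data.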
We have encountered and handled many conventional DoS attacks before, but this clever and more efficient hybrid DoS method is rarely seen in practice. It is worth noting for future reference.