Ports only have meaning for TCP (protocol 6) and UDP (protocol 17). In those cases, "0" is an uncommon but possible value. With Netflow V5, the "port" fields are also used to show details for ICMP (protocol 1).
But in this attack, the protocol is random garbage -- 33, 116, 94, 212, 146, 101, 60, 123 (see http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml for the official list of protocol numbers). No firewall would ever pass such traffic. Based on the large packet size, the only purpose of this attack was to saturate the victim's Internet pipe(s).

-Craig

________________________________
From: [email protected] [[email protected]] on behalf of Drew Weaver [[email protected]]
Sent: Tuesday, July 12, 2011 7:27 AM
To: [email protected]
Subject: [Flow-tools] Quick question about output

The below output represents a DoS attack that occurred last night.

Start              End                Sif SrcIPaddress          SrcP DIf DstIPaddress        DstP P    Fl Pkts Octets
0711.20:02:26.187  0711.20:02:26.187  29  attacker.ip.add.ress  0    27  victim.ip.add.ress  0    33   0  1    1500
0711.20:02:26.223  0711.20:02:26.323  29  attacker.ip.add.ress  0    27  victim.ip.add.ress  0    116  0  2    3000
0711.20:02:26.247  0711.20:02:26.247  29  attacker.ip.add.ress  0    27  victim.ip.add.ress  0    94   0  1    1500
0711.20:02:26.247  0711.20:02:26.247  29  attacker.ip.add.ress  0    27  victim.ip.add.ress  0    212  0  1    1500
0711.20:02:26.255  0711.20:02:26.255  29  attacker.ip.add.ress  0    27  victim.ip.add.ress  0    146  0  1    1500
0711.20:02:26.271  0711.20:02:26.271  29  attacker.ip.add.ress  0    27  victim.ip.add.ress  0    101  0  1    1500
0711.20:02:26.275  0711.20:02:26.275  29  attacker.ip.add.ress  0    27  victim.ip.add.ress  0    60   0  1    1500
0711.20:02:26.335  0711.20:02:26.335  29  attacker.ip.add.ress  0    27  victim.ip.add.ress  0    123  0  1    1500

Is this a "netflow thing" to show the source port/dst port as 0 or did they actually attack port 0? (or are they fragments?)

thanks,
-Drew
_______________________________________________ Flow-tools mailing list [email protected] http://mailman.splintered.net/mailman/listinfo/flow-tools
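As an added example (not part of the thread or of flow-tools itself), the following Python check parses flow-print style records like the ones Drew posted, reports whether the SrcP/DstP fields mean anything for each record's protocol (TCP/UDP ports, ICMP type/code, or nothing at all), and flags flows whose protocol is neither TCP, UDP nor ICMP nor on a hypothetical per-site allowlist, then totals the flagged bytes per destination. The sample records, addresses and the allowlist are constructed for illustration.

```python
from collections import defaultdict

TCP, UDP, ICMP = 6, 17, 1  # only these give the SrcP/DstP fields meaning in v5
ALLOWED_OTHER = {47, 50}  # hypothetical site allowlist (GRE, ESP); tune per network
FIELDS = "start end sif srcaddr srcport dif dstaddr dstport proto flags pkts octets".split()

# Constructed flow-print output modelled on the thread; addresses are placeholders.
SAMPLE_FLOWS = """\
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
0711.20:02:26.187 0711.20:02:26.187 29 198.51.100.7 0 27 192.0.2.10 0 33 0 1 1500
0711.20:02:26.223 0711.20:02:26.323 29 198.51.100.7 0 27 192.0.2.10 0 116 0 2 3000
0711.20:02:26.247 0711.20:02:26.247 29 198.51.100.7 0 27 192.0.2.10 0 212 0 1 1500
0711.20:02:26.300 0711.20:02:26.300 29 198.51.100.9 443 27 192.0.2.10 51000 6 27 5 1800
0711.20:02:26.310 0711.20:02:26.310 29 198.51.100.9 0 27 192.0.2.10 2048 1 0 1 84
"""

def parse_flow_print(text):
    """Parse flow-print style text (header plus records) into dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or not parts[2].isdigit():
            continue  # header or blank line
        rec = dict(zip(FIELDS, parts))
        for key in ("sif", "srcport", "dif", "dstport", "proto", "flags", "pkts", "octets"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def describe_ports(rec):
    """Ports exist only for TCP/UDP; for ICMP, v5 packs type/code into DstP."""
    if rec["proto"] in (TCP, UDP):
        return f"{rec['srcport']}->{rec['dstport']}"
    if rec["proto"] == ICMP:
        return f"icmp type={rec['dstport'] >> 8} code={rec['dstport'] & 0xFF}"
    return "n/a (protocol has no port field)"

def suspicious_flows(records, allowed_other=ALLOWED_OTHER):
    """Flows whose protocol is neither TCP/UDP/ICMP nor explicitly allowed."""
    return [r for r in records
            if r["proto"] not in (TCP, UDP, ICMP) and r["proto"] not in allowed_other]

def summarize_by_victim(flows):
    """Per destination: total packets, total bytes and the set of protocols seen."""
    out = defaultdict(lambda: {"pkts": 0, "octets": 0, "protos": set()})
    for r in flows:
        v = out[r["dstaddr"]]
        v["pkts"] += r["pkts"]; v["octets"] += r["octets"]; v["protos"].add(r["proto"])
    return dict(out)
```

Run against a real flow-print export, the per-victim octet total is the number to compare against the victim's link capacity, which is the "saturate the pipe" signal Craig describes.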
