Detecting SYN Flood Attacks with Colasoft Capsa
A denial-of-service (DoS) attack is a malicious attempt to make a machine or network resource unavailable to its users, usually by temporarily or indefinitely disrupting the services of a host connected to the Internet (US-CERT 2013).
Today, DoS attacks are a common form of cyber-attack. According to statistics, a DoS attack is launched somewhere on the Internet every three seconds. The low cost of launching a DoS attack is one of the major reasons they are so frequent.
Some of the most commonly used DoS attack types include Ping of Death, Teardrop, WinNuke, UDP flood, TCP SYN flood, IP spoofing, Land attack, Smurf, and ICMP flood.
In this article, we will show you how to detect SYN flood attacks using a network analyzer named Colasoft Capsa.
In order to analyze DoS attacks (and other attacks), I suggest you follow the three steps below:
Observation - Most hosts under DoS attack show high CPU and memory usage, or their network bandwidth is consumed by garbage traffic.
Analysis - We can analyze and locate the attack by decoding the raw packets. This gives us the protocols and behaviors of the packets. Comparing this information with known attack signatures lets us identify the actual attack type.
Locate issues - With the TCP/UDP conversation and chart functions, we can locate DoS attacks more accurately and quickly.
Now I will walk through an example showing the detailed steps, using the visual capabilities of Capsa.
The Dashboard view dynamically displays statistics in various charts. In the Dashboard view, the first graph clearly shows that our network is carrying anomalous traffic, because network utilization has almost reached 100%. Next, go to the Summary view to check the summary statistics.
Figure 1. Statistical charts
The Summary view displays summary statistics for the current capture. From these statistics, we can see that there are too many small packets on the network. In addition, the counts of TCP conversations and of TCP SYN packets sent are abnormal.
Figure 2. Summary data statistics
Then go to the TCP Conversation view to check for abnormal TCP conversations. In this view, we can see that the IP address “184.108.40.206” received a lot of packets from random Internet IP addresses. All of these random Internet IP addresses sent the same 64-byte packet to port 80 on the host “220.127.116.11”.
Figure 3. TCP conversations
In addition, the Matrix view shows that almost 10,000 hosts have conversations with the host “18.104.22.168”.
Figure 4. Matrix graph
Last, by decoding the TCP packets, we can see the Time Sequence diagram of the TCP conversations. The host “22.214.171.124” received repeated SYN packets from different Internet IP addresses, but the TCP three-way handshake was never completed normally in any of these conversations.
Figure 5. Time Sequence diagram
Combining the above information, we can identify that a SYN flood attack is taking place on our network, and that the IP address of the targeted server is “126.96.36.199”. The attack caused the abnormal traffic and consumed our network resources.
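The signature walked through above (one server, thousands of distinct sources, SYNs that never complete the three-way handshake) can also be checked programmatically over a packet list. The following is an added example, not Colasoft's or Capsa's own code: it tracks each client/server handshake state and flags servers whose completion ratio collapses. The packet list, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample packets (src_ip, dst_ip, tcp_flags); addresses are made up
# for this example. Flags use tcpdump notation: "S" SYN, "S." SYN/ACK, "." ACK.
SAMPLE_PACKETS = [
    # One legitimate client completing the three-way handshake with the server.
    ("10.0.0.5", "192.0.2.10", "S"),
    ("192.0.2.10", "10.0.0.5", "S."),
    ("10.0.0.5", "192.0.2.10", "."),
] + [
    # 200 distinct sources each send one SYN; the server answers but no ACK ever comes.
    pkt
    for i in range(1, 201)
    for pkt in ((f"203.0.113.{i}", "192.0.2.10", "S"),
                ("192.0.2.10", f"203.0.113.{i}", "S."))
]

SYN_THRESHOLD = 100    # SYNs a server must receive before we judge it at all
MIN_SOURCES = 50       # distinct clients needed to call the pattern distributed
MAX_COMPLETION = 0.10  # completed handshakes / SYNs; healthy traffic is near 1.0

def summarize_handshakes(packets):
    """Per server: SYNs received, distinct clients, handshakes fully completed."""
    state = {}  # (client, server) -> "syn" | "synack" | "done"
    stats = defaultdict(lambda: {"syns": 0, "sources": set(), "completed": 0})
    for src, dst, flags in packets:
        if flags == "S":
            state[(src, dst)] = "syn"
            stats[dst]["syns"] += 1
            stats[dst]["sources"].add(src)
        elif flags == "S." and state.get((dst, src)) == "syn":
            state[(dst, src)] = "synack"
        elif flags == "." and state.get((src, dst)) == "synack":
            state[(src, dst)] = "done"
            stats[dst]["completed"] += 1
    return stats

def detect_syn_flood(packets):
    """Return {server: completion_ratio} for servers matching the SYN flood signature."""
    suspects = {}
    for server, s in summarize_handshakes(packets).items():
        if s["syns"] < SYN_THRESHOLD or len(s["sources"]) < MIN_SOURCES:
            continue
        ratio = s["completed"] / s["syns"]
        if ratio <= MAX_COMPLETION:
            suspects[server] = ratio
    return suspects

for server, ratio in detect_syn_flood(SAMPLE_PACKETS).items():
    print(f"possible SYN flood against {server}: {ratio:.1%} of handshakes completed")
```

Feeding a real capture means reading the flags out of each TCP header; the thresholds should be tuned to the normal handshake completion rate of the server being watched.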
Author Profile - Jack Wei is a technical engineer at Colasoft. Jack has more than three years' working experience in IT and has concentrated on network administration, network security analysis based on packet-sniffing software, and network troubleshooting. He loves to study new computer technologies and enjoys different challenges.
Colasoft Technical Engineer - firstname.lastname@example.org
Visit us for more information at www.colasoft.com