How do you identify whether broadcast traffic is normal or is considered an attack, such as a DoS attack? Is there some information in the plot or the source that allows me to differentiate between an attack and a normal flow?
- Not sure what you mean by broadcast traffic. If you are considering traffic on the network's last IP address/broadcast IP, then it will be only local to the network; it will never pass the gateway, so it cannot cause DoS on a remote host. – Majoris Jun 20 '12 at 03:35
- Broadcast is also one of the possible ways of disseminating information of any kind in computer networks. With broadcast, information is broadcast on a node and reaches all the nodes of the network. In a local area network, for example, you can send a message to all members of the same network using a special MAC, which is Ethernet FF.FF.FF.FF.FF.FF – fran.sand66 Jun 20 '12 at 04:06
- Sending broadcast packets on the broadcast address is only significant to the local network. It will not pass the default gateway, and cannot cause DoS over WAN links and the Internet. The local DoS concept is almost nonexistent. To cause a DoS attack on a remote host on the Internet via WAN links, it has to be a unicast packet. – Majoris Jun 20 '12 at 04:21
- Actually, pre-RFC 2644 routers would forward directed broadcast packets, allowing the delightfully named "Smurf" family of DoS attacks, where you insert a broadcast ping request with the reply address forged to match the target server. – Graham Hill Jun 20 '12 at 16:35
- If by "broadcast attack" you mean some shmuck in a conference room who absent-mindedly loops your Ethernet network (and you're not running spanning-tree) and causes a broadcast storm... no, it'll be hard to differentiate, but there will be a *lot* of it. – mpontillo Jun 20 '12 at 22:02
1 Answer
You'll want to capture the packets with a sniffer, such as Wireshark, and look at the payload and source addresses, and see if it is expected traffic.
Graham Hill
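The review the answer describes (look at the source addresses and payload of captured broadcast frames and decide whether they are expected), as an added example that is not part of the original post. It goes slightly beyond the answer by also applying a per-source rate limit and the broadcast ping check from the comments; the baseline set, the threshold, the helper names and the sample frames are all assumptions constructed for illustration.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
EXPECTED = {0x0806, 0x0800}  # assumed baseline: ARP and IPv4 (e.g. DHCP) broadcasts
MAX_PER_SOURCE = 5           # assumed frames per capture window; tune to your network

def review_broadcasts(frames):
    """Map source MAC -> sorted reasons its broadcast frames deviate from baseline."""
    counts, findings = Counter(), {}
    for frame in frames:
        if len(frame) < 14 or frame[:6] != BROADCAST:
            continue  # truncated frame, or not an Ethernet broadcast
        src = frame[6:12].hex(":")
        (ethertype,) = struct.unpack("!H", frame[12:14])
        counts[src] += 1
        reasons = findings.setdefault(src, set())
        if ethertype not in EXPECTED:
            reasons.add(f"unexpected EtherType 0x{ethertype:04x}")
        elif ethertype == 0x0800 and len(frame) >= 34:
            icmp = 14 + (frame[14] & 0x0F) * 4   # skip the IPv4 header (IHL words)
            # IPv4 protocol 1 = ICMP, ICMP type 8 = echo request
            if frame[23] == 1 and len(frame) > icmp and frame[icmp] == 8:
                reasons.add("ICMP echo request sent to broadcast")
    for src, n in counts.items():
        if n > MAX_PER_SOURCE:
            findings[src].add(f"{n} broadcast frames in window (limit {MAX_PER_SOURCE})")
    return {src: sorted(r) for src, r in findings.items() if r}

def eth(src, ethertype, payload, dst=BROADCAST):
    """Build a constructed Ethernet frame for the sample capture."""
    return dst + bytes.fromhex(src.replace(":", "")) + struct.pack("!H", ethertype) + payload

def ipv4(proto, body):
    """Constructed 20-byte IPv4 header (checksum left at zero) followed by body."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([192, 0, 2, 255])) + body

# Constructed sample capture, not real traffic
SAMPLE = (
    [eth("02:00:00:00:00:01", 0x0806, bytes(28))] * 2                      # normal ARP
    + [eth("02:00:00:00:00:02", 0x0800, ipv4(1, b"\x08\x00" + bytes(6)))]  # ICMP echo
    + [eth("02:00:00:00:00:03", 0x0806, bytes(28))] * 8                    # ARP burst
    + [eth("02:00:00:00:00:04", 0x88B5, bytes(10))]                        # odd EtherType
    + [eth("02:00:00:00:00:05", 0x0800, ipv4(17, bytes(8)), b"\x02" * 6)]  # unicast dst
)

if __name__ == "__main__":
    print(review_broadcasts(SAMPLE))
```

Sources whose broadcasts match the baseline and stay under the limit are omitted from the result, so what remains is the short list worth opening in the sniffer.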