-1

I am looking for some examples of log files for DoS or DDoS attacks that show a SYN Flood or an HTTP/Layer 7 Flood. I have had a Google, but can't seem to find anything.

Would the incoming packet sizes differ between a SYN Flood and a Layer 7 Flood?

Would all rejected packets have the same source port despite having different source addresses (IPs)?

Rayray

2 Answers

1

I can almost safely say that I don't think the traffic will look any different from normal traffic. There will be a higher volume of traffic but in terms of what it would actually look like, it's going to look the same.

Obviously, if it's a DDoS the traffic will be coming from different source IP addresses, meaning it will be quite hard to distinguish between real requests and false ones, especially if you have A LOT of REAL traffic passing through the firewall. The other issue you will face is the fact that in a SYN flood you purposely keep the connection open...

I suggest you read this - https://www.incapsula.com/ddos/attack-glossary/syn-flood.html

It shows a few methods of stopping such attacks, but at the end of the day the traffic will look the same. I guess if you see sessions that have been open for an unusually long amount of time that would be an indication, but again, if it's a busy firewall then you should expect such connections, and they may actually be legitimate.

0

This issue can be solved easily with the use of Wireshark.

Wireshark will give you an idea of all the incoming and outgoing connections. You also get to observe the TCP/IP SYN and ACK flags. The process of creating the encrypted channel for HTTPS, and for other protocols, can be observed here as well.

When you start receiving SYN flags from random IP addresses, and do not receive the ACK flags (from the sources which raised the SYN flags), you know that you have a DoS/DDoS attack in progress. Usually system/network administrators use Wireshark at the firewall to observe this.

Vikas
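As an added example, not part of either answer above: a Python script that applies the check Vikas describes (client SYNs that are never followed by the client's ACK) to tcpdump-style capture lines, and contrasts it with the completed-handshake HTTP flood the question asks about. It also speaks to the first answer's point that a spoofed SYN flood is hard to pin on any single source: each spoofed address sends one SYN, so the half-open ratio is computed per target service rather than per source. The line format is a simplified version of tcpdump's default output, and the addresses, ports, thresholds and traffic are all constructed for this example.

```python
"""Classify SYN-flood and HTTP-flood behaviour from tcpdump-style lines.

Constructed example. Per target service it counts client SYNs that never
received the client's handshake-completing ACK (half-open connections);
per source it counts payload-carrying segments on completed connections
and the average segment length (a bare SYN carries no payload).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Simplified tcpdump-like line (the real tool also prints seq/ack/win fields):
#   12:00:00.000 IP 192.0.2.10.51000 > 198.51.100.10.80: Flags [S], length 0
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\], "
    r"length (?P<length>\d+)$"
)


@dataclass
class Stats:
    syns: int = 0              # bare client SYNs (connection attempts)
    completed: int = 0         # attempts where the client's ACK of SYN-ACK arrived
    payload_segments: int = 0  # client segments carrying application data
    segments: int = 0          # all client->server segments counted
    total_bytes: int = 0       # sum of payload lengths of those segments

    @property
    def half_open(self) -> int:
        return self.syns - self.completed

    @property
    def avg_len(self) -> float:
        return self.total_bytes / self.segments if self.segments else 0.0


def analyze(lines):
    """Return (per_source, per_service) Stats for client->server traffic."""
    flows = {}                        # (src, sport, dst, dport) -> handshake state
    per_source = defaultdict(Stats)   # keyed by client IP
    per_service = defaultdict(Stats)  # keyed by "dst:dport"
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP segment in the expected format
        src, sport, dst, dport = m["src"], m["sport"], m["dst"], m["dport"]
        flags, length = m["flags"], int(m["length"])
        key = (src, sport, dst, dport)
        service = f"{dst}:{dport}"
        if "S" in flags and "." not in flags:       # bare SYN: a new client attempt
            flows[key] = "syn_sent"
            per_source[src].syns += 1
            per_service[service].syns += 1
        elif "S" in flags:                          # SYN-ACK: server side, not counted
            continue
        elif "." in flags and flows.get(key) == "syn_sent":
            flows[key] = "established"              # client's ACK completes the handshake
            per_source[src].completed += 1
            per_service[service].completed += 1
        if key in flows:                            # only client->server segments
            for s in (per_source[src], per_service[service]):
                s.segments += 1
                s.total_bytes += length
                if length > 0:
                    s.payload_segments += 1
    return per_source, per_service


def classify(per_source, per_service, min_syns=10, half_open_ratio=0.8, min_requests=10):
    """Flag services under a SYN flood and sources behaving like an HTTP flood."""
    findings = {}
    for service, s in per_service.items():
        # Spoofed SYNs look like one attempt per source; aggregate per service.
        if s.syns >= min_syns and s.half_open / s.syns >= half_open_ratio:
            findings[service] = "syn_flood_suspect"
    for ip, s in per_source.items():
        # A Layer 7 flood must complete the handshake to deliver requests.
        if s.completed and s.payload_segments >= min_requests:
            findings[ip] = "http_flood_suspect"
    return findings


# Constructed capture: one normal client, one HTTP-flood client, 20 spoofed SYNs.
SAMPLE = """\
12:00:00.000 IP 192.0.2.10.51000 > 198.51.100.10.80: Flags [S], length 0
12:00:00.001 IP 198.51.100.10.80 > 192.0.2.10.51000: Flags [S.], length 0
12:00:00.002 IP 192.0.2.10.51000 > 198.51.100.10.80: Flags [.], length 0
12:00:00.003 IP 192.0.2.10.51000 > 198.51.100.10.80: Flags [P.], length 120
12:00:00.100 IP 192.0.2.77.40000 > 198.51.100.10.80: Flags [S], length 0
12:00:00.101 IP 198.51.100.10.80 > 192.0.2.77.40000: Flags [S.], length 0
12:00:00.102 IP 192.0.2.77.40000 > 198.51.100.10.80: Flags [.], length 0
""" + "".join(
    f"12:00:00.{110 + i:03d} IP 192.0.2.77.40000 > 198.51.100.10.80: Flags [P.], length 240\n"
    for i in range(12)
) + "".join(
    f"12:00:01.{i:03d} IP 203.0.113.{i + 1}.{40000 + i} > 198.51.100.10.80: Flags [S], length 0\n"
    for i in range(20)
)

if __name__ == "__main__":
    src_stats, svc_stats = analyze(SAMPLE.splitlines())
    for name, s in list(svc_stats.items()) + list(src_stats.items()):
        print(f"{name:22} syns={s.syns:3} half_open={s.half_open:3} "
              f"payload_segs={s.payload_segments:3} avg_len={s.avg_len:6.1f}")
    print(classify(src_stats, svc_stats))
```

Running it flags `198.51.100.10:80` as a SYN-flood target (20 of 22 attempts half-open) and `192.0.2.77` as an HTTP-flood source (12 request segments on one completed connection), while the normal client and each individual spoofed address stay unflagged. The constructed SYN-flood segments all have length 0 and the flood requests have length 240, which is the size difference the question asks about; whether any of this is visible in a real firewall log depends on whether that log records half-open connections and payload sizes at all, so on a busy firewall the per-service ratio, not the per-source counts, is the number worth trending.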