NetFlow Logic Documentation
Appendix 1 - Basic DDoS Attack Types
Attack Types and Indicators
Attack Type                                                      Textual identifier
---------------------------------------------------------------  ------------------
Abnormal ICMP traffic                                            1-ICMP
Abnormal TCP traffic                                             1-TCP
Abnormal UDP traffic                                             1-UDP
Abnormal new IP addresses arrival rate                           2
Abnormal network traffic entropy value                           3
SYN flood                                                        4-SYN
SYN-ACK flood                                                    4-SYN-ACK
ACK flood                                                        4-ACK
PSH-ACK flood                                                    4-PSH-ACK
FIN/RST flood                                                    4-FIN/RST
TCP-based application level protocol (e.g. HTTP) flood           7-TCP-<protocol>
UDP-based application level protocol (e.g. DNS) flood            7-UDP-<protocol>
"Tsunami" SYN flood                                              7-TSU-<protocol>
"Low and Slow" attack                                            9-LS
TCP SYN flood from a relatively small attacking population       1-TCP:4-SYN
TCP SYN-ACK flood from a relatively small attacking population   1-TCP:4-SYN-ACK
TCP FIN/RST flood from a relatively small attacking population   1-TCP:4-FIN/RST
TCP SYN flood from a large attacking population                  1-TCP:4-SYN:2
TCP SYN-ACK flood from a large attacking population              1-TCP:4-SYN-ACK:2
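The identifiers in the table are what downstream consumers (a Splunk search, a syslog parser, an Elasticsearch ingest pipeline) receive in the DDoS Detector alerts, so a consumer needs to turn them into structured fields and split compound ones into the indicators that fired. The Python below is an added example written for this appendix; it is not NetFlow Logic's code. Two things are assumed from the compound rows of the table rather than stated by the page: that a compound identifier such as 1-TCP:4-SYN:2 is a colon-joined list of single indicators, and that the leading number of each indicator selects its family (1 abnormal per-protocol traffic, 2 new-IP arrival rate, 3 traffic entropy, 4 TCP-flag flood, 7 application-level flood, 9 low and slow), with indicator 2 inside a compound being what the table calls a "large attacking population". The `Indicator` class and the function names are the example's own.

```python
"""Parse DDoS Detector attack-type identifiers such as "1-TCP:4-SYN:2".

Added example for this appendix, not NetFlow Logic's code. Assumed from the
table (not stated by the page): a compound identifier is a colon-joined list
of the single indicators that fired, and the leading number of an indicator
is its family (1 abnormal per-protocol traffic, 2 new-IP arrival rate,
3 traffic entropy, 4 TCP-flag flood, 7 application-level flood, 9 low and
slow). Indicator 2 inside a compound marks a "large attacking population".
"""
from dataclasses import dataclass
from typing import List, Optional

TRANSPORTS = ("ICMP", "TCP", "UDP")
FLAG_FLOODS = ("SYN", "SYN-ACK", "ACK", "PSH-ACK", "FIN/RST")


@dataclass(frozen=True)
class Indicator:
    family: int
    transport: Optional[str] = None  # ICMP/TCP/UDP (families 1, 7) or TSU for "Tsunami"
    detail: Optional[str] = None     # TCP flag pattern (4), application protocol (7), LS (9)


def parse_indicator(token: str) -> Indicator:
    """Parse one indicator, e.g. "4-SYN-ACK" or "7-UDP-DNS"; spaces around dashes are tolerated."""
    token = "-".join(part.strip() for part in token.split("-"))
    head, _, rest = token.partition("-")
    if not head.isdigit():
        raise ValueError(f"indicator {token!r} does not start with a family number")
    family = int(head)
    if family in (2, 3):
        if rest:
            raise ValueError(f"family {family} takes no qualifier: {token!r}")
        return Indicator(family)
    if family == 1 and rest in TRANSPORTS:
        return Indicator(1, transport=rest)
    if family == 4 and rest in FLAG_FLOODS:
        return Indicator(4, detail=rest)
    if family == 7:
        # "7-TCP-HTTP", "7-UDP-DNS", "7-TSU-HTTP": transport first, then the application protocol.
        transport, _, proto = rest.partition("-")
        if transport in ("TCP", "UDP", "TSU") and proto:
            return Indicator(7, transport=transport, detail=proto)
    if family == 9 and rest == "LS":
        return Indicator(9, detail="LS")
    raise ValueError(f"unrecognised attack-type indicator {token!r}")


def is_valid_indicator(token: str) -> bool:
    """True if the token is one of the indicator forms in the table."""
    try:
        parse_indicator(token)
        return True
    except ValueError:
        return False


def parse_attack_type(identifier: str) -> List[Indicator]:
    """Split a compound identifier on ':' and parse every component."""
    return [parse_indicator(t) for t in identifier.split(":")]


def _describe_one(ind: Indicator) -> str:
    if ind.family == 1:
        return f"Abnormal {ind.transport} traffic"
    if ind.family == 2:
        return "Abnormal new IP addresses arrival rate"
    if ind.family == 3:
        return "Abnormal network traffic entropy value"
    if ind.family == 4:
        return f"{ind.detail} flood"
    if ind.family == 7:
        if ind.transport == "TSU":
            return f'"Tsunami" SYN flood ({ind.detail})'
        return f"{ind.transport}-based application level protocol ({ind.detail}) flood"
    return '"Low and Slow" attack'


def describe(identifier: str) -> str:
    """Return the table's wording for an identifier, compound ones included."""
    inds = parse_attack_type(identifier)
    by_family = {i.family: i for i in inds}
    if len(inds) == 1:
        return _describe_one(inds[0])
    # Compound forms listed in the table: 1-TCP together with a 4-<flag> flood,
    # optionally joined by indicator 2 (many new source IPs = large attacking population).
    if set(by_family) in ({1, 4}, {1, 2, 4}) and by_family[1].transport == "TCP":
        population = "large" if 2 in by_family else "relatively small"
        return f"TCP {by_family[4].detail} flood from a {population} attacking population"
    # Any other combination: report every indicator that fired.
    return " + ".join(_describe_one(i) for i in inds)


if __name__ == "__main__":
    # Constructed sample identifiers, in the forms the table lists.
    for ident in ("4-SYN", "7-UDP-DNS", "9-LS", "1-TCP:4-SYN-ACK:2"):
        print(f"{ident:20} -> {describe(ident)}")
```

In a SIEM the `family`, `transport` and `detail` fields are what you would key alert routing on: family 2 or 3 in a compound tells you the source population is wide (botnet-scale), while a bare family 4 or 7 from few sources is the case where per-source rate limiting or blocking at the edge is still practical.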