Problem class catalogue

Advanced Security Analytics Module

 

The table below lists some of the important abbreviations with their fully expanded word/phrase used in this document

 

 

Abbreviation | Description
IP | Internet Protocol Address
Src | Source
Dst | Destination
P2P | Peer to Peer
ToS | Type of Service
DoS | Denial of Service
TCP: U-A-P-R-S-F | TCP: Urg – Ack – Psh – Rst – Syn – Fin

The table below lists the set of classes used for classifying problems with a brief description

 

 

Class Name | Description
Bad Src – Dst | Either the Src IP or the Dst IP of the flow is suspicious
Suspect Flows | Some attribute(s) other than Src IP and Dst IP of the flow is suspicious
DoS | Denial of Service Attack
Scans and Probes | Flows are sent to a specific host using multiple ports or to multiple hosts on single port.

 

 

The table below lists different threshold definitions.

 

Aggregation Limit Settings

Lower Limit | Minimum number of flows required for performing heuristic analysis and verifying the presence of derived problems like Port Scan, Host Scan, Inflood, etc.
Upper Limit | Maximum number of flows accrued in a single event under default configuration. It is also the threshold used for base problems like TCP Syn Violations, TCP Fin Violations, etc.

 

Source Pattern Settings

 

Minimum Horizontal Span | Minimum number of distinct source hosts - Host Scan (Reverse)
Minimum Vertical Span | Minimum number of distinct source ports - Port Scan (Reverse)
Minimum Diagonal Span | Minimum number of distinct source end points under the constraint: (source hosts = source ports = source end points) - Diagonal Scan (Reverse)
Minimum Aspect Ratio | 1. Minimum source hosts per source ports - Host Scan (Reverse) 2. Minimum source ports per source hosts - Port Scan (Reverse)
Minimum Occupancy | Minimum spread of source end points in an Event - Host Scan (Reverse), Port Scan (Reverse), Grid Scan (Reverse). Occupancy = Source End Points / (Source Hosts * Source Ports)
Minimum Flux Rate | Minimum hits per source end points - Outflood
Minimum Divergence | Minimum destination hosts per source hosts - Outflood

 

Destination Pattern Settings

 

Minimum Horizontal Span | Minimum number of distinct destination hosts - Host Scan
Minimum Vertical Span | Minimum number of distinct destination ports - Port Scan
Minimum Diagonal Span | Minimum number of distinct destination end points under the constraint: (destination hosts = destination ports = destination end points) - Diagonal Scan
Minimum Aspect Ratio | 1. Minimum source hosts per destination ports - Host Scan 2. Minimum source ports per destination hosts - Port Scan
Minimum Occupancy | Minimum spread of destination end points in an Event - Host Scan, Port Scan, Grid Scan. Occupancy = Destination End Points / (Destination Hosts * Destination Ports)
Minimum Flux Rate | Minimum hits per destination end points - Inflood
Minimum Convergence | Minimum destination hosts per destination hosts - Inflood

 

 

The table below lists the anomalies detected by advanced security analytics module

 

Anomaly | Description
Attack | Flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
Inflood | Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.
Outflood | 1. Flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.
Port Scan | 1. Flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end. 2. Flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
Host Scan | 1. Flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. Flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
Diagonal Scan | Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints).
Grid Scan | Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end.
Port Scan (Reverse) | 1. Flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end. 2. Flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
Host Scan (Reverse) | 1. Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. Flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
Diagonal Scan (Reverse) | Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints).
Grid Scan (Reverse) | Flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end.
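The destination-end scan definitions above, worked through as an added example (not the product's own code). The threshold values, function names and sample flows are constructed; "exceeding" is treated as meeting or passing the minimum, and Aspect Ratio is assumed to mean destination ports per destination host for Port Scan and destination hosts per destination port for Host Scan, mirroring the Source Pattern Settings.

```python
from dataclasses import dataclass
from typing import Iterable, NamedTuple, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Thresholds:
    # Constructed values for illustration; the page names the settings only.
    lower_limit: int = 10
    min_horizontal_span: int = 10
    min_vertical_span: int = 10
    min_diagonal_span: int = 10
    min_aspect_ratio: float = 5.0
    min_occupancy: float = 0.5


class Pattern(NamedTuple):
    hosts: int
    ports: int
    end_points: int
    occupancy: float


def destination_pattern(flows: Iterable[Flow]) -> Pattern:
    """Distinct destination hosts, ports and end points of one event."""
    end_points = {(dst_ip, dst_port) for _, _, dst_ip, dst_port in flows}
    hosts = len({ip for ip, _ in end_points})
    ports = len({port for _, port in end_points})
    # Occupancy = Destination End Points / (Destination Hosts * Destination Ports)
    occupancy = len(end_points) / (hosts * ports) if end_points else 0.0
    return Pattern(hosts, ports, len(end_points), occupancy)


def classify_destination_end(flows: Iterable[Flow],
                             t: Thresholds = Thresholds()) -> Optional[str]:
    """Return the scan anomaly an event matches at the destination end."""
    flows = list(flows)
    if not flows or len(flows) < t.lower_limit:
        return None  # too few flows for heuristic analysis
    p = destination_pattern(flows)
    tall = p.ports >= t.min_vertical_span    # many distinct ports
    wide = p.hosts >= t.min_horizontal_span  # many distinct hosts
    dense = p.occupancy >= t.min_occupancy   # host x port grid is well filled
    if p.hosts == 1 and tall:
        return "Port Scan"       # variant 1: single destination host
    if p.ports == 1 and wide:
        return "Host Scan"       # variant 1: single destination port
    if p.hosts == p.ports == p.end_points and p.end_points >= t.min_diagonal_span:
        return "Diagonal Scan"   # hosts = ports = endpoints
    if tall and dense and p.ports / p.hosts >= t.min_aspect_ratio:
        return "Port Scan"       # variant 2: fewer hosts, many ports
    if wide and dense and p.hosts / p.ports >= t.min_aspect_ratio:
        return "Host Scan"       # variant 2: many hosts, fewer ports
    if (tall or wide) and dense:
        return "Grid Scan"
    return None


def sample_events() -> dict:
    """Constructed events using documentation address ranges."""
    src = ("192.0.2.10", 40000)
    host = lambda i: f"203.0.113.{i}"
    diagonal = [(*src, host(i), 1000 + i) for i in range(12)]
    return {
        "port_scan": [(*src, "198.51.100.7", p) for p in range(1, 41)],
        "port_scan_few_hosts": [(*src, host(h), p)
                                for h in range(2) for p in range(1, 21)],
        "host_scan": [(*src, host(i), 445) for i in range(30)],
        "diagonal": diagonal,
        "grid": [(*src, host(h), 8000 + p)
                 for h in range(12) for p in range(12)],
        # Diagonal plus one stray end point: wide and tall, but occupancy 13/144.
        "sparse": diagonal + [(*src, host(0), 1001)],
    }


if __name__ == "__main__":
    for name, event in sample_events().items():
        print(name, destination_pattern(event), classify_destination_end(event))
```

The "sparse" event shows why Minimum Occupancy matters: it spans enough hosts and ports to look like a grid, but only 13 of the 144 possible end points are touched, so it is not reported as a Grid Scan.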

 

 

The table below lists the set of problems detected, their classification followed by a brief description

 

Problem Name | Description | Class
Excess Broadcast Flows | Broadcast traffic exceeds threshold for any given Src IP | Bad Src-Dst
Excess Multicast Flows | Multicast traffic exceeds threshold for any given Src IP | Bad Src-Dst
Excess Networkcast Flows | Network IP destined traffic exceeds threshold for any given Src IP | Bad Src-Dst
Invalid Src-Dst Flows | Invalid Src or Dst IP regardless of the enterprise perimeter, for example, Loopback IPs or IANA Local IPs in either Src or Dst IP | Bad Src-Dst
Invalid ToS Flows | Flows with invalid ToS values | Bad Src-Dst
Land Attack Flows | Flows with the same Src IP & Dst IP. Causes the target machine to reply to itself continuously | Bad Src-Dst
Malformed IP Packets | Flows with BytePerPacket less than or equal to the minimum 20 octets (bytes) | Bad Src-Dst
Non Unicast Source Flows | Src IP is either Multicast or Broadcast or Network IP, i.e., not Unicast | Bad Src-Dst
 
TCP Syn Violations TCP Flows with TCP Flags value equal to 2/Syn touching or exceeding the Upper Limit, where none of the following derived problems is satisfied Suspect Flows

TCP Syn Attack

TCP Syn Flows from multiple source hosts to fewer destination hosts exceeding Minimum Flux Rate and Minimum Convergence at the destination end.

DoS / Flash Crowd
TCP Syn Inflood TCP Syn Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. DoS / Flash Crowd
TCP Syn Outflood

1. TCP Syn Flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. TCP Syn Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
TCP Syn Port Scan

1. TCP Syn Flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. TCP Syn Flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
TCP Syn Host Scan

1. TCP Syn Flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. TCP Syn Flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
TCP Syn Diagonal Scan TCP Syn Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
TCP Syn Grid Scan TCP Syn Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end. Scans / Probes
TCP Syn Port Scan(Reverse)

1. TCP Syn Flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. TCP Syn Flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
TCP Syn Host Scan(Reverse)

1. TCP Syn Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. TCP Syn Flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes

TCP Syn Diagonal Scan(Reverse)

TCP Syn Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints).

Scans / Probes

TCP Syn Grid Scan(Reverse)

TCP Syn Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end.

Scans / Probes

     
Excess Short TCP Syn_Ack Packets TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value equal to 18/SA touching or exceeding the Upper Limit, where none of the following derived problems is satisfied Suspect Flows
Short TCP Syn_Ack Inflood

1. Short TCP Syn_Ack Flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

 

2. Short TCP Syn_Ack Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
Short TCP Syn_Ack Outflood

1. Short TCP Syn_Ack Flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. Short TCP Syn_Ack Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
Short TCP Syn_Ack Port Scan 1. Short TCP Syn_Ack Flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. Short TCP Syn_Ack Flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
Scans / Probes
Short TCP Syn_Ack Host Scan 1. Short TCP Syn_Ack Flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. Short TCP Syn_Ack Flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes

Short TCP Syn_Ack Diagonal Scan Short TCP Syn_Ack Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
Short TCP Syn_Ack Grid Scan Short TCP Syn_Ack Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end. Scans / Probes
Short TCP Syn_Ack Port Scan(Reverse)

1. Short TCP Syn_Ack Flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. Short TCP Syn_Ack Flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Syn_Ack Host Scan(Reverse)

1. Short TCP Syn_Ack Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. Short TCP Syn_Ack Flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes

Short TCP Syn_Ack Diagonal Scan(Reverse) Short TCP Syn_Ack Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
Short TCP Syn_Ack Grid Scan(Reverse) Short TCP Syn_Ack Flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
Excess Empty TCP Packets TCP Flows without any payload, i.e., BytePerPacket exactly 40 octets (bytes), with TCP Flags value IN (25–27, 29–31) touching or exceeding the Upper Limit, where none of the following derived problems is satisfied Suspect Flows
Empty TCP Attack Empty TCP flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
Empty TCP Inflood Empty TCP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. DoS / Flash Crowd
Empty TCP Outflood

1. Empty TCP Flows without any payload i.e., BytePerPacket exactly 40 octets (bytes) from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. Empty TCP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
Empty TCP Port Scan

1. Empty TCP flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. Empty TCP flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Empty TCP Host Scan

1. Empty TCP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. Empty TCP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Empty TCP Diagonal Scan Empty TCP flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
Empty TCP Grid Scan Empty TCP flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end Scans / Probes
Empty TCP Port Scan(Reverse)

1. Empty TCP flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. Empty TCP flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Empty TCP Host Scan(Reverse)

1. Empty TCP flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. Empty TCP flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Empty TCP Diagonal Scan(Reverse) Empty TCP flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
Empty TCP Grid Scan(Reverse) Empty TCP flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
Excess Short TCP Ack Packets TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value equal to 16/A, denoting TCP Ack, touching or exceeding the Upper Limit, where none of the following derived problems is satisfied Suspect Flows
Short TCP Ack Inflood

1. Short TCP Ack flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

 

2. Short TCP Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
Short TCP Ack Outflood

1. Short TCP Ack flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. Short TCP Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
Short TCP Ack Port Scan

1. Short TCP Ack flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. Short TCP Ack flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Ack Host Scan

1. Short TCP Ack flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. Short TCP Ack flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Ack Diagonal Scan Short TCP Ack flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
Short TCP Ack Grid Scan Short TCP Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end. Scans / Probes
Short TCP Ack Port Scan(Reverse)

1. Short TCP Ack flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. Short TCP Ack flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Ack Host Scan(Reverse)

1. Short TCP Ack flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. Short TCP Ack flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Ack Diagonal Scan(Reverse) Short TCP Ack flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes

Short TCP Ack Grid Scan(Reverse)

Short TCP Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
Excess Short TCP Fin_Ack Packets TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value equal to 17/FA touching or exceeding the Upper Limit, where none of the following derived problems is satisfied Suspect Flows
Short TCP Fin_Ack Inflood

1. Short TCP Fin_Ack flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

 

2. Short TCP Fin_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
Short TCP Fin_Ack Outflood

1. Short TCP Fin_Ack flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. Short TCP Fin_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
Short TCP Fin_Ack Port Scan

1. Short TCP Fin_Ack flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. Short TCP Fin_Ack flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Fin_Ack Host Scan

1. Short TCP Fin_Ack flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. Short TCP Fin_Ack flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Fin_Ack Diagonal Scan Short TCP Fin_Ack flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
Short TCP Fin_Ack Grid Scan Short TCP Fin_Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end. Scans / Probes
Short TCP Fin_Ack Port Scan(Reverse)

1. Short TCP Fin_Ack flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. Short TCP Fin_Ack flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Fin_Ack Host Scan(Reverse)

1. Short TCP Fin_Ack flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. Short TCP Fin_Ack flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Fin_Ack Diagonal Scan(Reverse) Short TCP Fin_Ack flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
Short TCP Fin_Ack Grid Scan(Reverse) Short TCP Fin_Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
Excess Short TCP Handshake Packets TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value IN (19/ASF, 22/ARS, 23/ARSF), denoting opened & closed TCP Sessions, touching or exceeding the Upper Limit, where none of the following derived problems is satisfied Suspect Flows
Short TCP Handshake Attack Short TCP Handshake flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
Short TCP Handshake Inflood Short TCP Handshake flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. DoS / Flash Crowd
Short TCP Handshake Outflood

1. Short TCP Handshake flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. Short TCP Handshake flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
Short TCP Handshake Port Scan

1. Short TCP Handshake flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. Short TCP Handshake flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Handshake Host Scan

1. Short TCP Handshake flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. Short TCP Handshake flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Handshake Diagonal Scan Short TCP Handshake flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
Short TCP Handshake Grid Scan Short TCP Handshake flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end. Scans / Probes
Short TCP Handshake Port Scan(Reverse)

1. Short TCP Handshake flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. Short TCP Handshake flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Handshake Host Scan(Reverse)

1. Short TCP Handshake flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. Short TCP Handshake flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Handshake Diagonal Scan(Reverse) Short TCP Handshake flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
Short TCP Handshake Grid Scan(Reverse) Short TCP Handshake flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
 
Excess Short TCP Psh_Ack_No-Syn_Fin Packets TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value IN (24/PA, 28/APR), denoting TCP Psh_Ack but without Syn/Fin, touching or exceeding the Upper Limit, where none of the following derived problems is satisfied Suspect Flows
Short TCP Psh_Ack Attack Short TCP Psh_Ack flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
Short TCP Psh_Ack Inflood Short TCP Psh_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. DoS / Flash Crowd
Short TCP Psh_Ack Outflood

1. Short TCP Psh_Ack flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. Short TCP Psh_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
Short TCP Psh_Ack Port Scan

1. Short TCP Psh_Ack flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. Short TCP Psh_Ack flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Psh_Ack Host Scan

1. Short TCP Psh_Ack flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. Short TCP Psh_Ack flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Psh_Ack Diagonal Scan Short TCP Psh_Ack flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
Short TCP Psh_Ack Grid Scan Short TCP Psh_Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end Scans / Probes
Short TCP Psh_Ack Port Scan(Reverse)

1. Short TCP Psh_Ack flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

2. Short TCP Psh_Ack flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Psh_Ack Host Scan(Reverse)

1. Short TCP Psh_Ack flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

2. Short TCP Psh_Ack flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Psh_Ack Diagonal Scan(Reverse) Short TCP Psh_Ack flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
Short TCP Psh_Ack Grid Scan(Reverse) Short TCP Psh_Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     

Excess Short TCP Psh_No-Ack Packets

TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value IN (8/P, 42/UPS, 43/UPSF, 44/UPR, 45/UPRF, 46/UPRS, 47/UPRSF), denoting TCP Psh but without Ack, touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows
Short TCP Psh Attack Short TCP Psh flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
Short TCP Psh Inflood Short TCP Psh flows, from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. DoS / Flash Crowd
Short TCP Psh Outflood

1. Short TCP Psh flows, from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. Short TCP Psh flows, from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
Short TCP Psh Port Scan

1. Short TCP Psh flows, from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. Short TCP Psh flows, from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Psh Host Scan

1. Short TCP Psh flows, from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. Short TCP Psh flows, from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Psh Diagonal Scan Short TCP Psh flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
Short TCP Psh Grid Scan Short TCP Psh flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end Scans / Probes
Short TCP Psh Port Scan(Reverse)

1. Short TCP Psh flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. Short TCP Psh flows, from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Psh Host Scan(Reverse)

1. Short TCP Psh flows, from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. Short TCP Psh flows, from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Psh Diagonal Scan(Reverse) Short TCP Psh flows, from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
Short TCP Psh Grid Scan(Reverse) Short TCP Psh flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
Excess Short TCP Rst_Ack Packets TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value IN (20/AR, 21/ARF), denoting TCP Rst_Ack Flows, touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows
Short TCP Rst_Ack Inflood

1. Short TCP Rst_Ack flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

2. Short TCP Rst_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
Short TCP Rst_Ack Outflood

1. Short TCP Rst_Ack flows, from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. Short TCP Rst_Ack flows, from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
Short TCP Rst_Ack Port Scan

1. Short TCP Rst_Ack flows, from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. Short TCP Rst_Ack flows, from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Rst_Ack Host Scan

1. Short TCP Rst_Ack flows, from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. Short TCP Rst_Ack flows, from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Rst_Ack Diagonal Scan Short TCP Rst_Ack flows, from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
Short TCP Rst_Ack Grid Scan Short TCP Rst_Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end Scans / Probes
Short TCP Rst_Ack Port Scan(Reverse)

1. Short TCP Rst_Ack flows, from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. Short TCP Rst_Ack flows, from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Rst_Ack Host Scan(Reverse)

1. Short TCP Rst_Ack flows, from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. Short TCP Rst_Ack flows, from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Rst_Ack Diagonal Scan(Reverse) Short TCP Rst_Ack flows, from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
Short TCP Rst_Ack Grid Scan(Reverse) Short TCP Rst_Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
Excess Short TCP Syn_Ack Packets TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value equals 18/SA touching or exceeding the Upper Limit and none of the following derived problems gets satisfied DoS / Flash Crowd
Short TCP Syn_Ack Inflood

1. Short TCP Syn_Ack flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

2. Short TCP Syn_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
Short TCP Syn_Ack Outflood

1. Short TCP Syn_Ack flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. Short TCP Syn_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
Short TCP Syn_Ack Port Scan

1. Short TCP Syn_Ack flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. Short TCP Syn_Ack flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Syn_Ack Host Scan

1. Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Syn_Ack Diagonal Scan Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
Short TCP Syn_Ack Grid Scan Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end Scans / Probes
Short TCP Syn_Ack Port Scan(Reverse)

1. Short TCP Syn_Ack flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. Short TCP Syn_Ack flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Syn_Ack Host Scan(Reverse)

1. Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Syn_Ack Diagonal Scan(Reverse) Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
Short TCP Syn_Ack Grid Scan(Reverse) Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
Excess Short TCP Syn_Rst Packets TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value equals 6/RS, denoting TCP Syn_Rst Flows, but without Urg/Ack/Psh Flags, touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows
Short TCP Syn_Rst Attack Short TCP Syn_Rst flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
Short TCP Syn_Rst Inflood Short TCP Syn_Rst flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. DoS / Flash Crowd
Short TCP Syn_Rst Outflood

1. Short TCP Syn_Rst flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. Short TCP Syn_Rst flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
Short TCP Syn_Rst Port Scan

1. Short TCP Syn_Rst flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. Short TCP Syn_Rst flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Syn_Rst Host Scan

1. Short TCP Syn_Rst flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. Short TCP Syn_Rst flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short TCP Syn_Rst Diagonal Scan Short TCP Syn_Rst flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
Short TCP Syn_Rst Grid Scan Short TCP Syn_Rst flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end Scans / Probes
Short TCP Syn_Rst Port Scan(Reverse)

1. Short TCP Syn_Rst flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. Short TCP Syn_Rst flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Syn_Rst Host Scan(Reverse)

1. Short TCP Syn_Rst flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. Short TCP Syn_Rst flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short TCP Syn_Rst Diagonal Scan(Reverse) Short TCP Syn_Rst flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
Short TCP Syn_Rst Grid Scan(Reverse) Short TCP Syn_Rst flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
TCP Fin Violations TCP Flows with TCP Flags value IN (1/F, 5/RF) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows
TCP Fin Attack TCP Fin flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
TCP Fin Inflood TCP Fin flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. DoS / Flash Crowd
TCP Fin Outflood

1. TCP Fin flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. TCP Fin flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
TCP Fin Port Scan

1. TCP Fin flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. TCP Fin flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
TCP Fin Host Scan

1. TCP Fin flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. TCP Fin flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
TCP Fin Diagonal Scan TCP Fin flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
TCP Fin Grid Scan TCP Fin flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end Scans / Probes
TCP Fin Port Scan(Reverse)

1. TCP Fin flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. TCP Fin flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
TCP Fin Host Scan(Reverse)

1. TCP Fin flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. TCP Fin flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
TCP Fin Diagonal Scan(Reverse) TCP Fin flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
TCP Fin Grid Scan(Reverse) TCP Fin flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
TCP Null Violations TCP Flows with TCP Flags value equals 0/Null touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows
TCP Null Attack TCP Null flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
TCP Null Inflood TCP Null flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. DoS / Flash Crowd
TCP Null Outflood

1. TCP Null flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. TCP Null flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
TCP Null Port Scan

1. TCP Null flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. TCP Null flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
TCP Null Host Scan

1. TCP Null flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. TCP Null flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
TCP Null Diagonal Scan TCP Null flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
TCP Null Grid Scan TCP Null flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end Scans / Probes
TCP Null Port Scan(Reverse)

1. TCP Null flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. TCP Null flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
TCP Null Host Scan(Reverse)

1. TCP Null flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. TCP Null flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
TCP Null Diagonal Scan(Reverse) TCP Null flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
TCP Null Grid Scan(Reverse) TCP Null flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
TCP Rst Violations TCP Flows with TCP Flags value equals 4/R touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows
TCP Rst Attack TCP Rst Flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
TCP Rst Inflood TCP Rst Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. DoS / Flash Crowd
TCP Rst Outflood

1. TCP Rst Flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. TCP Rst Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
TCP Rst Port Scan

1. TCP Rst Flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. TCP Rst Flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
TCP Rst Host Scan

1. TCP Rst Flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. TCP Rst Flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
TCP Rst Diagonal Scan TCP Rst Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
TCP Rst Grid Scan TCP Rst Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end Scans / Probes
TCP Rst Port Scan(Reverse)

1. TCP Rst Flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. TCP Rst Flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
TCP Rst Host Scan(Reverse)

1. TCP Rst Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. TCP Rst Flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
TCP Rst Diagonal Scan(Reverse) TCP Rst Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
TCP Rst Grid Scan(Reverse) TCP Rst Flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
TCP Syn_Fin Violations TCP Flows with TCP Flags value IN (3/SF, 7/RSF), denoting TCP Syn_Fin –or– Syn_Rst_Fin Flows, but without Urg/Ack/Psh Flags touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows
TCP Syn_Fin Attack TCP Syn_Fin Flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
TCP Syn_Fin Inflood TCP Syn_Fin Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. DoS / Flash Crowd
TCP Syn_Fin Outflood

1. TCP Syn_Fin Flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. TCP Syn_Fin Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
TCP Syn_Fin Port Scan

1. TCP Syn_Fin Flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. TCP Syn_Fin Flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
TCP Syn_Fin Host Scan

1. TCP Syn_Fin Flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. TCP Syn_Fin Flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
TCP Syn_Fin Diagonal Scan TCP Syn_Fin Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
TCP Syn_Fin Grid Scan TCP Syn_Fin Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end Scans / Probes
TCP Syn_Fin Port Scan(Reverse)

1. TCP Syn_Fin Flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. TCP Syn_Fin Flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
TCP Syn_Fin Host Scan(Reverse)

1. TCP Syn_Fin Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. TCP Syn_Fin Flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
TCP Syn_Fin Diagonal Scan(Reverse) TCP Syn_Fin Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
TCP Syn_Fin Grid Scan(Reverse) TCP Syn_Fin Flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
TCP Urg Violations TCP Flows with TCP Flags value IN (32-40, 42-63), denoting all combinations of Urg Flag except the XMAS combination touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows
TCP Urg Attack TCP Urg Flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
TCP Urg Inflood TCP Urg Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. DoS / Flash Crowd
TCP Urg Outflood

1. TCP Urg Flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. TCP Urg Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
TCP Urg Port Scan

1. TCP Urg Flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. TCP Urg Flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
TCP Urg Host Scan

1. TCP Urg Flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. TCP Urg Flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
TCP Urg Diagonal Scan TCP Urg Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
TCP Urg Grid Scan TCP Urg Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end Scans / Probes
TCP Urg Port Scan(Reverse)

1. TCP Urg Flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. TCP Urg Flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
TCP Urg Host Scan(Reverse)

1. TCP Urg Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. TCP Urg Flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
TCP Urg Diagonal Scan(Reverse) TCP Urg Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
TCP Urg Grid Scan(Reverse) TCP Urg Flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
TCP Xmas Violations TCP Flows with TCP Flags value equals 41/UPF touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows
TCP Xmas Inflood

1. TCP Xmas flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

2. TCP Xmas flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
TCP Xmas Outflood

1. TCP Xmas Flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. TCP Xmas Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
TCP Xmas Port Scan

1. TCP Xmas Flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. TCP Xmas Flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
TCP Xmas Host Scan

1. TCP Xmas Flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

2. TCP Xmas Flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
TCP Xmas Diagonal Scan TCP Xmas Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
TCP Xmas Grid Scan TCP Xmas Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end Scans / Probes
TCP Xmas Port Scan(Reverse)

1. TCP Xmas Flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. TCP Xmas Flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
TCP Xmas Host Scan(Reverse)

1. TCP Xmas Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

2. TCP Xmas Flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
TCP Xmas Diagonal Scan(Reverse) TCP Xmas Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
TCP Xmas Grid Scan(Reverse) TCP Xmas Flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
Malformed TCP Packets TCP Flows with BytePerPacket less than the minimum 40 octets (bytes) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows
Malformed TCP Attack Malformed TCP flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
Malformed TCP Inflood Malformed TCP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. DoS / Flash Crowd
Malformed TCP Outflood

1. Malformed TCP flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. Malformed TCP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
Malformed TCP Port Scan

1. Malformed TCP flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. Malformed TCP flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Malformed TCP Host Scan

1. Malformed TCP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. Malformed TCP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Malformed TCP Diagonal Scan Malformed TCP flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
Malformed TCP Grid Scan Malformed TCP flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end Scans / Probes
Malformed TCP Port Scan(Reverse)

1. Malformed TCP flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. Malformed TCP flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Malformed TCP Host Scan(Reverse)

1. Malformed TCP flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. Malformed TCP flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Malformed TCP Diagonal Scan(Reverse) Malformed TCP flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
Malformed TCP Grid Scan(Reverse) Malformed TCP flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
ICMP Request Broadcasts ICMP Request Flows with Dst Port value IN (2048/Echo Request, 3328/Timestamp Request, 3840/Information Request, 4352/Address Mask Request) sent to a Broadcast/Multicast IP touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Indicates possible amplification attack on the Src IP. DoS / Flash Crowd
ICMP Request Broadcast Attack ICMP Request Broadcast flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
ICMP Request Broadcast Inflood ICMP Request Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. DoS / Flash Crowd
ICMP Request Broadcast Outflood

1. ICMP Request Broadcast flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. ICMP Request Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
ICMP Request Broadcast Host Scan

1. ICMP Request Broadcast flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

2. ICMP Request Broadcast flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
ICMP Request Broadcast Host Scan(Reverse)

1. ICMP Request Broadcast flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. ICMP Request Broadcast flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
Excess ICMP Requests ICMP Requests with Dst Port value IN (2048/Echo Request, 3328/Timestamp Request, 3840/Information Request, 4352/Address Mask Request) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows
ICMP Request Inflood

1. ICMP Request Flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

2. ICMP Request Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
ICMP Request Outflood

1. ICMP Requests from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. ICMP Requests from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
ICMP Request Host Scan

1. ICMP Requests from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

2. ICMP Requests from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
ICMP Request Host Scan(Reverse)

1. ICMP Requests from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

2. ICMP Requests from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
Excess ICMP Responses ICMP Response Flows with Dst Port value IN (0/Echo Reply, 3584/Timestamp Reply, 4096/Information Reply, 4608/Address Mask Reply) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows
ICMP Response Inflood

1. ICMP Responses from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

 

2. ICMP Responses from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
ICMP Response Outflood

1. ICMP Responses from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. ICMP Responses from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
ICMP Response Host Scan

1. ICMP Responses from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. ICMP Responses from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
ICMP Response Host Scan(Reverse)

1. ICMP Responses from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

2. ICMP Responses from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
ICMP Host Unreachables ICMP Host Unreachable Flows with Dst Port value IN (769/Host Unreachable, 773/Source Route Failed, 775/Host Unknown, 776/Source Host Isolated (obsolete), 778/Host Administratively Prohibited, 780/Host Unreachable for TOS, 781/Communication administratively prohibited by filtering) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows

ICMP Host Unreachable Inflood

 

1. ICMP Host Unreachable flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

2. ICMP Host Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
ICMP Host Unreachable Outflood

1. ICMP Host Unreachable flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. ICMP Host Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
ICMP Host Unreachable Host Scan

1. ICMP Host Unreachable flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. ICMP Host Unreachable flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
ICMP Host Unreachable Host Scan(Reverse)

1. ICMP Host Unreachable flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. ICMP Host Unreachable flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
ICMP Network Unreachables ICMP Network Unreachable Flows with Dst Port value IN (768/Network Unreachable, 774/Network Unknown, 777/Network Administratively Prohibited, 779/Network Unreachable for TOS) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows
ICMP Network Unreachable Inflood

1. ICMP Network Unreachable flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

2. ICMP Network Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

 

DoS / Flash Crowd
ICMP Network Unreachable Outflood

1. ICMP Network Unreachable flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. ICMP Network Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
ICMP Network Unreachable Host Scan

1. ICMP Network Unreachable flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. ICMP Network Unreachable flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
ICMP Network Unreachable Host Scan(Reverse)

1. ICMP Network Unreachable flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. ICMP Network Unreachable flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
    Bad Src-Dst
ICMP Parameter Problem Flows ICMP Parameter Problem Flows with Dst Port IN (3072/IP Header Bad, 3073/Required Option Missing, 3074/Bad Length) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Generally indicates some local or remote implementation error, i.e., invalid datagrams. Suspect Flows
ICMP Parameter Problem Inflood

1. ICMP Parameter Problem flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

2. ICMP Parameter Problem flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
ICMP Parameter Problem Outflood

1. ICMP Parameter Problem flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. ICMP Parameter Problem Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

 

DoS / Flash Crowd
ICMP Parameter Problem Host Scan

1. ICMP Parameter Problem flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. ICMP Parameter Problem flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
ICMP Parameter Problem Host Scan(Reverse)

1. ICMP Parameter Problem Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. ICMP Parameter Problem flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
ICMP Port Unreachables ICMP Port Unreachable Flows with Dst Port value equals 771/Port Unreachable touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows
ICMP Port Unreachable Inflood

1. ICMP Port Unreachable flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

2. ICMP Port Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd

 

ICMP Port Unreachable Outflood

1. ICMP Port Unreachable flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. ICMP Port Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

 

DoS / Flash Crowd
ICMP Port Unreachable Host Scan

1. ICMP Port Unreachable flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. ICMP Port Unreachable flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
ICMP Port Unreachable Host Scan(Reverse)

1. ICMP Port Unreachable flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. ICMP Port Unreachable flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
ICMP Protocol Unreachables ICMP Protocol Unreachable Flows with Dst Port value equals (770/Protocol Unreachable) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Can be used to perform a denial of service on active TCP sessions, causing the TCP connection to be dropped. DoS / Flash Crowd
ICMP Protocol Unreachable Inflood

1. ICMP Protocol Unreachable flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

2. ICMP Protocol Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
ICMP Protocol Unreachable Outflood

1. ICMP Protocol Unreachable flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. ICMP Protocol Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

 

DoS / Flash Crowd
ICMP Protocol Unreachable Host Scan

1. ICMP Protocol Unreachable flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. ICMP Protocol Unreachable flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
ICMP Protocol Unreachable Host Scan(Reverse)

1. ICMP Protocol Unreachable flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. ICMP Protocol Unreachable flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
ICMP Redirects ICMP Redirect Flows with Dst Port value IN (1280/Redirect for Network, 1281/Redirect for Host, 1282/Redirect for ToS and Network, 1283/Redirect for ToS and Host) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied Suspect Flows
ICMP Redirect Inflood

1. ICMP Redirect flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

2. ICMP Redirect flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
ICMP Redirect Outflood

1. ICMP Redirect flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. ICMP Redirect flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
ICMP Redirect Host Scan

1. ICMP Redirect flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. ICMP Redirect flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
ICMP Redirect Host Scan(Reverse)

1. ICMP Redirect flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. ICMP Redirect flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
ICMP Source Quench Flows ICMP Source Quench Flows with Dst Port value equals (1024/Source Quench) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Outdated, but can be used to attempt a denial of service by limiting the bandwidth of a router or host. DoS / Flash Crowd
ICMP Source Quench Inflood

1. ICMP Source Quench flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

2. ICMP Source Quench flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
ICMP Source Quench Outflood

1. ICMP Source Quench flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. ICMP Source Quench flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
ICMP Source Quench Host Scan

1. ICMP Source Quench flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. ICMP Source Quench flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
ICMP Source Quench Host Scan(Reverse)

1. ICMP Source Quench flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. ICMP Source Quench flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
ICMP Time Exceeded Flows ICMP Time Exceeded Flows with Dst Port IN (2816/Time-to-live equals 0 During Transit, 2817/Time-to-live equals 0 During Reassembly) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Indicates a traceroute attempt or datagram fragment reassembly failure. Suspect Flows
ICMP Time Exceeded Inflood

1. ICMP Time Exceeded flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

 

2. ICMP Time Exceeded flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
ICMP Time Exceeded Outflood

1. ICMP Time Exceeded flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. ICMP Time Exceeded flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
ICMP Time Exceeded Host Scan

1. ICMP Time Exceeded flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. ICMP Time Exceeded flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
ICMP Time Exceeded Host Scan(Reverse)

1. ICMP Time Exceeded flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. ICMP Time Exceeded flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
ICMP Trace Route Flows ICMP Trace Route Flows with Dst Port equals 7680/Trace Route touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Indicates a traceroute attempt. Suspect Flows
ICMP Trace Route Inflood

1. ICMP Trace Route flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

 

2. ICMP Trace Route flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
ICMP Trace Route Outflood

1. ICMP Trace Route flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. ICMP Trace Route flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
ICMP Trace Route Host Scan

1. ICMP Trace Route flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. ICMP Trace Route flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
ICMP Trace Route Host Scan(Reverse)

1. ICMP Trace Route flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. ICMP Trace Route flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
ICMP Unreachables for ToS ICMP ToS Unreachable Flows with Dst Port value IN (779/Network Unreachable for TOS, 780/Host Unreachable for TOS) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Suspect Flows
ICMP ToS Unreachable Inflood

1. ICMP ToS Unreachable flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

 

2. ICMP ToS Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd

ICMP ToS Unreachable Outflood

 

1. ICMP ToS Unreachable flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. ICMP ToS Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

 

DoS / Flash Crowd
ICMP ToS Unreachable Host Scan

1. ICMP ToS Unreachable flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. ICMP ToS Unreachable flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
ICMP ToS Unreachable Host Scan(Reverse)

1. ICMP ToS Unreachable flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. ICMP ToS Unreachable flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
Malformed ICMP Packets ICMP Flows with BytePerPacket less than the minimum 28 octets (bytes) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Suspect Flows
Malformed ICMP Inflood

1. Malformed ICMP flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

 

2. Malformed ICMP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
Malformed ICMP Outflood

1. Malformed ICMP flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. Malformed ICMP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
Malformed ICMP Host Scan

1. Malformed ICMP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. Malformed ICMP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Malformed ICMP Host Scan(Reverse)

1. Malformed ICMP flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. Malformed ICMP flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
ICMP Datagram Conversion Error Flows ICMP Datagram Conversion Error Flows with Dst Port value equals 7936/Datagram Conversion Error, i.e., for valid datagrams, touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Suspect Flows

ICMP Datagram Conversion Error Inflood

1. ICMP Datagram Conversion Error flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

 

2. ICMP Datagram Conversion Error flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd

ICMP Datagram Conversion Error Outflood

1. ICMP Datagram Conversion Error flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. ICMP Datagram Conversion Error flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
ICMP Datagram Conversion Error Host Scan

1. ICMP Datagram Conversion Error flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. ICMP Datagram Conversion Error flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
ICMP Datagram Conversion Error Host Scan(Reverse)

1. ICMP Datagram Conversion Error flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. ICMP Datagram Conversion Error flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
Excess UDP Echo Responses UDP Echo Response from Src Port 7 (Echo) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Suspect Flows
UDP Echo Response Inflood

1. UDP Echo Responses from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

 

2. UDP Echo Responses from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
UDP Echo Response Outflood

1. UDP Echo Responses from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. UDP Echo Responses from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
UDP Echo Response Port Scan

1. UDP Echo Responses from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. UDP Echo Responses from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
UDP Echo Response Host Scan

1. UDP Echo Responses from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. UDP Echo Responses from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
UDP Echo Response Diagonal Scan UDP Echo Responses from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
UDP Echo Response Grid Scan UDP Echo Responses from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end Scans / Probes
UDP Echo Response Host Scan(Reverse)

1. UDP Echo Responses from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. UDP Echo Responses from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
Excess UDP Echo Requests UDP Echo Request to Dst Port 7 (Echo) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Suspect Flows
UDP Echo Request Inflood

1. UDP Echo Requests from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

 

2. UDP Echo Requests from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
UDP Echo Request Outflood

1. UDP Echo requests from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. UDP Echo requests from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
UDP Echo Request Host Scan

1. UDP Echo requests from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. UDP Echo requests from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
UDP Echo Request Port Scan(Reverse)

1. UDP Echo requests from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. UDP Echo requests from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
UDP Echo Request Host Scan(Reverse)

1. UDP Echo requests from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

2. UDP Echo requests from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
UDP Echo Request Diagonal Scan(Reverse) UDP Echo requests from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
UDP Echo Request Grid Scan(Reverse) UDP Echo requests from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
UDP Echo Request Broadcasts UDP Echo Request to Dst Port 7 (Echo) sent to a Broadcast/Multicast IP touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Indicates possible amplification attack on the Src IP. DoS / Flash Crowd
UDP Echo Request Broadcast Attack UDP Echo Request Broadcast flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
UDP Echo Request Broadcast Inflood

UDP Echo Request Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
UDP Echo Request Broadcast Outflood

1. UDP Echo Request Broadcast flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. UDP Echo Request Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
UDP Echo Request Broadcast Host Scan

1. UDP Echo Request Broadcast flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. UDP Echo Request Broadcast flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
UDP Echo Request Broadcast Port Scan(Reverse)

1. UDP Echo Request Broadcast flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. UDP Echo Request Broadcast flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
UDP Echo Request Broadcast Host Scan(Reverse)

1. UDP Echo Request Broadcast flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. UDP Echo Request Broadcast flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
UDP Echo Request Broadcast Diagonal Scan(Reverse) UDP Echo Request Broadcast flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
UDP Echo Request Broadcast Grid Scan(Reverse) UDP Echo Request Broadcast flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
UDP Chargen-Echo Broadcasts UDP Flows, from Src Port 19/Chargen to Dst Port 7/Echo, sent to a Broadcast/Multicast IP touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Indicates possible amplification attack on the Src IP. DoS / Flash Crowd
UDP Chargen-Echo Broadcast Attack UDP Chargen-Echo Broadcast flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
UDP Chargen-Echo Broadcast Inflood

UDP Chargen-Echo Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd

UDP Chargen-Echo Broadcast Outflood

 

1. UDP Chargen-Echo Broadcast flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. UDP Chargen-Echo Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
UDP Chargen-Echo Broadcast Host Scan

1. UDP Chargen-Echo Broadcast flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. UDP Chargen-Echo Broadcast flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
UDP Chargen-Echo Broadcast Host Scan(Reverse)

1. UDP Chargen-Echo Broadcast flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. UDP Chargen-Echo Broadcast flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
UDP Echo-Chargen Broadcasts UDP Flows, from Src Port 7/Echo to Dst Port 19/Chargen, sent to a Broadcast/Multicast IP touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Indicates possible amplification attack on the Src IP. DoS / Flash Crowd
UDP Echo-Chargen Broadcast Attack UDP Echo-Chargen Broadcast flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
UDP Echo-Chargen Broadcast Inflood

UDP Echo-Chargen Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
UDP Echo-Chargen Broadcast Outflood

1. UDP Echo-Chargen Broadcast flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. UDP Echo-Chargen Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
UDP Echo-Chargen Broadcast Host Scan

1. UDP Echo-Chargen Broadcast flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. UDP Echo-Chargen Broadcast flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
UDP Echo-Chargen Broadcast Host Scan(Reverse)

1. UDP Echo-Chargen Broadcast flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. UDP Echo-Chargen Broadcast flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
Excess Empty UDP Packets UDP Flows without any payload, i.e., BytePerPacket exactly 28 octets (bytes), touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Suspect Flows
Empty UDP Attack Empty UDP flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
Empty UDP Inflood

Empty UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
Empty UDP Outflood

1. Empty UDP flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. Empty UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
Empty UDP Port Scan

1. Empty UDP flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. Empty UDP flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Empty UDP Host Scan

1. Empty UDP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. Empty UDP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Empty UDP Diagonal Scan Empty UDP flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
Empty UDP Grid Scan Empty UDP flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end. Scans / Probes
Empty UDP Port Scan(Reverse)

1. Empty UDP flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. Empty UDP flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Empty UDP Host Scan(Reverse)

1. Empty UDP flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. Empty UDP flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Empty UDP Diagonal Scan(Reverse) Empty UDP flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints) Scans / Probes
Empty UDP Grid Scan(Reverse) Empty UDP flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
Excess Short UDP Packets UDP Flows with nominal payload, i.e., BytePerPacket between 29 and 32 octets (bytes), touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Suspect Flows
Short UDP Attack Short UDP flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
Short UDP Inflood

Short UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
Short UDP Outflood

1. Short UDP flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. Short UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
Short UDP Port Scan

1. Short UDP flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. Short UDP flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short UDP Host Scan

1. Short UDP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. Short UDP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Short UDP Diagonal Scan Short UDP flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) Scans / Probes
Short UDP Grid Scan Short UDP flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end Scans / Probes
Short UDP Port Scan(Reverse)

1. Short UDP flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. Short UDP flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short UDP Host Scan(Reverse)

1. Short UDP flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. Short UDP flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Short UDP Diagonal Scan(Reverse) Short UDP flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
Short UDP Grid Scan(Reverse) Short UDP flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
Malformed UDP Packets UDP Flows with BytePerPacket less than the minimum 28 octets (bytes) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Suspect Flows
Malformed UDP Attack Malformed UDP flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
Malformed UDP Inflood

Malformed UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
Malformed UDP Outflood

1. Malformed UDP flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. Malformed UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
Malformed UDP Port Scan

1. Malformed UDP flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.

 

2. Malformed UDP flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Malformed UDP Host Scan

1. Malformed UDP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. Malformed UDP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
Malformed UDP Diagonal Scan Malformed UDP flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints). Scans / Probes
Malformed UDP Grid Scan Malformed UDP flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end. Scans / Probes
Malformed UDP Port Scan(Reverse)

1. Malformed UDP flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.

 

2. Malformed UDP flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Malformed UDP Host Scan(Reverse)

1. Malformed UDP flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. Malformed UDP flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Malformed UDP Diagonal Scan(Reverse) Malformed UDP flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). Scans / Probes
Malformed UDP Grid Scan(Reverse) Malformed UDP flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. Scans / Probes
     
Snork Attack Flows UDP flows with Src Port IN (7, 19, 135) and Dst Port IN (135), touching or exceeding the Upper Limit, where none of the following derived problems is satisfied. Indicates a denial of service attack against the Windows NT RPC Service. DoS / Flash Crowd
UDP Snork Attack UDP Snork flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. DoS / Flash Crowd
UDP Snork Inflood

UDP Snork flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
UDP Snork Outflood

1. UDP Snork flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. UDP Snork flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
UDP Snork Host Scan

1. UDP Snork flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. UDP Snork flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
UDP Snork Host Scan(Reverse)

1. UDP Snork flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. UDP Snork flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
Excess UDP Chargen-Echo Flows UDP flows from Src Port 19/Chargen to Dst Port 7/Echo, sent to any unicast IP, touching or exceeding the Upper Limit, where none of the following derived problems is satisfied. Indicates a possible amplification attack on the Src IP. DoS / Flash Crowd
UDP Chargen-Echo Inflood

1. UDP Chargen-Echo flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

2. UDP Chargen-Echo flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
UDP Chargen-Echo Outflood

1. UDP Chargen-Echo flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. UDP Chargen-Echo flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
UDP Chargen-Echo Host Scan

1. UDP Chargen-Echo flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. UDP Chargen-Echo flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
UDP Chargen-Echo Host Scan(Reverse)

1. UDP Chargen-Echo flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. UDP Chargen-Echo flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
     
Excess UDP Echo-Chargen Flows UDP flows from Src Port 7/Echo to Dst Port 19/Chargen, sent to any unicast IP, touching or exceeding the Upper Limit, where none of the following derived problems is satisfied. Indicates a possible amplification attack on the Src IP. DoS / Flash Crowd
UDP Echo-Chargen Inflood

1. UDP Echo-Chargen flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

2. UDP Echo-Chargen flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

DoS / Flash Crowd
UDP Echo-Chargen Outflood

1. UDP Echo-Chargen flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.

 

2. UDP Echo-Chargen flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.

DoS / Flash Crowd
UDP Echo-Chargen Host Scan

1. UDP Echo-Chargen flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.

 

2. UDP Echo-Chargen flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Scans / Probes
UDP Echo-Chargen Host Scan(Reverse)

1. UDP Echo-Chargen flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.

 

2. UDP Echo-Chargen flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Scans / Probes
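
The following is an added example, not the product's own code: it sorts UDP flow records into the four flow families defined above (Malformed UDP, UDP Snork, UDP Chargen-Echo, UDP Echo-Chargen) and then applies Host Scan rule 1 or the base-problem Upper Limit. The threshold values, the record field names, the helper names and the order in which the families are checked are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed values (compared inclusively): the page names these thresholds but gives no numbers.
UPPER_LIMIT = 5          # flows at which a base problem is raised
MIN_HORIZONTAL_SPAN = 4  # distinct destination hosts for a Host Scan
BASE_EVENT = {
    "Malformed UDP": "Malformed UDP Packets",
    "UDP Snork": "Snork Attack Flows",
    "UDP Chargen-Echo": "Excess UDP Chargen-Echo Flows",
    "UDP Echo-Chargen": "Excess UDP Echo-Chargen Flows",
}

def flow_family(flow):
    """Flow family per the page; 28 octets = 20-byte IPv4 + 8-byte UDP header."""
    sport, dport = flow["src_port"], flow["dst_port"]
    if flow["bytes"] / flow["packets"] < 28:
        return "Malformed UDP"  # checked first: an assumed precedence
    if (sport, dport) == (19, 7):
        return "UDP Chargen-Echo"
    if (sport, dport) == (7, 19):
        return "UDP Echo-Chargen"
    if sport in (7, 19, 135) and dport == 135:
        return "UDP Snork"
    return None

def classify(flows):
    """Apply Host Scan rule 1 per family, else fall back to the base problem."""
    groups = defaultdict(list)
    for f in flows:
        if (fam := flow_family(f)):
            groups[fam].append(f)
    events = {}
    for fam, fs in groups.items():
        dst_hosts = {f["dst_ip"] for f in fs}
        dst_ports = {f["dst_port"] for f in fs}
        if len(dst_ports) == 1 and len(dst_hosts) >= MIN_HORIZONTAL_SPAN:
            events[fam] = fam + " Host Scan"
        elif len(fs) >= UPPER_LIMIT:
            events[fam] = BASE_EVENT[fam]
    return events

def udp(src, sport, dst, dport, nbytes=400, pkts=4):
    return {"src_ip": src, "src_port": sport, "dst_ip": dst,
            "dst_port": dport, "bytes": nbytes, "packets": pkts}

# Constructed sample flows using documentation address ranges.
SAMPLE = [udp("198.51.100.9", 135, f"192.0.2.{i}", 135) for i in range(1, 6)]
SAMPLE += [udp("203.0.113.7", 19, "192.0.2.50", 7)] * 6
SAMPLE += [udp("203.0.113.8", 4000, "192.0.2.60", 53, nbytes=20, pkts=1)] * 2
SAMPLE += [udp("192.0.2.70", 5353, "192.0.2.53", 53)]
```

On the sample, the five Snork flows to five distinct hosts on port 135 are reported as a host scan, the six Chargen-Echo flows to one host are reported as the base problem, and the two malformed flows stay below the Upper Limit and raise nothing.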