Advanced Security Analytics Module
The table below lists some of the important abbreviations used in this document, with their expanded forms.
Setting | Description |
IP | Internet Protocol Address |
Src | Source |
Dst | Destination |
P2P | Peer to Peer |
ToS | Type of Service |
DoS | Denial of Service |
TCP: U-A-P-R-S-F | TCP: Urg – Ack – Psh – Rst – Syn – Fin |
The table below lists the set of classes used for classifying problems, with a brief description of each.
Class Name | Description |
Bad Src – Dst | Either the Src IP or the Dst IP of the flow is suspicious |
Suspect Flows | Some attribute(s) of the flow other than the Src IP and Dst IP are suspicious |
DoS | Denial of Service Attack |
Scans and Probes | Flows are sent to a specific host using multiple ports, or to multiple hosts on a single port. |
The table below lists different threshold definitions.
Aggregation Limit Settings | |
Lower Limit | Minimum number of flows required for performing heuristic analysis and verifying the presence of derived problems like Port Scan, Host Scan, Inflood, etc. |
Upper Limit | Maximum number of flows accrued in a single event under the default configuration; it is also the threshold used for base problems like TCP Syn Violations, TCP Fin Violations, etc. |
Source Pattern Settings | |
Minimum Horizontal Span | Minimum number of distinct source hosts - Host Scan (Reverse) |
Minimum Vertical Span | Minimum number of distinct source ports - Port Scan (Reverse) |
Minimum Diagonal Span | Minimum number of distinct source end points under the constraint: (source hosts = source ports = source end points) - Diagonal Scan (Reverse) |
Minimum Aspect Ratio | 1. Minimum source hosts per source ports - Host Scan (Reverse) 2. Minimum source ports per source hosts - Port Scan (Reverse) |
Minimum Occupancy | Minimum spread of source end points in an Event - Host Scan (Reverse), Port Scan (Reverse), Grid Scan (Reverse). Occupancy = Source End Points/(Source Hosts * Source Ports) |
Minimum Flux Rate | Minimum hits per source end points – Outflood |
Minimum Divergence | Minimum destination hosts per source hosts - Outflood |
Destination Pattern Settings | |
Minimum Horizontal Span | Minimum number of distinct destination hosts - Host Scan |
Minimum Vertical Span | Minimum number of distinct destination ports - Port Scan |
Minimum Diagonal Span | Minimum number of distinct destination end points under the constraint: (destination hosts = destination ports = destination end points) - Diagonal Scan |
Minimum Aspect Ratio | 1. Minimum source hosts per destination ports - Host Scan 2. Minimum source ports per destination hosts - Port Scan |
Minimum Occupancy | Minimum spread of destination end points in an Event - Host Scan, Port Scan, Grid Scan. Occupancy = Destination End Points/(Destination Hosts * Destination Ports) |
Minimum Flux Rate | Minimum hits per destination end points – Inflood |
Minimum Convergence | Minimum destination hosts per destination hosts - Inflood |
The table below lists the anomalies detected by the Advanced Security Analytics Module.
Anomaly | Description |
Attack | Flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. |
Inflood | Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
Outflood | 1. Flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
Port Scan | 1. Flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end. 2. Flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Host Scan | 1. Flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. Flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Diagonal Scan | Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) |
Grid Scan | Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end. |
Port Scan(Reverse) | 1. Flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end. 2. Flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Host Scan(Reverse) | 1. Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. Flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Diagonal Scan(Reverse) | Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). |
Grid Scan(Reverse) | Flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. |
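The destination-end anomalies above can be worked through on sample flows. The sketch below is an added example, not the product's code: it computes the span, occupancy and flux metrics for one event and applies the table's rules. The threshold values, the order of the checks, the aspect ratio (taken as destination ports per destination host for Port Scan and the inverse for Host Scan, mirroring the Source Pattern Settings) and convergence (taken as source hosts per destination host) are assumptions.

```python
from dataclasses import dataclass
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Thresholds:
    """Hypothetical values: the page names these settings but lists no defaults."""
    lower_limit: int = 10
    min_horizontal_span: int = 8
    min_vertical_span: int = 8
    min_diagonal_span: int = 8
    min_aspect_ratio: float = 4.0
    min_occupancy: float = 0.5
    min_flux_rate: float = 20.0
    min_convergence: float = 5.0


def destination_metrics(flows):
    """Summarise one event (a non-empty list of Flow) at the destination end."""
    if not flows:
        raise ValueError("an event needs at least one flow")
    hosts = len({f.dst_ip for f in flows})
    ports = len({f.dst_port for f in flows})
    endpoints = len({(f.dst_ip, f.dst_port) for f in flows})
    sources = len({f.src_ip for f in flows})
    return {
        "flows": len(flows), "hosts": hosts, "ports": ports, "endpoints": endpoints,
        # Occupancy = destination end points / (destination hosts * destination ports)
        "occupancy": endpoints / (hosts * ports),
        "flux_rate": len(flows) / endpoints,   # hits per destination end point
        "convergence": sources / hosts,        # assumed: source hosts per destination host
    }


def classify_destination(flows, t=Thresholds()) -> Optional[str]:
    """Return the anomaly name for an event, or None if no pattern applies.

    The order of the checks is an assumption; a minimum counts as met at >=.
    """
    if len(flows) < t.lower_limit:
        return None  # too few flows for heuristic analysis
    m = destination_metrics(flows)
    hosts, ports = m["hosts"], m["ports"]
    dense = m["occupancy"] >= t.min_occupancy

    # hosts = ports = endpoints: every host is hit on its own distinct port
    if hosts == ports == m["endpoints"] >= t.min_diagonal_span:
        return "Diagonal Scan"
    # Variant 1: a single host; variant 2: few hosts, dense and tall footprint
    if ports >= t.min_vertical_span and (
            hosts == 1 or (dense and ports / hosts >= t.min_aspect_ratio)):
        return "Port Scan"
    # Variant 1: a single port; variant 2: few ports, dense and wide footprint
    if hosts >= t.min_horizontal_span and (
            ports == 1 or (dense and hosts / ports >= t.min_aspect_ratio)):
        return "Host Scan"
    if dense and (ports >= t.min_vertical_span or hosts >= t.min_horizontal_span):
        return "Grid Scan"
    if m["flux_rate"] >= t.min_flux_rate:
        return "Attack" if m["convergence"] >= t.min_convergence else "Inflood"
    return None


def build_sample_events():
    """Constructed events using documentation address ranges (RFC 5737)."""
    src = "203.0.113.5"
    return {
        "port_scan": [Flow(src, 40000 + p, "192.0.2.10", p) for p in range(1, 31)],
        "host_scan": [Flow(src, 40000 + h, f"192.0.2.{h}", 22) for h in range(1, 31)],
        "diagonal": [Flow(src, 40000 + i, f"192.0.2.{i}", 1000 + i) for i in range(1, 13)],
        "grid": [Flow(src, 40000, f"192.0.2.{h}", p)
                 for h in range(1, 11) for p in range(8000, 8010)],
        "attack": [Flow(f"198.51.100.{s}", 50000 + n, "192.0.2.80", 80)
                   for s in range(1, 51) for n in range(10)],
        "inflood": [Flow(src, 50000 + n, "192.0.2.80", 80) for n in range(100)],
        # L-shaped spread: 10 hosts and 10 ports seen, but only 19 end points
        "sparse": [Flow(src, 40000, "192.0.2.1", p) for p in range(8000, 8010)]
                  + [Flow(src, 40000, f"192.0.2.{h}", 8000) for h in range(2, 11)],
    }


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:10s} -> {classify_destination(event)}")
```

The `sparse` event shows why Minimum Occupancy matters: it meets both span thresholds, but only 19 of the 100 possible end points are touched, so it is not reported as a scan.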
The table below lists the set of problems detected, with a brief description and the classification of each.
Problem Name | Description | Class |
Excess Broadcast Flows | Broadcast traffic exceeds threshold for any given Src IP | Bad Src-Dst |
Excess Multicast Flows | Multicast traffic exceeds threshold for any given Src IP | Bad Src-Dst |
Excess Networkcast Flows | Network IP destined traffic exceeds threshold for any given Src IP | Bad Src-Dst |
Invalid Src-Dst Flows | Invalid Src or Dst IP regardless of the enterprise perimeter, for example, Loopback IPs or IANA Local IPs in either Src or Dst IP | Bad Src-Dst |
Invalid ToS Flows | Flows with invalid ToS values | Bad Src-Dst |
Land Attack Flows | Flows with the same Src IP & Dst IP. Causes the target machine to reply to itself continuously | Bad Src-Dst |
Malformed IP Packets | Flows with BytePerPacket less than or equal to the minimum 20 octets (bytes) | Bad Src-Dst |
Non Unicast Source Flows | Src IP is either Multicast or Broadcast or Network IP i.e., not Unicast | Bad Src-Dst |
TCP Syn Violations | TCP Flows with TCP Flags value equals 2/Syn touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
TCP Syn Flows from multiple source hosts to fewer destination hosts exceeding Minimum Flux Rate and Minimum Convergence at the destination end. |
DoS / Flash Crowd | |
TCP Syn Inflood | TCP Syn Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
TCP Syn Outflood |
1. TCP Syn Flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. TCP Syn Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
TCP Syn Port Scan |
1. TCP Syn Flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. TCP Syn Flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
TCP Syn Host Scan |
1. TCP Syn Flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. TCP Syn Flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
TCP Syn Diagonal Scan | TCP Syn Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
TCP Syn Grid Scan | TCP Syn Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end. | Scans / Probes |
TCP Syn Port Scan(Reverse) |
1. TCP Syn Flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. TCP Syn Flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
TCP Syn Host Scan(Reverse) |
1. TCP Syn Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. TCP Syn Flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
TCP Syn Diagonal Scan(Reverse) |
TCP Syn Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). |
Scans / Probes |
TCP Syn Grid Scan(Reverse) |
TCP Syn Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end. |
Scans / Probes |
Excess Short TCP Syn_Ack Packets | TCP Flows with nominal payload i.e., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value equals 18/SA touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
Short TCP Syn_Ack Inflood |
1. Short TCP Syn_Ack Flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. Short TCP Syn_Ack Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
Short TCP Syn_Ack Outflood |
1. Short TCP Syn_Ack Flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. Short TCP Syn_Ack Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
Short TCP Syn_Ack Port Scan | 1. Short TCP Syn_Ack Flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. Short TCP Syn_Ack Flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Syn_Ack Host Scan | 1. Short TCP Syn_Ack Flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. Short TCP Syn_Ack Flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Syn_Ack Diagonal Scan | Short TCP Syn_Ack Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
Short TCP Syn_Ack Grid Scan | Short TCP Syn_Ack from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end. | Scans / Probes |
Short TCP Syn_Ack Port Scan(Reverse) |
1. Short TCP Syn_Ack Flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. Short TCP Syn_Ack Flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Syn_Ack Host Scan(Reverse) |
1. Short TCP Syn_Ack Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. Short TCP Syn_Ack Flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Syn_Ack Diagonal Scan(Reverse) | Short TCP Syn_Ack Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
Short TCP Syn_Ack Grid Scan(Reverse) | Short TCP Syn_Ack Flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
Excess Empty TCP Packets | TCP Flows without any payload i.e., BytePerPacket exactly 40 octets (bytes) with TCP FLAGS value IN (25–27, 29–31) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | |
Empty TCP Attack | Empty TCP flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
Empty TCP Inflood | Empty TCP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
Empty TCP Outflood |
1. Empty TCP Flows without any payload i.e., BytePerPacket exactly 40 octets (bytes) from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. Empty TCP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
Empty TCP Port Scan |
1. Empty TCP flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. Empty TCP flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Empty TCP Host Scan |
1. Empty TCP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. Empty TCP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Suspect Flows | ||
Empty TCP Diagonal Scan | Empty TCP flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
Empty TCP Grid Scan | Empty TCP flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
Empty TCP Port Scan(Reverse) |
1. Empty TCP flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. Empty TCP flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Empty TCP Host Scan(Reverse) |
1. Empty TCP flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. Empty TCP flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Empty TCP Diagonal Scan(Reverse) | Empty TCP flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
Empty TCP Grid Scan(Reverse) | Empty TCP flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
Excess Short TCP Ack Packets | TCP Flows with nominal payload i.e., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value equals 16/A, denoting TCP Ack, touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
Short TCP Ack Inflood |
1. Short TCP Ack flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. Short TCP Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
Short TCP Ack Outflood |
1. Short TCP Ack flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. Short TCP Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
Short TCP Ack Port Scan |
1. Short TCP Ack flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. Short TCP Ack flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Ack Host Scan |
1. Short TCP Ack flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. Short TCP Ack flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Ack Diagonal Scan | Short TCP Ack flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
Short TCP Ack Grid Scan | Short TCP Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
Short TCP Ack Port Scan(Reverse) |
1. Short TCP Ack flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. Short TCP Ack flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Ack Host Scan(Reverse) |
1. Short TCP Ack flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. Short TCP Ack flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Ack Diagonal Scan(Reverse) | Short TCP Ack flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
Short TCP Ack Grid Scan(Reverse) |
Short TCP Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
Excess Short TCP Fin_Ack Packets | TCP Flows with nominal payload i.e., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value equals 17/FA touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
1. Short TCP Fin_Ack flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. Short TCP Fin_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd | |
Short TCP Fin_Ack Outflood |
1. Short TCP Fin_Ack flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. Short TCP Fin_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
Short TCP Fin_Ack Port Scan |
1. Short TCP Fin_Ack flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. Short TCP Fin_Ack flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Fin_Ack Host Scan |
1. Short TCP Fin_Ack flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. Short TCP Fin_Ack flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Fin_Ack Diagonal Scan | Short TCP Fin_Ack flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
Short TCP Fin_Ack Grid Scan | Short TCP Fin_Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
Short TCP Fin_Ack Port Scan(Reverse) |
1. Short TCP Fin_Ack flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. Short TCP Fin_Ack flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Fin_Ack Host Scan(Reverse) |
1. Short TCP Fin_Ack flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. Short TCP Fin_Ack flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Fin_Ack Diagonal Scan(Reverse) | Short TCP Fin_Ack flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
Short TCP Fin_Ack Grid Scan(Reverse) | Short TCP Fin_Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
Excess Short TCP Handshake Packets | TCP Flows with nominal payload i.e., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value IN (19/ASF, 22/ARS, 23/ARSF), denoting opened & closed TCP Sessions, touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
Short TCP Handshake Attack | Short TCP Handshake flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
Short TCP Handshake Inflood | Short TCP Handshake flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
Short TCP Handshake Outflood |
1. Short TCP Handshake flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. Short TCP Handshake flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
Short TCP Handshake Port Scan |
1. Short TCP Handshake flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. Short TCP Handshake flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Handshake Host Scan |
1. Short TCP Handshake flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. Short TCP Handshake flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Handshake Diagonal Scan | Short TCP Handshake flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
Short TCP Handshake Grid Scan | Short TCP Handshake flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
Short TCP Handshake Port Scan(Reverse) |
1. Short TCP Handshake flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. Short TCP Handshake flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Handshake Host Scan(Reverse) |
1. Short TCP Handshake flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. Short TCP Handshake flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Handshake Diagonal Scan(Reverse) | Short TCP Handshake flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
Short TCP Handshake Grid Scan(Reverse) | Short TCP Handshake flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
Excess Short TCP Psh_Ack_No-Syn_Fin Packets | TCP Flows with nominal payload i.e., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value IN (24/PA, 28/APR), denoting TCP Psh_Ack but without Syn/Fin, touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
Short TCP Psh_Ack Attack | Short TCP Psh_Ack flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
Short TCP Psh_Ack Inflood | Short TCP Psh_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
Short TCP Psh_Ack Outflood |
1. Short TCP Psh_Ack flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. Short TCP Psh_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
Short TCP Psh_Ack Port Scan |
1. Short TCP Psh_Ack flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. Short TCP Psh_Ack flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Psh_Ack Host Scan |
1. Short TCP Psh_Ack flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. Short TCP Psh_Ack flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Psh_Ack Diagonal Scan | Short TCP Psh_Ack flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
Short TCP Psh_Ack Grid Scan | Short TCP Psh_Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
Short TCP Psh_Ack Port Scan(Reverse) |
1. Short TCP Psh_Ack flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. Short TCP Psh_Ack flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Psh_Ack Host Scan(Reverse) |
1. Short TCP Psh_Ack flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. Short TCP Psh_Ack flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Psh_Ack Diagonal Scan(Reverse) | Short TCP Psh_Ack flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
Short TCP Psh_Ack Grid Scan(Reverse) | Short TCP Psh_Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
Excess Short TCP Psh_No-Ack Packets |
TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value IN (8/P, 42/UPS, 43/UPSF, 44/UPR, 45/UPRF, 46/UPRS, 47/UPRSF), denoting TCP Psh but without Ack, touching or exceeding the Upper Limit, and none of the following derived problems is satisfied | Suspect Flows |
Short TCP Psh Attack | Short TCP Psh flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
Short TCP Psh Inflood | Short TCP Psh flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
Short TCP Psh Outflood |
1. Short TCP Psh flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. Short TCP Psh flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
Short TCP Psh Port Scan |
1. Short TCP Psh flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. Short TCP Psh flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Psh Host Scan |
1. Short TCP Psh flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. Short TCP Psh flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Psh Diagonal Scan | Short TCP Psh flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
Short TCP Psh Grid Scan | Short TCP Psh flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end | Scans / Probes |
Short TCP Psh Port Scan(Reverse) |
1. Short TCP Psh flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. Short TCP Psh flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Psh Host Scan(Reverse) |
1. Short TCP Psh flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. Short TCP Psh flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Psh Diagonal Scan(Reverse) | Short TCP Psh flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
Short TCP Psh Grid Scan(Reverse) | Short TCP Psh flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
Excess Short TCP Rst_Ack Packets | TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value IN (20/AR, 21/ARF), denoting TCP Rst_Ack Flows, touching or exceeding the Upper Limit, and none of the following derived problems is satisfied | Suspect Flows |
Short TCP Rst_Ack Inflood |
1. Short TCP Rst_Ack flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. Short TCP Rst_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
Short TCP Rst_Ack Outflood |
1. Short TCP Rst_Ack flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. Short TCP Rst_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
Short TCP Rst_Ack Port Scan |
1. Short TCP Rst_Ack flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. Short TCP Rst_Ack flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Rst_Ack Host Scan |
1. Short TCP Rst_Ack flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. Short TCP Rst_Ack flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Rst_Ack Diagonal Scan | Short TCP Rst_Ack flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
Short TCP Rst_Ack Grid Scan | Short TCP Rst_Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
Short TCP Rst_Ack Port Scan(Reverse) |
1. Short TCP Rst_Ack flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. Short TCP Rst_Ack flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Rst_Ack Host Scan(Reverse) |
1. Short TCP Rst_Ack flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. Short TCP Rst_Ack flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Rst_Ack Diagonal Scan(Reverse) | Short TCP Rst_Ack flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
Short TCP Rst_Ack Grid Scan(Reverse) | Short TCP Rst_Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
Excess Short TCP Syn_Ack Packets | TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value equal to 18/SA, touching or exceeding the Upper Limit, and none of the following derived problems is satisfied | DoS / Flash Crowd |
Short TCP Syn_Ack Inflood |
1. Short TCP Syn_Ack flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. Short TCP Syn_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
Short TCP Syn_Ack Outflood |
1. Short TCP Syn_Ack flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. Short TCP Syn_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
Short TCP Syn_Ack Port Scan |
1. Short TCP Syn_Ack flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. Short TCP Syn_Ack flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Syn_Ack Host Scan |
1. Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Syn_Ack Diagonal Scan | Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
Short TCP Syn_Ack Grid Scan | Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
Short TCP Syn_Ack Port Scan(Reverse) |
1. Short TCP Syn_Ack flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. Short TCP Syn_Ack flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Syn_Ack Host Scan(Reverse) |
1. Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Syn_Ack Diagonal Scan(Reverse) | Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
Short TCP Syn_Ack Grid Scan(Reverse) | Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
Excess Short TCP Syn_Rst Packets | TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value equal to 6/RS, denoting TCP Syn_Rst Flows, but without Urg/Ack/Psh Flags, touching or exceeding the Upper Limit, and none of the following derived problems is satisfied | Suspect Flows |
Short TCP Syn_Rst Attack | Short TCP Syn_Rst flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
Short TCP Syn_Rst Inflood | Short TCP Syn_Rst flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
Short TCP Syn_Rst Outflood |
1. Short TCP Syn_Rst flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. Short TCP Syn_Rst flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
Short TCP Syn_Rst Port Scan |
1. Short TCP Syn_Rst flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. Short TCP Syn_Rst flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Syn_Rst Host Scan |
1. Short TCP Syn_Rst flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. Short TCP Syn_Rst flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short TCP Syn_Rst Diagonal Scan | Short TCP Syn_Rst flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
Short TCP Syn_Rst Grid Scan | Short TCP Syn_Rst flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
Short TCP Syn_Rst Port Scan(Reverse) |
1. Short TCP Syn_Rst flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. Short TCP Syn_Rst flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Syn_Rst Host Scan(Reverse) |
1. Short TCP Syn_Rst flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. Short TCP Syn_Rst flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short TCP Syn_Rst Diagonal Scan(Reverse) | Short TCP Syn_Rst flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
Short TCP Syn_Rst Grid Scan(Reverse) | Short TCP Syn_Rst flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
TCP Fin Violations | TCP Flows with TCP Flags value IN (1/F, 5/RF), touching or exceeding the Upper Limit, and none of the following derived problems is satisfied | Suspect Flows |
TCP Fin Attack | TCP Fin flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
TCP Fin Inflood | TCP Fin flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
TCP Fin Outflood |
1. TCP Fin flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. TCP Fin flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
TCP Fin Port Scan |
1. TCP Fin flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. TCP Fin flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
TCP Fin Host Scan |
1. TCP Fin flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. TCP Fin flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
TCP Fin Diagonal Scan | TCP Fin flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
TCP Fin Grid Scan | TCP Fin flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
TCP Fin Port Scan(Reverse) |
1. TCP Fin flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. TCP Fin flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
TCP Fin Host Scan(Reverse) |
1. TCP Fin flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. TCP Fin flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
TCP Fin Diagonal Scan(Reverse) | TCP Fin flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
TCP Fin Grid Scan(Reverse) | TCP Fin flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
TCP Null Violations | TCP Flows with TCP Flags value equal to 0/Null, touching or exceeding the Upper Limit, and none of the following derived problems is satisfied | Suspect Flows |
TCP Null Attack | TCP Null flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
TCP Null Inflood | TCP Null flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
TCP Null Outflood |
1. TCP Null flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. TCP Null flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
TCP Null Port Scan |
1. TCP Null flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. TCP Null flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
TCP Null Host Scan |
1. TCP Null flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. TCP Null flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
TCP Null Diagonal Scan | TCP Null flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
TCP Null Grid Scan | TCP Null flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
TCP Null Port Scan(Reverse) |
1. TCP Null flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. TCP Null flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
TCP Null Host Scan(Reverse) |
1. TCP Null flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. TCP Null flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
TCP Null Diagonal Scan(Reverse) | TCP Null flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
TCP Null Grid Scan(Reverse) | TCP Null flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
TCP Rst Violations | TCP Flows with TCP Flags value equal to 4/R, touching or exceeding the Upper Limit, and none of the following derived problems is satisfied | Suspect Flows |
TCP Rst Attack | TCP Rst Flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
TCP Rst Inflood | TCP Rst Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
TCP Rst Outflood |
1. TCP Rst Flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. TCP Rst Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
TCP Rst Port Scan |
1. TCP Rst Flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. TCP Rst Flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
TCP Rst Host Scan |
1. TCP Rst Flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. TCP Rst Flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
TCP Rst Diagonal Scan | TCP Rst Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
TCP Rst Grid Scan | TCP Rst Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
TCP Rst Port Scan(Reverse) |
1. TCP Rst Flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. TCP Rst Flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
TCP Rst Host Scan(Reverse) |
1. TCP Rst Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. TCP Rst Flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
TCP Rst Diagonal Scan(Reverse) | TCP Rst Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
TCP Rst Grid Scan(Reverse) | TCP Rst Flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
TCP Syn_Fin Violations | TCP Flows with TCP Flags value IN (3/SF, 7/RSF), denoting TCP Syn_Fin or Syn_Rst_Fin Flows, but without Urg/Ack/Psh Flags, touching or exceeding the Upper Limit, and none of the following derived problems is satisfied | Suspect Flows |
TCP Syn_Fin Attack | TCP Syn_Fin Flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
TCP Syn_Fin Inflood | TCP Syn_Fin Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
TCP Syn_Fin Outflood |
1. TCP Syn_Fin Flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. TCP Syn_Fin Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
TCP Syn_Fin Port Scan |
1. TCP Syn_Fin Flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. TCP Syn_Fin Flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
TCP Syn_Fin Host Scan |
1. TCP Syn_Fin Flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. TCP Syn_Fin Flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
TCP Syn_Fin Diagonal Scan | TCP Syn_Fin Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
TCP Syn_Fin Grid Scan | TCP Syn_Fin Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
TCP Syn_Fin Port Scan(Reverse) |
1. TCP Syn_Fin Flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. TCP Syn_Fin Flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
TCP Syn_Fin Host Scan(Reverse) |
1. TCP Syn_Fin Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. TCP Syn_Fin Flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
TCP Syn_Fin Diagonal Scan(Reverse) | TCP Syn_Fin Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
TCP Syn_Fin Grid Scan(Reverse) | TCP Syn_Fin Flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
TCP Urg Violations | TCP Flows with TCP Flags value IN (32-40, 42-63), denoting all combinations of Urg Flag except the XMAS combination touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
TCP Urg Attack | TCP Urg Flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
TCP Urg Inflood | TCP Urg Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
TCP Urg Outflood |
1. TCP Urg Flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. TCP Urg Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
TCP Urg Port Scan |
1. TCP Urg Flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. TCP Urg Flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
TCP Urg Host Scan |
1. TCP Urg Flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. TCP Urg Flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
TCP Urg Diagonal Scan | TCP Urg Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
TCP Urg Grid Scan | TCP Urg Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
TCP Urg Port Scan(Reverse) |
1. TCP Urg Flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. TCP Urg Flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
TCP Urg Host Scan(Reverse) |
1. TCP Urg Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. TCP Urg Flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
TCP Urg Diagonal Scan(Reverse) | TCP Urg Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
TCP Urg Grid Scan(Reverse) | TCP Urg Flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
TCP Xmas Violations | TCP Flows with TCP Flags value equals 41/UPF touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
TCP Xmas Inflood |
1. TCP Xmas Flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. TCP Xmas Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
TCP Xmas Outflood |
1. TCP Xmas Flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. TCP Xmas Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
TCP Xmas Port Scan |
1. TCP Xmas Flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. TCP Xmas Flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
TCP Xmas Host Scan |
1. TCP Xmas Flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. TCP Xmas Flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
TCP Xmas Diagonal Scan | TCP Xmas Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
TCP Xmas Grid Scan | TCP Xmas Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
TCP Xmas Port Scan(Reverse) |
1. TCP Xmas Flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. TCP Xmas Flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
TCP Xmas Host Scan(Reverse) |
1. TCP Xmas Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. TCP Xmas Flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
TCP Xmas Diagonal Scan(Reverse) | TCP Xmas Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
TCP Xmas Grid Scan(Reverse) | TCP Xmas Flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
Malformed TCP Packets | TCP Flows with BytePerPacket less than the minimum 40 octets (bytes) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
Malformed TCP Attack | Malformed TCP flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
Malformed TCP Inflood | Malformed TCP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
Malformed TCP Outflood |
1. Malformed TCP flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. Malformed TCP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
Malformed TCP Port Scan |
1. Malformed TCP flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. Malformed TCP flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Malformed TCP Host Scan |
1. Malformed TCP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. Malformed TCP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Malformed TCP Diagonal Scan | Malformed TCP flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
Malformed TCP Grid Scan | Malformed TCP flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
Malformed TCP Port Scan(Reverse) |
1. Malformed TCP flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. Malformed TCP flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Malformed TCP Host Scan(Reverse) |
1. Malformed TCP flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. Malformed TCP flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Malformed TCP Diagonal Scan(Reverse) | Malformed TCP flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
Malformed TCP Grid Scan(Reverse) | Malformed TCP flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
ICMP Request Broadcasts | ICMP Request Flows with Dst Port value IN (2048/Echo Request, 3328/Timestamp Request, 3840/Information Request, 4352/Address Mask Request) sent to a Broadcast/Multicast IP touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Indicates possible amplification attack on the Src IP. | DoS / Flash Crowd |
ICMP Request Broadcast Attack | ICMP Request Broadcast flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
ICMP Request Broadcast Inflood | ICMP Request Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
ICMP Request Broadcast Outflood |
1. ICMP Request Broadcast flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. ICMP Request Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
ICMP Request Broadcast Host Scan |
1. ICMP Request Broadcast flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. ICMP Request Broadcast flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
ICMP Request Broadcast Host Scan(Reverse) |
1. ICMP Request Broadcast flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. ICMP Request Broadcast flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Excess ICMP Requests | ICMP Requests with Dst Port value IN (2048/Echo Request, 3328/Timestamp Request, 3840/Information Request, 4352/Address Mask Request) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
ICMP Request Inflood |
1. ICMP Request Flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. ICMP Request Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
ICMP Request Outflood |
1. ICMP Requests from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. ICMP Requests from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
ICMP Request Host Scan |
1. ICMP Requests from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. ICMP Requests from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
ICMP Request Host Scan(Reverse) |
1. ICMP Requests from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. ICMP Requests from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Excess ICMP Responses | ICMP Response Flows with Dst Port value IN (0/Echo Reply, 3584/Timestamp Reply, 4096/Information Reply, 4608/Address Mask Reply) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
ICMP Response Inflood |
1. ICMP Responses from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. ICMP Responses from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
ICMP Response Outflood |
1. ICMP Responses from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. ICMP Responses from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
ICMP Response Host Scan |
1. ICMP Responses from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. ICMP Responses from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
ICMP Response Host Scan(Reverse) |
1. ICMP Responses from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. ICMP Responses from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
ICMP Host Unreachables | ICMP Host Unreachable Flows with Dst Port value IN (769/Host Unreachable, 773/Source Route Failed, 775/Host Unknown, 776/Source Host Isolated (obsolete), 778/Host Administratively Prohibited, 780/Host Unreachable for TOS, 781/Communication administratively prohibited by filtering) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
|
1. ICMP Host Unreachable flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. ICMP Host Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
ICMP Host Unreachable Outflood |
1. ICMP Host Unreachable flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. ICMP Host Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
ICMP Host Unreachable Host Scan |
1. ICMP Host Unreachable flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. ICMP Host Unreachable flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
ICMP Host Unreachable Host Scan(Reverse) |
1. ICMP Host Unreachable flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. ICMP Host Unreachable flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
ICMP Network Unreachables | ICMP Network Unreachable Flows with Dst Port value IN (768/Network Unreachable, 774/Network Unknown, 777/Network Administratively Prohibited, 779/Network Unreachable for TOS) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
ICMP Network Unreachable Inflood |
1. ICMP Network Unreachable flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. ICMP Network Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
ICMP Network Unreachable Outflood |
1. ICMP Network Unreachable flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. ICMP Network Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
ICMP Network Unreachable Host Scan |
1. ICMP Network Unreachable flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. ICMP Network Unreachable flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
ICMP Network Unreachable Host Scan(Reverse) |
1. ICMP Network Unreachable flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. ICMP Network Unreachable flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Bad Src-Dst | ||
ICMP Parameter Problem Flows | ICMP Parameter Problem Flows with Dst Port IN (3072/IP Header Bad, 3073/Required Option Missing, 3074/Bad Length) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Generally indicates some local or remote implementation error, i.e., invalid datagrams. | Suspect Flows |
ICMP Parameter Problem Inflood |
1. ICMP Parameter Problem flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. ICMP Parameter Problem flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
ICMP Parameter Problem Outflood |
1. ICMP Parameter Problem flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. ICMP Parameter Problem flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
ICMP Parameter Problem Host Scan |
1. ICMP Parameter Problem flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. ICMP Parameter Problem flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
ICMP Parameter Problem Host Scan(Reverse) |
1. ICMP Parameter Problem Flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. ICMP Parameter Problem flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
ICMP Port Unreachables | ICMP Port Unreachable Flows with Dst Port value equals 771/Port Unreachable touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
ICMP Port Unreachable Inflood |
1. ICMP Port Unreachable flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. ICMP Port Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
|
1. ICMP Port Unreachable flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. ICMP Port Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
ICMP Port Unreachable Host Scan |
1. ICMP Port Unreachable flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. ICMP Port Unreachable flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
ICMP Port Unreachable Host Scan(Reverse) |
1. ICMP Port Unreachable flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. ICMP Port Unreachable flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
ICMP Protocol Unreachables | ICMP Protocol Unreachable Flows with Dst Port value equals (770/Protocol Unreachable) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Can be used to perform a denial of service on active TCP sessions, causing the TCP connection to be dropped. | DoS / Flash Crowd |
ICMP Protocol Unreachable Inflood |
1. ICMP Protocol Unreachable flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. ICMP Protocol Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
ICMP Protocol Unreachable Outflood |
1. ICMP Protocol Unreachable flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. ICMP Protocol Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
ICMP Protocol Unreachable Host Scan |
1. ICMP Protocol Unreachable flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. ICMP Protocol Unreachable flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
ICMP Protocol Unreachable Host Scan(Reverse) |
1. ICMP Protocol Unreachable flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. ICMP Protocol Unreachable flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
ICMP Redirects | ICMP Redirect Flows with Dst Port value IN (1280/Redirect for Network, 1281/Redirect for Host, 1282/Redirect for ToS and Network, 1283/Redirect for ToS and Host) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
ICMP Redirect Inflood |
1. ICMP Redirect flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. ICMP Redirect flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
ICMP Redirect Outflood |
1. ICMP Redirect flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. ICMP Redirect flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
ICMP Redirect Host Scan |
1. ICMP Redirect flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. ICMP Redirect flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
ICMP Redirect Host Scan(Reverse) |
1. ICMP Redirect flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. ICMP Redirect flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
ICMP Source Quench Flows | ICMP Source Quench Flows with Dst Port value equals (1024/Source Quench) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Outdated, but can be used to attempt a denial of service by limiting the bandwidth of a router or host. | DoS / Flash Crowd |
ICMP Source Quench Inflood |
1. ICMP Source Quench flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. ICMP Source Quench flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
ICMP Source Quench Outflood |
1. ICMP Source Quench flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. ICMP Source Quench flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
ICMP Source Quench Host Scan |
1. ICMP Source Quench flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. ICMP Source Quench flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
ICMP Source Quench Host Scan(Reverse) |
1. ICMP Source Quench flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. ICMP Source Quench flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
ICMP Time Exceeded Flows | ICMP Time Exceeded Flows with Dst Port IN (2816/Time-to-live equals 0 During Transit, 2817/Time-to-live equals 0 During Reassembly) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Indicates a traceroute attempt or a datagram fragment reassembly failure. | Suspect Flows |
ICMP Time Exceeded Inflood |
1. ICMP Time Exceeded flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. ICMP Time Exceeded flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
ICMP Time Exceeded Outflood |
1. ICMP Time Exceeded flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. ICMP Time Exceeded flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
ICMP Time Exceeded Host Scan |
1. ICMP Time Exceeded flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. ICMP Time Exceeded flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
ICMP Time Exceeded Host Scan(Reverse) |
1. ICMP Time Exceeded flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. ICMP Time Exceeded flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
ICMP Trace Route Flows | ICMP Traceroute Flows with Dst Port equals 7680/Trace Route touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Indicates traceroute attempt. | Suspect Flows |
ICMP Trace Route Inflood |
1. ICMP Trace Route flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. ICMP Trace Route flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
ICMP Trace Route Outflood |
1. ICMP Trace Route flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. ICMP Trace Route flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
ICMP Trace Route Host Scan |
1. ICMP Trace Route flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. ICMP Trace Route flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
ICMP Trace Route Host Scan(Reverse) |
1. ICMP Trace Route flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. ICMP Trace Route flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
ICMP Unreachables for ToS | ICMP ToS Unreachable Flows with Dst Port value IN (779/Network Unreachable for TOS, 780/Host Unreachable for TOS) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
ICMP ToS Unreachable Inflood |
1. ICMP ToS Unreachable flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. ICMP ToS Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
ICMP ToS Unreachable Outflood |
1. ICMP ToS Unreachable flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. ICMP ToS Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
ICMP ToS Unreachable Host Scan |
1. ICMP ToS Unreachable flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. ICMP ToS Unreachable flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
ICMP ToS Unreachable Host Scan(Reverse) |
1. ICMP ToS Unreachable flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. ICMP ToS Unreachable flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Malformed ICMP Packets | ICMP Flows with BytePerPacket less than the minimum 28 octets (bytes) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
Malformed ICMP Inflood |
1. Malformed ICMP flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. Malformed ICMP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
Malformed ICMP Outflood |
1. Malformed ICMP flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. Malformed ICMP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
Malformed ICMP Host Scan |
1. Malformed ICMP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. Malformed ICMP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Malformed ICMP Host Scan(Reverse) |
1. Malformed ICMP flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. Malformed ICMP flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
ICMP Datagram Conversion Error Flows | ICMP Datagram Conversion Error Flows with Dst Port value equals 7936/Datagram Conversion Error, i.e., for valid datagrams, touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. | Suspect Flows |
ICMP Datagram Conversion Error Inflood |
1. ICMP Datagram Conversion Error flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. ICMP Datagram Conversion Error flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
ICMP Datagram Conversion Error Outflood |
1. ICMP Datagram Conversion Error flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. ICMP Datagram Conversion Error flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
ICMP Datagram Conversion Error Host Scan |
1. ICMP Datagram Conversion Error flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. ICMP Datagram Conversion Error flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
ICMP Datagram Conversion Error Host Scan(Reverse) |
1. ICMP Datagram Conversion Error flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. ICMP Datagram Conversion Error flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Excess UDP Echo Responses | UDP Echo Response from Src Port 7 (Echo) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
UDP Echo Response Inflood |
1. UDP Echo Responses from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. UDP Echo Responses from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
UDP Echo Response Outflood |
1. UDP Echo Responses from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. UDP Echo Responses from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
UDP Echo Response Port Scan |
1. UDP Echo Responses from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. UDP Echo Responses from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
UDP Echo Response Host Scan |
1. UDP Echo Responses from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. UDP Echo Responses from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
UDP Echo Response Diagonal Scan | UDP Echo Responses from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
UDP Echo Response Grid Scan | UDP Echo Responses from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
UDP Echo Response Host Scan(Reverse) |
1. UDP Echo Responses from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. UDP Echo Responses from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Excess UDP Echo Requests | UDP Echo Request to Dst Port 7 (Echo) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
UDP Echo Request Inflood |
1. UDP Echo Requests from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. UDP Echo Requests from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
UDP Echo Request Outflood |
1. UDP Echo Requests from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. UDP Echo Requests from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
UDP Echo Request Host Scan |
1. UDP Echo Requests from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. UDP Echo Requests from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
UDP Echo Request Port Scan(Reverse) |
1. UDP Echo Requests from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. UDP Echo Requests from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
UDP Echo Request Host Scan(Reverse) |
1. UDP Echo Requests from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. UDP Echo Requests from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
UDP Echo Request Diagonal Scan(Reverse) | UDP Echo Requests from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
UDP Echo Request Grid Scan(Reverse) | UDP Echo Requests from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
UDP Echo Request Broadcasts | UDP Echo Request to Dst Port 7 (Echo) sent to a Broadcast/Multicast IP touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Indicates possible amplification attack on the Src IP. | DoS / Flash Crowd |
UDP Echo Request Broadcast Attack | UDP Echo Request Broadcast flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
UDP Echo Request Broadcast Inflood |
UDP Echo Request Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
UDP Echo Request Broadcast Outflood |
1. UDP Echo Request Broadcast flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. UDP Echo Request Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
UDP Echo Request Broadcast Host Scan |
1. UDP Echo Request Broadcast flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. UDP Echo Request Broadcast flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
UDP Echo Request Broadcast Port Scan(Reverse) |
1. UDP Echo Request Broadcast flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. UDP Echo Request Broadcast flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
UDP Echo Request Broadcast Host Scan(Reverse) |
1. UDP Echo Request Broadcast flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. UDP Echo Request Broadcast flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
UDP Echo Request Broadcast Diagonal Scan(Reverse) | UDP Echo Request Broadcast flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
UDP Echo Request Broadcast Grid Scan(Reverse) | UDP Echo Request Broadcast flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
UDP Chargen-Echo Broadcasts | UDP Flows, from Src Port 19/Chargen to Dst Port 7/Echo, sent to a Broadcast/Multicast IP touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Indicates possible amplification attack on the Src IP. | DoS / Flash Crowd |
UDP Chargen-Echo Broadcast Attack | UDP Chargen-Echo Broadcast flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
UDP Chargen-Echo Broadcast Inflood |
UDP Chargen-Echo Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
UDP Chargen-Echo Broadcast Outflood |
1. UDP Chargen-Echo Broadcast flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. UDP Chargen-Echo Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
UDP Chargen-Echo Broadcast Host Scan |
1. UDP Chargen-Echo Broadcast flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. UDP Chargen-Echo Broadcast flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
UDP Chargen-Echo Broadcast Host Scan(Reverse) |
1. UDP Chargen-Echo Broadcast flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. UDP Chargen-Echo Broadcast flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
UDP Echo-Chargen Broadcasts | UDP Flows, from Src Port 7/Echo to Dst Port 19/Chargen, sent to a Broadcast/Multicast IP touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Indicates possible amplification attack on the Src IP. | DoS / Flash Crowd |
UDP Echo-Chargen Broadcast Attack | UDP Echo-Chargen Broadcast flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end | DoS / Flash Crowd |
UDP Echo-Chargen Broadcast Inflood |
UDP Echo-Chargen Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
UDP Echo-Chargen Broadcast Outflood |
1. UDP Echo-Chargen Broadcast flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. UDP Echo-Chargen Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
UDP Echo-Chargen Broadcast Host Scan |
1. UDP Echo-Chargen Broadcast flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. UDP Echo-Chargen Broadcast flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
UDP Echo-Chargen Broadcast Host Scan(Reverse) |
1. UDP Echo-Chargen Broadcast flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. UDP Echo-Chargen Broadcast flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Excess Empty UDP Packets | UDP Flows without any payload, i.e., BytePerPacket exactly 28 octets (bytes), touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
Empty UDP Attack | Empty UDP flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end | DoS / Flash Crowd |
Empty UDP Inflood |
Empty UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
Empty UDP Outflood |
1. Empty UDP flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. Empty UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
Empty UDP Port Scan |
1. Empty UDP flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. Empty UDP flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Empty UDP Host Scan |
1. Empty UDP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. Empty UDP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Empty UDP Diagonal Scan | Empty UDP flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
Empty UDP Grid Scan | Empty UDP flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
Empty UDP Port Scan(Reverse) |
1. Empty UDP flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. Empty UDP flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Empty UDP Host Scan(Reverse) |
1. Empty UDP flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. Empty UDP flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Empty UDP Diagonal Scan(Reverse) | Empty UDP flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints) | Scans / Probes |
Empty UDP Grid Scan(Reverse) | Empty UDP flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
Excess Short UDP Packets | UDP Flows with nominal payload, i.e., BytePerPacket between 29 and 32 octets (bytes), touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
Short UDP Attack | Short UDP flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
Short UDP Inflood |
Short UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
Short UDP Outflood |
1. Short UDP flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. Short UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
Short UDP Port Scan |
1. Short UDP flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. Short UDP flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short UDP Host Scan |
1. Short UDP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. Short UDP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Short UDP Diagonal Scan | Short UDP flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
Short UDP Grid Scan | Short UDP flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans / Probes |
Short UDP Port Scan(Reverse) |
1. Short UDP flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. Short UDP flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short UDP Host Scan(Reverse) |
1. Short UDP flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. Short UDP flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Short UDP Diagonal Scan(Reverse) | Short UDP flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
Short UDP Grid Scan(Reverse) | Short UDP flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
Malformed UDP Packets | UDP Flows with BytePerPacket less than the minimum 28 octets (bytes) touching or exceeding the Upper Limit and none of the following derived problems gets satisfied | Suspect Flows |
Malformed UDP Attack | Malformed UDP flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
Malformed UDP Inflood |
Malformed UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
Malformed UDP Outflood |
1. Malformed UDP flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. Malformed UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
Malformed UDP Port Scan |
1. Malformed UDP flows from single/multiple source hosts to single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end.
2. Malformed UDP flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Malformed UDP Host Scan |
1. Malformed UDP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. Malformed UDP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
Malformed UDP Diagonal Scan | Malformed UDP flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports which is also equal to the number of destination end points exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans / Probes |
Malformed UDP Grid Scan | Malformed UDP flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end. | Scans / Probes |
Malformed UDP Port Scan(Reverse) |
1. Malformed UDP flows from single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end.
2. Malformed UDP flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Malformed UDP Host Scan(Reverse) |
1. Malformed UDP flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. Malformed UDP flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Malformed UDP Diagonal Scan(Reverse) | Malformed UDP flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports which is also equal to the number of source end points exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). | Scans / Probes |
Malformed UDP Grid Scan(Reverse) | Malformed UDP flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end. | Scans / Probes |
Snork Attack Flows | UDP flows with Src Port IN (7, 19, 135) and Dst Port IN (135) touching or exceeding the Upper Limit, where none of the following derived problems is satisfied. Indicates a denial of service attack against the Windows NT RPC Service. | DoS / Flash Crowd |
UDP Snork Attack | UDP Snork flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
UDP Snork Inflood |
UDP Snork flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end |
DoS / Flash Crowd |
UDP Snork Outflood |
1. UDP Snork flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. UDP Snork flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
UDP Snork Host Scan |
1. UDP Snork flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. UDP Snork flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
UDP Snork Host Scan(Reverse) |
1. UDP Snork flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. UDP Snork flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Excess UDP Chargen-Echo Flows | UDP flows, from Src Port 19/Chargen to Dst Port 7/Echo, sent to any unicast IP touching or exceeding the Upper Limit, where none of the following derived problems is satisfied. Indicates a possible amplification attack on the Src IP. | DoS / Flash Crowd |
UDP Chargen-Echo Inflood |
1. UDP Chargen-Echo flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. UDP Chargen-Echo flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
UDP Chargen-Echo Outflood |
1. UDP Chargen-Echo flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. UDP Chargen-Echo flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
UDP Chargen-Echo Host Scan |
1. UDP Chargen-Echo flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. UDP Chargen-Echo flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
UDP Chargen-Echo Host Scan(Reverse) |
1. UDP Chargen-Echo flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. UDP Chargen-Echo flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
Excess UDP Echo-Chargen Flows | UDP flows, from Src Port 7/Echo to Dst Port 19/Chargen, sent to any unicast IP touching or exceeding the Upper Limit, where none of the following derived problems is satisfied. Indicates a possible amplification attack on the Src IP. | DoS / Flash Crowd |
UDP Echo-Chargen Inflood |
1. UDP Echo-Chargen flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
2. UDP Echo-Chargen flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. |
DoS / Flash Crowd |
UDP Echo-Chargen Outflood |
1. UDP Echo-Chargen flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end.
2. UDP Echo-Chargen flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. |
DoS / Flash Crowd |
UDP Echo-Chargen Host Scan |
1. UDP Echo-Chargen flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end.
2. UDP Echo-Chargen flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. |
Scans / Probes |
UDP Echo-Chargen Host Scan(Reverse) |
1. UDP Echo-Chargen flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end.
2. UDP Echo-Chargen flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. |
Scans / Probes |
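The source-end (Reverse) scan definitions for Malformed UDP flows can be read as a small decision procedure over distinct source hosts, source ports and source end points. The sketch below is an added example, not the product's code: the `Flow` record, the function names, the threshold values, the order in which patterns are tested, reading "exceeding" as "greater than or equal to", and reading the Grid Scan condition as (Vertical Span or Horizontal Span) and Occupancy are all assumptions.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto packets octets")

# Assumed values for illustration only; they are not the product's defaults.
LIMITS = {"lower": 4, "h_span": 4, "v_span": 4, "d_span": 4,
          "aspect": 2.0, "occupancy": 0.5}

def is_malformed_udp(f):
    """UDP (protocol 17) flow averaging fewer than 28 octets per packet."""
    return f.proto == 17 and f.packets > 0 and f.octets / f.packets < 28

def source_metrics(flows):
    """Distinct source hosts, ports, end points, and occupancy."""
    hosts = {f.src_ip for f in flows}
    ports = {f.src_port for f in flows}
    ends = {(f.src_ip, f.src_port) for f in flows}
    h, p, e = len(hosts), len(ports), len(ends)
    return h, p, e, (e / (h * p) if h and p else 0.0)

def classify_reverse(flows, lim=LIMITS):
    """Return the source-end scan name, or None when no pattern is met."""
    mal = [f for f in flows if is_malformed_udp(f)]
    if len(mal) < lim["lower"]:
        return None  # below the Lower Limit: too few flows for heuristics
    h, p, e, occ = source_metrics(mal)
    dense = occ >= lim["occupancy"]
    if h == p == e >= lim["d_span"]:
        return "Malformed UDP Diagonal Scan(Reverse)"
    if p >= lim["v_span"] and (h == 1 or (dense and p / h >= lim["aspect"])):
        return "Malformed UDP Port Scan(Reverse)"
    if h >= lim["h_span"] and (p == 1 or (dense and h / p >= lim["aspect"])):
        return "Malformed UDP Host Scan(Reverse)"
    # Assumed reading: (vertical OR horizontal span) AND occupancy.
    if (p >= lim["v_span"] or h >= lim["h_span"]) and dense:
        return "Malformed UDP Grid Scan(Reverse)"
    return None

def sample(src_pairs, octets=20):
    """Constructed one-packet UDP flows from the given (host, port) sources."""
    return [Flow(ip, port, "192.0.2.10", 53, 17, 1, octets) for ip, port in src_pairs]

HOSTS = [f"198.51.100.{i}" for i in range(1, 6)]  # constructed addresses
PORT_SCAN = sample([(HOSTS[0], 1000 + i) for i in range(6)])
HOST_SCAN = sample([(ip, 4444) for ip in HOSTS])
DIAGONAL = sample([(ip, 2000 + i) for i, ip in enumerate(HOSTS)])
GRID = sample([(ip, 3000 + j) for ip in HOSTS[:4] for j in range(4)])
```

The same counting applies at the destination end for the non-reverse problems, with destination hosts, ports and end points in place of the source ones.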