Monday, September 11, 2006

TCPstat: Detecting SYN DOS?

shell>tcpstat -i fxp0 -o "PPS\=%p\ TCP\=%T\n"
PPS=1505.20 TCP=6850
PPS=1642.80 TCP=7540
PPS=1492.60 TCP=7020
PPS=1565.20 TCP=7384
PPS=1500.00 TCP=6958
PPS=1649.80 TCP=7724
PPS=1622.80 TCP=7505
PPS=1653.20 TCP=7658
PPS=1791.40 TCP=8443

shell>tcpstat -i fxp0 -o "PPS\=%p\ TCP-SYN\=%T\n" -f "tcp[13]=2"
PPS=42.40 TCP-SYN=212
PPS=44.00 TCP-SYN=220
PPS=40.40 TCP-SYN=202
PPS=38.20 TCP-SYN=191
PPS=42.00 TCP-SYN=210
PPS=38.60 TCP-SYN=193
PPS=49.60 TCP-SYN=248
PPS=38.80 TCP-SYN=194
PPS=34.80 TCP-SYN=174

I'm running them in parallel; with the ratio you can easily detect a SYN DoS. Just a mindless idea here :P
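The ratio idea above, as an added example (not the author's code): a small Python script that parses the two tcpstat output formats shown in the post and flags intervals where bare SYNs dominate the TCP traffic. The first three sample intervals are copied from the post; the last two are constructed flood intervals, and the thresholds are assumptions.

```python
"""Combine the two tcpstat streams (all TCP vs. tcp[13]=2 bare SYNs) per interval."""
import re

# tcpstat prints one line per interval, in the -o formats used in the post.
# The -f "tcp[13]=2" filter matches packets whose TCP flags byte is exactly SYN,
# i.e. client connection attempts, not SYN+ACK replies.
TOTAL_RE = re.compile(r"PPS=(?P<pps>[\d.]+)\s+TCP=(?P<tcp>\d+)")
SYN_RE = re.compile(r"PPS=(?P<pps>[\d.]+)\s+TCP-SYN=(?P<syn>\d+)")

# Constructed sample: three normal intervals from the post, then two
# hypothetical intervals where almost every TCP packet is a bare SYN.
TOTAL_LINES = """PPS=1505.20 TCP=6850
PPS=1642.80 TCP=7540
PPS=1492.60 TCP=7020
PPS=2200.00 TCP=10400
PPS=2500.00 TCP=12100""".splitlines()
SYN_LINES = """PPS=42.40 TCP-SYN=212
PPS=44.00 TCP-SYN=220
PPS=40.40 TCP-SYN=202
PPS=1850.00 TCP-SYN=9250
PPS=2100.00 TCP-SYN=10500""".splitlines()


def parse(lines, regex, key):
    """Extract one integer counter per tcpstat line; skip banner/blank lines."""
    counts = []
    for line in lines:
        m = regex.search(line)
        if m:
            counts.append(int(m.group(key)))
    return counts


def syn_ratios(total_lines, syn_lines):
    """Share of TCP packets that were bare SYNs, per interval."""
    tcp = parse(total_lines, TOTAL_RE, "tcp")
    syn = parse(syn_lines, SYN_RE, "syn")
    # Intervals line up only if both tcpstat processes were started together;
    # zip() stops at the shorter stream.
    return [s / t if t else 0.0 for t, s in zip(tcp, syn)]


def flag_intervals(total_lines, syn_lines, ratio_threshold=0.5, min_syn=1000):
    """Indexes of intervals where SYN share AND absolute SYN count are both high,
    so a quiet link with a handful of SYNs does not trip on the ratio alone."""
    syn = parse(syn_lines, SYN_RE, "syn")
    ratios = syn_ratios(total_lines, syn_lines)
    return [i for i, r in enumerate(ratios) if r >= ratio_threshold and syn[i] >= min_syn]


if __name__ == "__main__":
    print(flag_intervals(TOTAL_LINES, SYN_LINES))  # [3, 4]
```

In practice you would pipe both tcpstat outputs into this instead of the embedded sample, and tune the thresholds to the link's normal SYN share (about 3% in the post's numbers).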

Happy monitoring (:])
