DDoS Tracefile for SharkFest Europe 2021

SharkFest Europe has opened its doors for the pre-conference classes. Presentations will start on June 17th.

I am honored to give a presentation on DDoS attacks. The trace files for the presentation are available for download at http://www.packet-foo.com/blog/SF21EU/DDoS_Tracefiles.zip

The Zip file contains five traces:

FreakOut_Flooding.pcapng
Shows the UDP Flood, TCP Flood, SYN Flood and Slowloris attacks implemented in the FreakOut bot. While an analysis published by Checkpoint covers many technical aspects of the bot, we will examine the traffic you would see as a victim of the botnet.

Each attack wave starts with a syslog message that describes the upcoming attacks. The syslog messages have been added to aid in the analysis of the trace files.

FreakOut_Reflections.pcapng
Shows UDP-based reflection attacks. Compare the MAC addresses of the sender and receiver to verify that the source and destination hosts are different.

Each attack wave starts with a syslog message that describes the upcoming attacks. Again, the syslog messages have been added to aid in the analysis of the trace files.

SYNflood.pcapng
Traffic from a generic SYN flood attack, not related to FreakOut.

UDPreflection.pcapng
Traffic from a UDP reflection attack, also not related to FreakOut.

UDPreflection_trigger.pcapng
A single DNS request that was likely used to trigger the DNS responses found in the trace file UDPreflection.pcapng.

Useful Display Filters

Here are the most important display filters, if you want to click along during the presentation. You can use copy & paste to avoid any typos.

The filters are listed in order of appearance.

UDPflood.pcapng

udp or icmp
(ip.flags.mf == 1 or ip.frag_offset > 0)

(ip.flags.mf == 1 or ip.frag_offset > 0) and ip.dst == 198.51.100.165

SYNflood.pcapng

tcp.flags.syn == 1 and tcp.flags.ack == 0 and ip.dst == 100.64.0.0/16

Preparing the I/O Graph

Using Wireshark we will create an I/O Graph similar to this one.

Wireshark I/O Graph of a SYN Flood

Here is how to prepare the graph:

  • Note that we select the unit “Packets” for the Y-Axis.
  • Select two distinct colors for two graphs.
  • Select “Impulse” style.
  • Use the 10 interval SMA period to smoothen the graph.
  • Finally, set the interval to 10 msec.
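To make the header bits behind the display filters above visible, here is an added example (my own code, not part of the original post or of Wireshark) that reimplements the fragment filter, the SYN flood filter, and the 10 msec / 10-interval SMA binning of the I/O graph in plain Python over constructed packets. The packet builders, the traffic sample, and the trailing-window SMA are assumptions made for the example; the prefixes 198.51.100.165 and 100.64.0.0/16 are the ones from the post's filters.

```python
"""Added example: the post's Wireshark display filters and I/O graph binning,
reimplemented over constructed IPv4/TCP packets (standard library only)."""
import ipaddress
import struct

# Victim prefix from the post's SYNflood.pcapng filter.
VICTIM_NET = ipaddress.ip_network("100.64.0.0/16")


def build_ipv4(src, dst, proto, payload, mf=False, frag_offset=0):
    """Constructed 20-byte IPv4 header (checksum left 0) followed by payload.
    frag_offset is in 8-byte units as on the wire; Wireshark displays it in bytes."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag,
                      64, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header; flags bits: SYN=0x02, ACK=0x10."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)


def parse_ipv4(pkt):
    """Extract the fields the filters reference: ip.flags.mf, ip.frag_offset, ip.proto, ip.dst."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return {"mf": bool(flags_frag & 0x2000), "frag_offset": flags_frag & 0x1FFF,
            "proto": pkt[9], "dst": ipaddress.ip_address(pkt[16:20]), "l4": pkt[ihl:]}


def is_fragment_to(pkt, victim):
    """Equivalent of: (ip.flags.mf == 1 or ip.frag_offset > 0) and ip.dst == <victim>"""
    ip = parse_ipv4(pkt)
    return (ip["mf"] or ip["frag_offset"] > 0) and ip["dst"] == ipaddress.ip_address(victim)


def is_syn_to_net(pkt, net=VICTIM_NET):
    """Equivalent of: tcp.flags.syn == 1 and tcp.flags.ack == 0 and ip.dst == 100.64.0.0/16"""
    ip = parse_ipv4(pkt)
    if ip["proto"] != 6 or len(ip["l4"]) < 14:
        return False
    tcp_flags = ip["l4"][13]
    return bool(tcp_flags & 0x02) and not (tcp_flags & 0x10) and ip["dst"] in net


def io_graph(packets, interval_us=10_000, sma_intervals=10):
    """Bin (timestamp_us, pkt) pairs into 10 msec intervals like the I/O graph and count
    matching SYNs per bin; the second series is a trailing simple moving average over
    sma_intervals bins (an assumption standing in for Wireshark's SMA)."""
    if not packets:
        return [], []
    t0 = packets[0][0]
    syn_per_bin = [0] * ((packets[-1][0] - t0) // interval_us + 1)
    for ts, pkt in packets:
        if is_syn_to_net(pkt):
            syn_per_bin[(ts - t0) // interval_us] += 1
    sma = []
    for i in range(len(syn_per_bin)):
        window = syn_per_bin[max(0, i - sma_intervals + 1):i + 1]
        sma.append(sum(window) / len(window))
    return syn_per_bin, sma


def build_sample():
    """Constructed traffic: a SYN burst that doubles in rate after 10 msec, one SYN/ACK
    reply, and two IP fragments toward 198.51.100.165 (one MF, one with offset > 0)."""
    pkts = [(i * 1000, build_ipv4(f"203.0.113.{i + 1}", "100.64.5.5", 6,
                                  build_tcp(40000 + i, 80, 0x02))) for i in range(10)]
    pkts += [(10_000 + j * 500, build_ipv4(f"203.0.113.{j + 11}", "100.64.5.6", 6,
                                           build_tcp(41000 + j, 80, 0x02))) for j in range(20)]
    pkts.append((5_500, build_ipv4("100.64.5.5", "203.0.113.1", 6, build_tcp(80, 40000, 0x12))))
    pkts.append((12_000, build_ipv4("203.0.113.9", "198.51.100.165", 17, b"\x00" * 8, mf=True)))
    pkts.append((12_100, build_ipv4("203.0.113.9", "198.51.100.165", 17, b"\x00" * 8, frag_offset=1)))
    return sorted(pkts, key=lambda p: p[0])


def count_matches(packets):
    """Apply both filters to a packet list and return the match counts."""
    return {"fragments_to_victim": sum(is_fragment_to(p, "198.51.100.165") for _, p in packets),
            "syn_to_net": sum(is_syn_to_net(p) for _, p in packets)}


if __name__ == "__main__":
    sample = build_sample()
    print(count_matches(sample))
    print(io_graph(sample))
```

The SYN/ACK reply is excluded by the `tcp.flags.ack == 0` term, which is why the post's filter isolates the attack side of the handshake; the trailing average smooths the jump between bins in the same way the 10-interval SMA period flattens spikes in the graph.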

Hope to see you all at SharkFest!

Patch! Patch! Patch!

Bob Plankers, Technical Marketing Architect for vSphere at VMware, has a very simple but important message for all of us, and it isn’t really limited to VMware itself: “Patch! Patch! Patch! Did I say… patch?”. That was his starting message when I visited VMware during Security Field Day 2, and there was more Bob had in store for us.

Wireless Capture on Windows

Capturing wireless traffic on Windows was always problematic, because unlike on Linux or Mac it wasn't possible to activate monitor mode on the WiFi cards to capture the radio layer. All you could do was capture packets on your WiFi card from the Ethernet layer and up. That's unless you spent money on the now discontinued AirPCAP USB adapters. But now there is a silver lining on the horizon in the form of the npcap library.