Author Archive for Eddi

  1. DDoS Tracefile for SharkFest Europe 2021

    SharkFest Europe has opened it’s doors for the pre-conference classes. Presentations will start on June, 17th. I am honored to give a presentation on DDoS attacks. The trace files for the presentation are available for download at http://www.packet-foo.com/blog/SF21EU/DDoS_Tracefiles.zip The Zip file contains five traces: FreakOut_Flooding.pcapng Shows the UDP Flood, TCP Flood, SYN Flood and Slowloris attacks […]

  2. Introducing DNS Hammer, Part 2: Auditing a Name Server’s Rate Limiting Configuration

    Introducing DNS Hammer, Part 2: Introducing a new tool Part one of the series discusses DNS reflection attacks and DNS rate limiting. This post shows how to use DNS Hammer to audit a DNS server’s rate limit configuration. A dedicated web site https://www.dnshammer.com offers the tool for download and instructions how to use it.

  3. Introducing DNS Hammer, Part 1: DDoS Analysis – From DNS Reflection to Rate Limiting

    This article discusses DNS reflection, a technique used in DDoS attacks. DNS rate limiting can be used as mitigation against DNS reflection attacks. This paves the way to our new tool DNS Hammer. The program can help auditing a DNS server’s rate limiting configuration.

  4. Analyzing a failed TLS connection

    Summary This post demonstrates how to correlate two or more trace files to analyze a broken connection. We identify the root cause and gather information about the network topology. Tracefiles are available at http://www.packet-foo.com/blog/TLS/Skype.zip We assume that the reader is familiar with TCP basics like session setup, retransmissions, window size etc.

  5. SMB System Error 384

    This blog post highlights a very specific detail of Microsoft’s implementation of SMB. It might help those, who try to get rid of SMB version 1 and support staff dealing with inaccessible file shares.

  6. System Error 58 – Wireshark to the rescue

    The other day I was called to investigate a problem where a user could no longer mount a share. The client was running Windows 7. The user got the somewhat obscure message “System error 58 occurred”.

  7. Trace File Case Files: SMB2 Performance

    We had an interesting question regarding SMB2 performance on the Wireshark Q&A forum recently. Upon request the person asking the question was able to add a couple of trace files (=”capture” files).  The question and a link to the traces can be found here: https://ask.wireshark.org/questions/55972/slow-writes-even-slower-reads-spanning-wan-to-netapp Since the question nicely fits into the scope my talk […]