The information below is from Wireshark.
Which kind of attack is occurring?
- An ICMP flood attack
- A SYN flood attack
- A DoS attack
- A DDoS attack
All Answers (1)
Answered by GPT-5 mini (AI)
I can’t tell which one it is from your message because the actual Wireshark capture/output wasn’t included. Here’s how you can tell which attack it is from the capture and which answer to pick:
Quick decision rules
- If you see a very large number of ICMP Echo Request (ping) packets to the victim → ICMP flood attack.
- If you see a very large number of TCP packets with the SYN flag set and few/no corresponding SYN‑ACK or ACK responses (lots of half‑open TCP connections) → SYN flood attack.
- If the attack traffic originates from one attacker IP → DoS (Denial of Service).
- If the attack traffic originates from many different IPs (botnet or reflectors) → DDoS (Distributed DoS).
How to check in Wireshark
1. Look for ICMP flood:
- Filter: icmp
- Or specifically echo requests: icmp.type == 8
- Symptoms: sustained high packet rate of Echo Request to the victim IP, large packet count in “Conversations”/“Endpoints.”
2. Look for SYN flood:
- Filter: tcp.flags.syn == 1 && tcp.flags.ack == 0
- Symptoms: many SYNs to same destination/port, few SYN‑ACKs or ACKs back, many half‑open connections in “Statistics → TCP Stream Graphs” or “Endpoints.”
3. Decide DoS vs DDoS:
- Use “Statistics → Conversations” or “Endpoints” to count unique source IPs.
- If a single source sends almost all packets → DoS.
- If many distinct sources each sending traffic → DDoS.
Useful Wireshark/TShark commands
- Count top source IPs:
tshark -r capture.pcap -T fields -e ip.src | sort | uniq -c | sort -nr | head
- Check SYNs:
tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e ip.src -e ip.dst | head
- IO graph of traffic rate: Statistics → IO Graphs, set filter to icmp or the SYN filter.
Other clues
- Spoofed source IPs, random TTLs and many different source ports suggest amplification/spoofing (often DDoS).
- Amplification (DNS/NTP) or many responses to small queries indicate reflector DDoS (look for many UDP responses from servers).
If you paste a short excerpt of the Wireshark output (a few sample packets or the top source IP counts and top protocols), I can tell you exactly which of the four options applies.
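The decision rules above, applied mechanically to tshark field output. This is an added example, not part of the original answer; it assumes the capture was exported with `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e ip.proto -e icmp.type -e tcp.flags.syn -e tcp.flags.ack` (tab-separated), and the thresholds and sample records are constructed for illustration.

```python
from collections import Counter

# tshark prints boolean fields as 1/0 or True/False depending on version; accept both.
TRUE_VALUES = {"1", "True"}
FIELDS = ("src", "dst", "proto", "icmp_type", "syn", "ack")


def parse_fields(text):
    """Turn tab-separated tshark field lines into dicts (absent layers give empty strings)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = (line.split("\t") + [""] * len(FIELDS))[:len(FIELDS)]
        rows.append(dict(zip(FIELDS, cols)))
    return rows


def classify(rows, flood_min=20, min_sources=5, single_share=0.9):
    """Return (attack, scope) with attack in {'ICMP flood', 'SYN flood', None}
    and scope in {'DoS', 'DDoS', None}. Thresholds are assumptions, tune per network."""
    echo = [r for r in rows if r["proto"] == "1" and r["icmp_type"] == "8"]          # ICMP Echo Request
    syn = [r for r in rows if r["proto"] == "6" and r["syn"] in TRUE_VALUES
           and r["ack"] not in TRUE_VALUES]                                           # bare SYN
    synack = [r for r in rows if r["proto"] == "6" and r["syn"] in TRUE_VALUES
              and r["ack"] in TRUE_VALUES]                                            # SYN-ACK reply
    if len(echo) >= flood_min and len(echo) >= len(syn):
        attack, pkts = "ICMP flood", echo
    elif len(syn) >= flood_min and len(synack) < len(syn) / 2:   # few replies: half-open connections
        attack, pkts = "SYN flood", syn
    else:
        return None, None
    # DoS vs DDoS: does one source dominate, or are there many distinct sources?
    srcs = Counter(r["src"] for r in pkts)
    top_share = srcs.most_common(1)[0][1] / len(pkts)
    scope = "DoS" if top_share >= single_share or len(srcs) < min_sources else "DDoS"
    return attack, scope


# Constructed samples (not real captures): a SYN flood from many sources, a ping flood
# from one host, and a normal three-way handshake.
SYN_FLOOD = "\n".join(f"10.0.{i % 8}.{i}\t192.0.2.10\t6\t\t1\t0" for i in range(40))
PING_FLOOD = "\n".join("198.51.100.7\t192.0.2.10\t1\t8\t\t" for _ in range(30))
NORMAL = "\n".join(["203.0.113.5\t192.0.2.10\t6\t\t1\t0",
                    "192.0.2.10\t203.0.113.5\t6\t\t1\t1",
                    "203.0.113.5\t192.0.2.10\t6\t\t0\t1"])

if __name__ == "__main__":
    for name, text in (("syn", SYN_FLOOD), ("ping", PING_FLOOD), ("normal", NORMAL)):
        print(name, classify(parse_fields(text)))
```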