D3-ISVA

Detect
Inbound Session Volume Analysis

Definition

Analyzing inbound network session or connection attempt volume.

How it works

Network appliances are configured to alert on certain packets that typically are involved in DoS attacks. Typical packets include ICMP packets and SYN requests that are commonly used to flood networks. A sampling period is used to define a time window in which collected counts of the identified packets can be measured. If the collected number of packets exceeds a predefined limit then an alert is generated.

Considerations

Scalability as volume of attacks increase; single servers may not have the memory and storage resources to handle high volumes of network traffic.

Artifact Relationships

This defensive technique relates to specific digital artifacts.

analyzes
Inbound Session Volume Analysis
Inbound Internet Network Traffic

References

Reference - Detecting DDoS Attack Using Snort Reference - Identifying a denial-of-service attack in a cloud-based proxy service - Cloudfare Inc. Reference - Method and system for UDP flood attack detection - Riorey LLC Reference - Protecting against distributed denial of service attacks - Cisco Technology Inc. Reference - Protecting against distributed network flood attacks - Juniper Networks Inc.