DOS - Denial of Service Attack
- Last Updated: April 5, 2026
Method description
This method detects Denial-of-Service (DoS) and Distributed-Denial-of-Service (DDoS) attacks. It evaluates the ratio of incoming to outgoing packets for each device in the monitored network and generates an event when the ratio exceeds a boundary derived from historical data. In the generated event, the source IP address is the address of the attack victim, and the attackers are listed as the event targets.
This method can be configured using the following parameters:
- WindowLength: Defines the maximum age of the data used for the classification.
- Threshold: Defines the tolerance to an increase of the ratio (the tolerance is directly proportional to the value of the parameter).
- MinimalIncoming: Defines the minimum number of incoming packets.
- AbsoluteThreshold: Defines the minimum ratio.
- AttackersThreshold: Defines the minimum number of attackers involved in the attack.
This method consists of the following submethods:
- Volumetric: Reports volumetric Denial of Service (DoS) attacks. The detection is based on a sudden change in the ratio of incoming/outgoing packets for the device.
- SYNFlood: Reports Denial of Service (DoS) attacks using the technique of SYN flooding.
- FIN2WAIT: Reports Denial of Service (DoS) attacks that use the technique of many unfinished connections (from the side of a client) that consume resources of a target server.
Method configuration
It is recommended to apply this method network-wide for all traffic on the network regardless of IP addresses. The right place for traffic monitoring is the Internet connection line or the central switch (for large organizations with a vast network).
Method parameters
- AttackersThreshold: Minimum number of concurrently attacking devices.
- Threshold: Threshold of the minimum increase (in standard deviations) of the ratio between received and sent packets (for the attack victim).
- AbsoluteThreshold: Threshold of the minimum ratio of received to sent packets (for the attack victim).
- MinimalIncoming: Threshold of the minimum number of incoming packets (for the attack victim).
- WindowLength: Number of hours (length of the sliding time window) for which the statistics of incoming and outgoing packets are stored for the devices in the monitored network.
- MaxBpp: Maximum bytes per packet for a connection to be considered a potential attack.
- SYNPackets: Minimum number of flows that contain only SYN packets to be considered a DoS attack (simplified detection, inactive if 0).
- F2WThreshold: Minimum number of connections that have been ended by only one of the communication partners. This is used for detection of the Fin2Wait DoS attack. This detection is inactive if the parameter equals 0.
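The following is an added illustration of how the Volumetric thresholds described above combine: the absolute gates (MinimalIncoming, AbsoluteThreshold, AttackersThreshold) are checked first, then the ratio is compared against a historical baseline plus Threshold standard deviations. It is example code written for this page, not Flowmon's implementation; the function names, the default parameter values, and the sample packet counts and addresses are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class DosParams:
    # Names follow the method's parameters; the default values are constructed.
    Threshold: float = 3.0           # tolerated increase of the ratio, in standard deviations
    AbsoluteThreshold: float = 5.0   # minimum incoming/outgoing packet ratio
    MinimalIncoming: int = 1000      # minimum incoming packets in the evaluated window
    AttackersThreshold: int = 10     # minimum number of distinct sending peers

def packet_ratio(incoming: int, outgoing: int) -> float:
    """Ratio of received to sent packets; a device that sent nothing counts as one packet."""
    return incoming / max(outgoing, 1)

def evaluate_device(victim: str, history, current, peers, p: DosParams):
    """Apply the Volumetric thresholds to one monitored device.

    history: list of (incoming, outgoing) packet counts for past windows; the caller
             passes only data younger than WindowLength.
    current: (incoming, outgoing) for the window being classified.
    peers:   set of addresses that sent packets to the device in that window.
    Returns an event dict (source = victim, targets = attackers) or None.
    """
    incoming, outgoing = current
    ratio = packet_ratio(incoming, outgoing)
    # Absolute gates: too little traffic or a modest ratio is never reported.
    if incoming < p.MinimalIncoming or ratio < p.AbsoluteThreshold:
        return None
    # A distributed attack needs enough concurrent senders; a few peers is ordinary load.
    if len(peers) < p.AttackersThreshold:
        return None
    # Relative gate: the ratio must exceed the historical baseline by Threshold sigmas.
    past = [packet_ratio(i, o) for i, o in history]
    baseline, spread = mean(past), pstdev(past)
    if ratio < baseline + p.Threshold * spread:
        return None
    return {"source": victim, "targets": sorted(peers),
            "ratio": round(ratio, 1), "baseline": round(baseline, 2)}

# Constructed sample data using documentation-range addresses.
HISTORY = [(1200, 1100), (1500, 1300), (900, 1000), (1400, 1200), (1300, 1250), (1100, 1000)]
ATTACKERS = {f"198.51.100.{n}" for n in range(1, 13)}   # 12 distinct senders
PARAMS = DosParams()

def demo():
    flood = evaluate_device("192.0.2.10", HISTORY, (60000, 900), ATTACKERS, PARAMS)
    busy = evaluate_device("192.0.2.10", HISTORY, (60000, 900), {"198.51.100.1", "198.51.100.2"}, PARAMS)
    return flood, busy

if __name__ == "__main__":
    print(demo())
```

The second call in demo() shows the same skewed ratio from only two peers, which AttackersThreshold suppresses as ordinary server traffic rather than a distributed attack.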
Assigned filter
The filter is used for the restriction of the source IP addresses (victims of the attack).
Interpretation of results
This method reliably alerts to DoS/DDoS attacks that reach the configured minimum thresholds.