
Flowmon ADS User Guide

DICTATTACK - Dictionary Attack

  • Last Updated: April 5, 2026

Method description

This detection method reveals dictionary attacks aimed at various network protocols. It looks for requests that recur periodically, with the same data-flow characteristics, between a source and a target IP address. First, regularly recurring flows are identified; the maximum gap between two consecutive flows is given by the MaxInterval parameter. Once the number of such repeated flows reaches the MinAttempts parameter, the communication on the respective protocol is considered suspicious and its data-transfer characteristics are computed. These characteristics capture the variability of the transferred data. If the variability within the suspicious flows is smaller than the configured tolerance, the communication between the two stations is reported as an attack.

Depending on the protocol being abused, the method provides the following submethods; each one detects dictionary attacks against the protocol named in the submethod:

  • SMTPProtocol

  • SambaProtocol

  • VNCProtocol

  • IMAPProtocol

  • POP3Protocol

  • FTPProtocol

  • SSHProtocol

  • TelnetProtocol

  • RDPProtocol

  • HTTPProtocol

Method configuration

It is recommended to apply the method to all IP addresses in the network, so that you observe not only attacks against your own servers but also attacks launched from your network toward the Internet. The appropriate place for traffic monitoring is the central switch or, alternatively, the inbound/outbound Internet line.

Method parameters

  • MaxInterval: Maximum time delay between two consecutive login attempts (flows) for them to be treated as one recurring sequence.

  • MinAttempts: Minimum number of login attempts in such a sequence before the communication is considered suspicious.

  • Tolerance: Detection tolerance. Tolerance is a real number in the interval from -1 to 1, where 0 means zero tolerance. Positive values increase the tolerance; negative values decrease it. Decreasing the tolerance is the way to reduce a large number of false positive detections. Tolerance can be set separately for each protocol.

  • Ports: Ports on which the detection takes place.

  • AnalyzeTCPFlags: Enables inspection of TCP flags in the flow data for the IMAP protocol, which makes the detection algorithm more accurate. It can only be used if the flow sources in use export TCP flags.

Assigned filter

Restrictions on source or target IP addresses.

Interpretation of results

The result of the method is the identification of dictionary attacks. Because of the detection mechanism, the method may evaluate legitimate, periodically recurring communication (for example, a misconfigured device that keeps trying, and failing, to authenticate to a service) as an attack. If there is a large number of false detections, it is recommended to decrease the value of the Tolerance parameter or to increase the value of the MinAttempts parameter.
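To make the mechanism from the method description and the tuning advice above concrete, here is an added illustration in Python. It is not Flowmon code and does not reproduce the product's algorithm: it assumes a simplified flow record, uses the coefficient of variation of bytes and packets per flow as the "data transfer characteristic", and takes a direct variability threshold (max_variation) in place of Flowmon's Tolerance scale, whose mapping onto a threshold this page does not specify. The sample flows (an SSH guessing burst, an administrator's varied sessions, and a host retrying a stale credential) are constructed.

```python
"""Toy re-implementation of the DICTATTACK heuristic described on this page.

Added illustration, not Flowmon code. Assumptions: a simplified flow record,
coefficient of variation (CV) of bytes and packets as the "data transfer
characteristic", and a direct CV threshold (max_variation) standing in for
the product's Tolerance parameter.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float          # first-seen timestamp in seconds
    src: str
    dst: str
    dport: int
    byte_count: int
    packets: int


def coefficient_of_variation(values: List[int]) -> float:
    """Population std-dev divided by mean; 0 for an all-zero series."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def split_into_regular_runs(flows: List[Flow], max_interval: float) -> List[List[Flow]]:
    """Split time-sorted flows into runs whose consecutive gaps never exceed MaxInterval."""
    runs: List[List[Flow]] = []
    current: List[Flow] = []
    for f in sorted(flows, key=lambda x: x.ts):
        if current and f.ts - current[-1].ts > max_interval:
            runs.append(current)          # gap too long: the sequence is broken
            current = []
        current.append(f)
    if current:
        runs.append(current)
    return runs


def detect_dictionary_attacks(flows, ports, max_interval, min_attempts, max_variation):
    """Return (src, dst, dport, attempts, variation) for every pair matching the heuristic."""
    by_pair: Dict[Tuple[str, str, int], List[Flow]] = {}
    for f in flows:
        if f.dport in ports:                              # Ports parameter
            by_pair.setdefault((f.src, f.dst, f.dport), []).append(f)
    hits = []
    for key, pair_flows in by_pair.items():
        for run in split_into_regular_runs(pair_flows, max_interval):  # MaxInterval
            if len(run) < min_attempts:                   # MinAttempts: too few retries
                continue
            # Suspicious sequence: now measure how much the transferred data varies.
            variation = max(coefficient_of_variation([f.byte_count for f in run]),
                            coefficient_of_variation([f.packets for f in run]))
            if variation <= max_variation:                # near-identical flows -> attack
                hits.append((*key, len(run), round(variation, 3)))
    return hits


# Constructed sample traffic towards one SSH server (port 22).
ATTACKER = [Flow(2.0 * i, "203.0.113.5", "192.0.2.10", 22, 1500 + (i % 3) * 10, 12)
            for i in range(20)]                           # one login attempt every 2 s
ADMIN = [Flow(t, "198.51.100.7", "192.0.2.10", 22, b, p)
         for t, b, p in zip((0, 10, 25, 40, 55, 70),
                            (1800, 64000, 9500, 230000, 4200, 75000),
                            (15, 400, 60, 1200, 30, 500))]  # real, varied sessions
MISCONFIGURED = [Flow(5.0 * i, "198.51.100.9", "192.0.2.10", 22, 1420, 11)
                 for i in range(3)]                       # host retrying a stale credential
SAMPLE_FLOWS = ATTACKER + ADMIN + MISCONFIGURED


def default_detection():
    """Stricter settings: only the long, uniform guessing burst is flagged."""
    return detect_dictionary_attacks(SAMPLE_FLOWS, {22}, max_interval=30.0,
                                     min_attempts=5, max_variation=0.1)


def loose_detection():
    """MinAttempts lowered to 3: the misconfigured host becomes a false positive."""
    return detect_dictionary_attacks(SAMPLE_FLOWS, {22}, max_interval=30.0,
                                     min_attempts=3, max_variation=0.1)


if __name__ == "__main__":
    print("min_attempts=5:", default_detection())
    print("min_attempts=3:", loose_detection())
```

Running the module shows the trade-off described above: the administrator's sessions are never flagged because their byte and packet counts vary widely, while the host retrying a stale credential is indistinguishable from a short guessing burst and drops out of the results only when MinAttempts is raised (or, in the product, when Tolerance is lowered).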
