Attack characterization
Protocols
- Mostly TCP (90-94% of attacks), but a few large ICMP floods (up to 43% of packets)
- Some evidence of ISP “blackholing” (ICMP host unreachable)
Services
- Most attacks on multiple ports (~80%)
- A few services (HTTP, IRC) singled out