DoS/DDoS attacks are sometimes hard to detect because the traffic they generate looks like legitimate traffic. For example:
- ICMP echo requests (pings), which can also come from legitimate management and monitoring systems
- HTTP GET requests, which are the normal requests that web servers accept
- SNMP GET requests, which are what network management stations send all the time
These and many others should be monitored for their volume and their sources in order to discover a problem: a sudden rise in the rate of such packets, or a large number of new sources sending them, is the indicator, not the packets themselves. In the following screenshot, we see what we get when we follow a specific TCP stream.
Figure 19.14: TCP SYN DDoS attack
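The following is an added example, not code from the book: it turns the "monitor quantity and sources" advice above into a small SYN-flood check over packet summaries. The input format (tab-separated time, source, destination, TCP flag letters) is an assumption chosen to resemble what `tshark -T fields` can print; the addresses come from the RFC 5737 documentation ranges, and the whole sample capture is constructed inline. The check reports, per destination host, the peak number of SYNs per time window, the number of distinct sources, and how many of those sources went on to complete the handshake. A flash crowd of real clients completes its handshakes; a SYN flood mostly does not, which is what tells the two apart.

```python
"""Spotting a TCP SYN flood from packet summaries, per destination host.

Added example: the indicators a DoS/DDoS hunt looks at are volume over time,
number of distinct sources, and whether the normal-looking requests complete.
The input line format and every address below are constructed for the demo.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float      # seconds since the start of the capture
    src: str
    dst: str
    flags: str    # TCP flag letters, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


def parse_line(line: str) -> Packet:
    """Parse one tab-separated summary line (assumed format: time, src, dst, flags)."""
    t, src, dst, flags = line.rstrip("\n").split("\t")
    return Packet(float(t), src, dst, flags)


def syn_flood_report(lines, window=1.0, syn_rate_threshold=100, completion_floor=0.5):
    """Per destination: SYN volume, peak SYNs per window, distinct sources, and how
    many of those sources finished the handshake (sent a bare ACK after their SYN).

    A destination is flagged when the peak SYN rate reaches the threshold AND fewer
    than `completion_floor` of the sources complete their handshakes.
    """
    syn_total = Counter()                  # dst -> SYN count
    syn_per_bucket = defaultdict(Counter)  # dst -> window index -> SYN count
    syn_sources = defaultdict(set)         # dst -> sources that sent a SYN
    completed = defaultdict(set)           # dst -> sources that sent SYN, then ACK
    for pkt in map(parse_line, lines):
        if pkt.flags == "S":
            syn_total[pkt.dst] += 1
            syn_per_bucket[pkt.dst][math.floor(pkt.t / window)] += 1
            syn_sources[pkt.dst].add(pkt.src)
        elif pkt.flags == "A" and pkt.src in syn_sources[pkt.dst]:
            completed[pkt.dst].add(pkt.src)
    report = {}
    for dst, total in syn_total.items():
        peak = max(syn_per_bucket[dst].values())
        ratio = len(completed[dst]) / len(syn_sources[dst])
        report[dst] = {
            "syn_total": total,
            "peak_syn_per_window": peak,
            "distinct_sources": len(syn_sources[dst]),
            "completed_handshakes": len(completed[dst]),
            "completion_ratio": round(ratio, 3),
            "flagged": peak >= syn_rate_threshold and ratio < completion_floor,
        }
    return report


def build_sample_capture():
    """Constructed capture: three real clients complete handshakes with 192.0.2.10,
    then 200 spoofed sources in 203.0.113.0/24 send SYNs within one second and never
    answer the SYN-ACK. Nothing here comes from a real capture."""
    server = "192.0.2.10"
    lines = []
    for i, client in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.7"]):
        t0 = 0.1 * (i + 1)
        lines.append(f"{t0:.3f}\t{client}\t{server}\tS")
        lines.append(f"{t0 + 0.01:.3f}\t{server}\t{client}\tSA")
        lines.append(f"{t0 + 0.02:.3f}\t{client}\t{server}\tA")
    for i in range(200):
        spoofed = f"203.0.113.{i + 1}"
        t0 = 1.0 + 0.005 * i
        lines.append(f"{t0:.3f}\t{spoofed}\t{server}\tS")
        lines.append(f"{t0 + 0.001:.3f}\t{server}\t{spoofed}\tSA")
    return lines


if __name__ == "__main__":
    for dst, stats in syn_flood_report(build_sample_capture()).items():
        print(dst, stats)
```

On the constructed capture the server sees 203 SYNs from 203 distinct sources, 200 of them inside a single one-second window, and only 3 sources ever complete the handshake, so it is flagged; the same three legitimate clients on their own are not. The thresholds are tuning knobs: set `syn_rate_threshold` from the baseline SYN rate of the host you are protecting, and keep the completion check, because it is what separates an attack from a legitimate surge of connections.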