登录查看更多内容

Detecting attacks based on TCP Flags (DDOS, SYN Flood, and others)

Sergio Albea

????♂? Threat Hunter-Researcher and User Behaviour Analyst ????♂? / Senior Cloud Security Engineer/Architect

发布日期: 2025年2月3日

Let's kick off 2025 with these kinds of queries that open the door to so many more—love it! ??

I've been digging into TCP flags for a while because they can reveal a lot about malicious activity based on how they're set. These flags hold key details about network connectivity status, so understanding them is pretty important.

While exploring DeviceNetworkEvents, I noticed that in the AdditionalDetails field, the TCPFlags value appears for inbound connections—but in integer format. That meant I had to convert it to binary manually. Surprisingly, there's no built-in tobinary function in KQL to handle this, which feels like a missed opportunity—maybe something to request in the future?

Since I needed it right away, I went ahead and built a KQL query to convert integers to binary myself:

// Sergio Albea
let number = 42; // Replace with your integer
let binary = 
    range i from 0 to 31 step 1
    | extend bit = toint(floor((number / pow(2, i)), 1) % 2)
    | summarize binary = strcat_array(make_list(strcat(bit)), "")
    | project binary;
binary

But performance-wise, it was limiting my time range, so I just went ahead and created a list with the integers and binaries, which made things run faster. In short, here are the different TCP flags identified:

0- FIN (Finish) Signals connection termination.

1- SYN (Synchronize) Initiates a new TCP connection.

2- RST (Reset) Abruptly terminates a connection.

3- PSH (Push) Instructs immediate delivery to the application

4- ACK (Acknowledgment) Confirms receipt of data from sender.

5 URG (Urgent) Marks urgent data.

6- ECE (ECN Echo) Signals congestion notification to the sender.

7 - CWR (Congestion Window Reduced) Indicates congestion control adjustment.

Here is the KQL query I developed to extract the bits of the TCP flags based on the remote IP for inbound connection attempts and queries associated to every Flag:

//Sergio Albea
let binnary_codes = externaldata(Integer: string, binary: string)[@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/binary_list.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceNetworkEvents
| extend tags = parse_json( AdditionalFields)
| extend direction =  tags["direction"]
| where direction has "In"
| extend Geo_IP = tostring(geo_info_from_ip_address(RemoteIP).country)
| where isnotempty(Geo_IP)
| extend TCPFlags =  tostring(tags["Tcp Flags"])
| join kind=leftouter  ( binnary_codes) on $left.TCPFlags == $right.Integer
| extend  num0 = strcat(substring(binary,  0,1)),num1 = strcat(substring(binary,  1,1)),num2 = strcat(substring(binary,  2,1)),num3 = strcat(substring(binary,  3,1)),num4 = strcat(substring(binary,  4,1)),num5 = strcat(substring(binary,  5,1)),num6 = strcat(substring(binary,  6,1)),num7 = strcat(substring(binary,  7,1))
| summarize make_set(binary),FIN= countif(num7 == 1),SYN= countif(num6 == 1),RST = countif(num5 == 1),PSH = countif(num4 == 1),ACK = countif(num3 == 1),URG = countif(num2 == 1),ECE = countif(num1 == 1),CWR = countif(num0 == 1),  count() by RemoteIP, Geo_IP

0- FIN (Finish)

FIN Scan – Attackers send FIN packets to probe open ports and evade firewalls.

//Sergio Albea
let binnary_codes = externaldata(Integer: string, binary: string)[@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/binary_list.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceNetworkEvents
| extend tags = parse_json( AdditionalFields)
| extend direction =  tags["direction"]
| where direction has "In"
| extend Geo_IP = tostring(geo_info_from_ip_address(RemoteIP).country)
| where isnotempty( Geo_IP)
| extend TCPFlags =  tostring(tags["Tcp Flags"])
| join kind=leftouter  ( binnary_codes) on $left.TCPFlags == $right.Integer
| extend  num0 = strcat(substring(binary,  0,1)),num1 = strcat(substring(binary,  1,1)),num2 = strcat(substring(binary,  2,1)),num3 = strcat(substring(binary,  3,1)),num4 = strcat(substring(binary,  4,1)),num5 = strcat(substring(binary,  5,1)),num6 = strcat(substring(binary,  6,1)),num7 = strcat(substring(binary,  7,1))
| summarize make_set(binary),FIN= countif(num7 == 1),SYN= countif(num6 == 1),RST = countif(num5 == 1),PSH = countif(num4 == 1),ACK = countif(num3 == 1),URG = countif(num2 == 1),ECE = countif(num1 == 1),CWR = countif(num0 == 1),  count() by RemoteIP, Geo_IP
| where FIN > 0

1- SYN (Synchronize)

SYN Flood Attack – Attackers send numerous SYN packets without completing the handshake to exhaust server resources.

领英推荐

WARNING: Critical Ivanti Vulnerability Actively…

The Cyber Security Hub? 2 个月前

The Tyranny of Zero: Is the Race to the Bottom Worth…

Dunelm 7 个月前

The Ntirety Weekly Threat Intelligence Report:…

Ntirety 3 个月前

//Sergio Albea
let binnary_codes = externaldata(Integer: string, binary: string)[@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/binary_list.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceNetworkEvents
| extend tags = parse_json( AdditionalFields)
| extend direction =  tags["direction"]
| where direction has "In"
| extend Geo_IP = tostring(geo_info_from_ip_address(RemoteIP).country)
| where isnotempty( Geo_IP)
| extend TCPFlags =  tostring(tags["Tcp Flags"])
| join kind=leftouter  ( binnary_codes) on $left.TCPFlags == $right.Integer
| extend  num0 = strcat(substring(binary,  0,1)),num1 = strcat(substring(binary,  1,1)),num2 = strcat(substring(binary,  2,1)),num3 = strcat(substring(binary,  3,1)),num4 = strcat(substring(binary,  4,1)),num5 = strcat(substring(binary,  5,1)),num6 = strcat(substring(binary,  6,1)),num7 = strcat(substring(binary,  7,1))
| summarize make_set(binary),FIN= countif(num7 == 1),SYN= countif(num6 == 1),RST = countif(num5 == 1),PSH = countif(num4 == 1),ACK = countif(num3 == 1),URG = countif(num2 == 1),ECE = countif(num1 == 1),CWR = countif(num0 == 1),  count() by RemoteIP, Geo_IP
| where SYN > 100 // Adjust threshold based on baseline

2- RST (Reset)

RST Flood Attack – Attackers send excessive RST packets to disrupt ongoing connections.

//Sergio Albea
let binnary_codes = externaldata(Integer: string, binary: string)[@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/binary_list.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceNetworkEvents
| extend tags = parse_json( AdditionalFields)
| extend direction =  tags["direction"]
| where direction has "In"
| extend Geo_IP = tostring(geo_info_from_ip_address(RemoteIP).country)
| where isnotempty( Geo_IP)
| extend TCPFlags =  tostring(tags["Tcp Flags"])
| join kind=leftouter  ( binnary_codes) on $left.TCPFlags == $right.Integer
| extend  num0 = strcat(substring(binary,  0,1)),num1 = strcat(substring(binary,  1,1)),num2 = strcat(substring(binary,  2,1)),num3 = strcat(substring(binary,  3,1)),num4 = strcat(substring(binary,  4,1)),num5 = strcat(substring(binary,  5,1)),num6 = strcat(substring(binary,  6,1)),num7 = strcat(substring(binary,  7,1))
| summarize make_set(binary),FIN= countif(num7 == 1),SYN= countif(num6 == 1),RST = countif(num5 == 1),PSH = countif(num4 == 1),ACK = countif(num3 == 1),URG = countif(num2 == 1),ECE = countif(num1 == 1),CWR = countif(num0 == 1),  count() by RemoteIP, Geo_IP
| where RST > 0

3- PSH (Push)

Attackers use PSH flags to quickly transmit stolen data.

//Sergio Albea
let binnary_codes = externaldata(Integer: string, binary: string)[@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/binary_list.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceNetworkEvents
| extend tags = parse_json( AdditionalFields)
| extend direction =  tags["direction"]
| where direction has "In"
| extend Geo_IP = tostring(geo_info_from_ip_address(RemoteIP).country)
| where isnotempty( Geo_IP)
| extend TCPFlags =  tostring(tags["Tcp Flags"])
| join kind=leftouter  ( binnary_codes) on $left.TCPFlags == $right.Integer
| extend  num0 = strcat(substring(binary,  0,1)),num1 = strcat(substring(binary,  1,1)),num2 = strcat(substring(binary,  2,1)),num3 = strcat(substring(binary,  3,1)),num4 = strcat(substring(binary,  4,1)),num5 = strcat(substring(binary,  5,1)),num6 = strcat(substring(binary,  6,1)),num7 = strcat(substring(binary,  7,1))
| summarize make_set(binary),FIN= countif(num7 == 1),SYN= countif(num6 == 1),RST = countif(num5 == 1),PSH = countif(num4 == 1),ACK = countif(num3 == 1),URG = countif(num2 == 1),ECE = countif(num1 == 1),CWR = countif(num0 == 1),  count() by RemoteIP, Geo_IP
| where PSH > 0

4- ACK (Acknowledgment)

ACK Flood Attack – Attackers flood a target with ACK packets to exhaust system resources.

//Sergio Albea
let binnary_codes = externaldata(Integer: string, binary: string)[@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/binary_list.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceNetworkEvents
| extend tags = parse_json( AdditionalFields)
| extend direction =  tags["direction"]
| where direction has "In"
| extend Geo_IP = tostring(geo_info_from_ip_address(RemoteIP).country)
| where isnotempty( Geo_IP)
| extend TCPFlags =  tostring(tags["Tcp Flags"])
| join kind=leftouter  ( binnary_codes) on $left.TCPFlags == $right.Integer
| extend  num0 = strcat(substring(binary,  0,1)),num1 = strcat(substring(binary,  1,1)),num2 = strcat(substring(binary,  2,1)),num3 = strcat(substring(binary,  3,1)),num4 = strcat(substring(binary,  4,1)),num5 = strcat(substring(binary,  5,1)),num6 = strcat(substring(binary,  6,1)),num7 = strcat(substring(binary,  7,1))
| summarize make_set(binary),FIN= countif(num7 == 1),SYN= countif(num6 == 1),RST = countif(num5 == 1),PSH = countif(num4 == 1),ACK = countif(num3 == 1),URG = countif(num2 == 1),ECE = countif(num1 == 1),CWR = countif(num0 == 1),  count() by RemoteIP, Geo_IP
| where ACK > 100

5 URG (Urgent)

Injection Attacks – Attackers manipulate urgent pointers to inject malicious payloads.

//Sergio Albea
let binnary_codes = externaldata(Integer: string, binary: string)[@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/binary_list.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceNetworkEvents
| extend tags = parse_json( AdditionalFields)
| extend direction =  tags["direction"]
| where direction has "In"
| extend Geo_IP = tostring(geo_info_from_ip_address(RemoteIP).country)
| where isnotempty(Geo_IP)
| extend TCPFlags =  tostring(tags["Tcp Flags"])
| join kind=leftouter  ( binnary_codes) on $left.TCPFlags == $right.Integer
| extend  num0 = strcat(substring(binary,  0,1)),num1 = strcat(substring(binary,  1,1)),num2 = strcat(substring(binary,  2,1)),num3 = strcat(substring(binary,  3,1)),num4 = strcat(substring(binary,  4,1)),num5 = strcat(substring(binary,  5,1)),num6 = strcat(substring(binary,  6,1)),num7 = strcat(substring(binary,  7,1))
| summarize make_set(binary),FIN= countif(num7 == 1),SYN= countif(num6 == 1),RST = countif(num5 == 1),PSH = countif(num4 == 1),ACK = countif(num3 == 1),URG = countif(num2 == 1),ECE = countif(num1 == 1),CWR = countif(num0 == 1),  count() by RemoteIP, Geo_IP
| where URG > 0

6- ECE (ECN Echo)

ECN-Based Attacks – Attackers abuse ECN to cause unnecessary congestion handling.

//Sergio Albea
let binnary_codes = externaldata(Integer: string, binary: string)[@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/binary_list.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceNetworkEvents
| extend tags = parse_json( AdditionalFields)
| extend direction =  tags["direction"]
| where direction has "In"
| extend Geo_IP = tostring(geo_info_from_ip_address(RemoteIP).country)
| where isnotempty(Geo_IP)
| extend TCPFlags =  tostring(tags["Tcp Flags"])
| join kind=leftouter  ( binnary_codes) on $left.TCPFlags == $right.Integer
| extend  num0 = strcat(substring(binary,  0,1)),num1 = strcat(substring(binary,  1,1)),num2 = strcat(substring(binary,  2,1)),num3 = strcat(substring(binary,  3,1)),num4 = strcat(substring(binary,  4,1)),num5 = strcat(substring(binary,  5,1)),num6 = strcat(substring(binary,  6,1)),num7 = strcat(substring(binary,  7,1))
| summarize make_set(binary),FIN= countif(num7 == 1),SYN= countif(num6 == 1),RST = countif(num5 == 1),PSH = countif(num4 == 1),ACK = countif(num3 == 1),URG = countif(num2 == 1),ECE = countif(num1 == 1),CWR = countif(num0 == 1),  count() by RemoteIP, Geo_IP
| where ECE > 0

7 - CWR (Congestion Window Reduced)

ECN Flooding Attack – Attackers manipulate congestion control mechanisms to disrupt network performance.

//Sergio Albea
let binnary_codes = externaldata(Integer: string, binary: string)[@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/binary_list.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceNetworkEvents
| extend tags = parse_json( AdditionalFields)
| extend direction =  tags["direction"]
| where direction has "In"
| extend Geo_IP = tostring(geo_info_from_ip_address(RemoteIP).country)
| where isnotempty(Geo_IP)
| extend TCPFlags =  tostring(tags["Tcp Flags"])
| join kind=leftouter  ( binnary_codes) on $left.TCPFlags == $right.Integer
| extend  num0 = strcat(substring(binary,  0,1)),num1 = strcat(substring(binary,  1,1)),num2 = strcat(substring(binary,  2,1)),num3 = strcat(substring(binary,  3,1)),num4 = strcat(substring(binary,  4,1)),num5 = strcat(substring(binary,  5,1)),num6 = strcat(substring(binary,  6,1)),num7 = strcat(substring(binary,  7,1))
| summarize make_set(binary),FIN= countif(num7 == 1),SYN= countif(num6 == 1),RST = countif(num5 == 1),PSH = countif(num4 == 1),ACK = countif(num3 == 1),URG = countif(num2 == 1),ECE = countif(num1 == 1),CWR = countif(num0 == 1),  count() by RemoteIP, Geo_IP
| where CWR > 0

Conclusion

This use case helps to identify TCP Flags information allowing you to create multiple queries to detect different type of attacks such as DDOS, SYN Flood Attacks, and others. For instance:

Detecting TCP Session Hijacking : Attackers inject packets into an established session using manipulated TCP flags. I would suggest to review the cases where there is an important amount of SYN packages and 0 ACK.
Detecting TCP Flag Anomalies : Attackers use unusual flag combinations to evade detection. Look for unusual flag combinations (e.g., SYN+FIN, SYN+RST).
Detecting TCP XMAS Scans : Attackers send packets with FIN, PSH, and URG flags set (like a "Christmas tree"). Look for TCP packets with FIN, PSH, and URG flags set.
Detecting SYN Flood Attacks (DDoS) : Attackers send a large number of SYN packets without completing the TCP handshake, exhausting server resources. Look for a high volume of SYN packets with no corresponding SYN-ACK or ACK responses and create detection rules to detect unusual spikes in SYN packets.
Detecting TCP RESET (RST) Attacks: Attackers send RST packets to terminate legitimate connections. Look for a high volume of RST packets from a single source IP.

I recommend executing various queries to analyse the number of occurrences for each type of TCP flag to gain a comprehensive understanding of their distribution.

Based on my findings and analysis, I strongly suggest reviewing all connection attempts that include CWR, ECE, URG, PSH, and RST TCP flags, as they may indicate unusual or potentially malicious activity.

William Sloan

SOC Analyst

4 周

This great work, I would never think about this. Also I believe that you can use Binary and to replicate it. Edit, here is improved version to fix flaws of previous KQL query DeviceNetworkEvents | extend Tcp_Flags_ = toint(coalesce(AdditionalFields.["Tcp Flags"], "0")) | where Tcp_Flags_ <> 0 | extend FIN = iif(binary_and(Tcp_Flags_, binary_shift_left(1, 0)) != 0, 1, 0), SYN = iif(binary_and(Tcp_Flags_, binary_shift_left(1, 1)) != 0, 1, 0), RST = iif(binary_and(Tcp_Flags_, binary_shift_left(1, 2)) != 0, 1, 0), PSH = iif(binary_and(Tcp_Flags_, binary_shift_left(1, 3)) != 0, 1, 0), ACK = iif(binary_and(Tcp_Flags_, binary_shift_left(1, 4)) != 0, 1, 0), URG = iif(binary_and(Tcp_Flags_, binary_shift_left(1, 5)) != 0, 1, 0), ECE = iif(binary_and(Tcp_Flags_, binary_shift_left(1, 6)) != 0, 1, 0), CWR = iif(binary_and(Tcp_Flags_, binary_shift_left(1, 7)) != 0, 1, 0), NS = iif(binary_and(Tcp_Flags_, binary_shift_left(1, 8)) != 0, 1, 0) | extend TCP_Flag_Binary_form = strcat(FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS)

1 次回应

查看更多评论

要查看或添加评论，请登录

Sergio Albea的更多文章

DNS Response analysis with KQL Queries (queries, answers, TTL, RTT and others)

2025年3月13日

DNS Response analysis with KQL Queries (queries, answers, TTL, RTT and others)

A key aspect of threat hunting is monitoring where identities and devices connect by analyzing RemoteIP, Domains, and…
Hunting malicious OneOnOne chats via M. Teams

2025年3月4日

Hunting malicious OneOnOne chats via M. Teams

In recent years, there has been a noticeable increase in malicious activity involving hackers leveraging Microsoft…
Identifying Device vendors behind connections attempts based on MAC Addresses

2025年2月17日

Identifying Device vendors behind connections attempts based on MAC Addresses

When researching information about remote connections to exposed devices, it is often necessary to gather logs from…
Hunting for malicious login attempts based on basic authentication

2025年2月10日

Hunting for malicious login attempts based on basic authentication

Nowadays, basic authentication is becoming less common and we use more secure ways to log in with our identities…
Detecting Base64 Code in Commands (Inspired by the Lumma Stealer Case)

2025年1月13日

Detecting Base64 Code in Commands (Inspired by the Lumma Stealer Case)

A recent case involving the Lumma Stealer confirms my suspicious that this malware has increased in attacks during last…

11 条评论
Threat Hunting via Autonomous System Numbers (ASN)

2025年1月6日

Threat Hunting via Autonomous System Numbers (ASN)

Months ago, I wrote an article (How non-secure ISPs Aid Attackers in Evading Detection) discussing how some malicious…

4 条评论
How non-secure ISPs Aid Attackers in Evading Detection

2024年11月21日

How non-secure ISPs Aid Attackers in Evading Detection

The Internet Service Provider (ISP) our users choose plays a critical role in safeguarding our data and assets. While…

5 条评论

See all articles

Detecting attacks based on TCP Flags (DDOS, SYN Flood, and others)

Sergio Albea

????♂? Threat Hunter-Researcher and User Behaviour Analyst ????♂? / Senior Cloud Security Engineer/Architect

领英推荐

Conclusion

Sergio Albea的更多文章

社区洞察

其他会员也浏览了

How to Stop Cyber Attacks on Control Systems ?

The 2024 Threat Report – At a Glance

Weekly Threat Digest: 06 to 12 January 2025

Buffer Overflow Attacks: A Memory Mayhem and the Mending Might of Bounds Checking

EVAs and IVAs, an ounce of prevention is worth a ton of cure

Buffer Overflow Attacks: A Memory Mayhem and the Mending Might of Bounds Checking

New zero-day exploits. Airports under attack. Privilege escalation patches - August 2024 Cyber Risk Roundup

Securing the Grid: Lessons from China's Cyberattacks on U.S. Providers

Unpatched Vulnerabilities Will Still Haunt Us in 2025!

NetScaler attack mitigation

领英推荐

Conclusion

Sergio Albea的更多文章

DNS Response analysis with KQL Queries (queries, answers, TTL, RTT and others)

Hunting malicious OneOnOne chats via M. Teams

Identifying Device vendors behind connections attempts based on MAC Addresses

Hunting for malicious login attempts based on basic authentication

Detecting Base64 Code in Commands (Inspired by the Lumma Stealer Case)

Threat Hunting via Autonomous System Numbers (ASN)

How non-secure ISPs Aid Attackers in Evading Detection

社区洞察

其他会员也浏览了

How to Stop Cyber Attacks on Control Systems ?

The 2024 Threat Report – At a Glance

Weekly Threat Digest: 06 to 12 January 2025

Buffer Overflow Attacks: A Memory Mayhem and the Mending Might of Bounds Checking

EVAs and IVAs, an ounce of prevention is worth a ton of cure

Buffer Overflow Attacks: A Memory Mayhem and the Mending Might of Bounds Checking

New zero-day exploits. Airports under attack. Privilege escalation patches - August 2024 Cyber Risk Roundup

Securing the Grid: Lessons from China's Cyberattacks on U.S. Providers

Unpatched Vulnerabilities Will Still Haunt Us in 2025!

NetScaler attack mitigation