psh_flood

Explanation

psh_flood is a security event in the Netography Fusion Portal that detects potential PSH floods. A PSH flood is a stream of TCP packets with the Push (PSH) flag set in the header; a flood of such packets may overwhelm the receiver.

What to Look For

When analyzing the results of the psh_flood event, look for an unusually high number of TCP packets with the Push flag set. This type of traffic can cause performance issues on the network and may indicate a malicious attack. Look for patterns or anomalies in the traffic, such as frequent bursts of PSH packets from the same IP address or network. Endpoint analysis may also reveal CPU or memory usage spikes, indicating that the flood is affecting the local system. Investigate and remediate any observed PSH floods promptly to prevent network downtime or data loss.
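The check described above, written out as an added example (not Netography's own detection logic): it buckets constructed flow records per source and time window, counts PSH-flagged packets, and flags a source only when the PSH count is high and nearly all of its packets carry PSH, so that busy but legitimate hosts sending ordinary PSH|ACK data segments are not reported. The record layout, window size and thresholds are assumptions for illustration.

```python
from collections import defaultdict

# TCP header flag bits (RFC 9293); PSH is bit 3 of the flags byte.
TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x02, 0x04, 0x08, 0x10

# Constructed flow records for illustration, not captured traffic:
# (timestamp_seconds, src_ip, dst_ip, packet_count, tcp_flags_bitmask).
# Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    (0,  "10.0.0.5",     "192.0.2.10", 200,  TCP_PSH | TCP_ACK),  # normal application data
    (0,  "10.0.0.5",     "192.0.2.10", 300,  TCP_ACK),
    (1,  "198.51.100.7", "192.0.2.10", 900,  TCP_PSH),            # PSH-only burst
    (4,  "198.51.100.7", "192.0.2.10", 700,  TCP_PSH),
    (12, "198.51.100.7", "192.0.2.10", 2000, TCP_PSH),            # burst continues in next window
    (13, "10.0.0.9",     "192.0.2.10", 50,   TCP_SYN),
]


def psh_stats_per_window(flows, window_s=10):
    """Aggregate per (src_ip, window_start): [total_packets, psh_packets]."""
    stats = defaultdict(lambda: [0, 0])
    for ts, src, _dst, pkts, flags in flows:
        key = (src, (ts // window_s) * window_s)
        stats[key][0] += pkts
        if flags & TCP_PSH:
            stats[key][1] += pkts
    return stats


def detect_psh_flood(flows, window_s=10, min_psh_packets=1000, min_psh_ratio=0.9):
    """Return one alert per (source, window) whose PSH packet count meets the
    threshold AND whose traffic is almost entirely PSH-flagged. The ratio test
    keeps legitimate high-volume hosts from being flagged on volume alone."""
    alerts = []
    for (src, start), (total, psh) in sorted(psh_stats_per_window(flows, window_s).items()):
        ratio = psh / total if total else 0.0
        if psh >= min_psh_packets and ratio >= min_psh_ratio:
            alerts.append({"src_ip": src, "window_start": start,
                           "psh_packets": psh, "psh_ratio": round(ratio, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect_psh_flood(SAMPLE_FLOWS):
        print(alert)  # two alerts, both for 198.51.100.7 (windows 0 and 10)
```

Thresholds should be tuned against each network's baseline; a source that repeatedly trips the check across consecutive windows is the "frequent bursts from the same IP" pattern the event description calls out.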

Related MITRE ATT&CK Categories

Network Denial of Service, Technique T1498 - Enterprise
Endpoint Denial of Service, Technique T1499 - Enterprise