Can any on help me how to detect DOS or DDOS attack on the netwitness. I know this is something strange question but I faced it on my client side. I found there were few TCP packets which is having only 60 bytes and payload is having zero data and flag reset. On the same time I found few hits on the UDP traffic where source port is 53 and destination is 0 or dynamic 4 digit port numbers. I found it very strange and few of the UDP packet got root server boot information. Reported same to monitoring team and they also informed there is instant spike of TCP and UDP packets.
This suspects me it should be LOIC DOS attack where as I am not able to confirm it where as I asked to block immediately for few external IPs from which I saw major amount of hits.
Please suggest me if is there any good rule or observation for DOS/DDOS.