more on my idea
I think it would capture a wide variety of hard-to-see protocol-bug-based attacks
- SYN Flood, Land, Teardrop, Smurf, plus (most importantly) whatever hasn’t been invented yet
Would probably see attacks on services (e.g. port scanning on a host, service scanning across many hosts -- DNS bug!)
Would even see deviations from normal behavior on regularly used services (e.g., catching a PHF bug or keystrokes to httpd)
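The first two points above (protocol-bug packets such as Land or a SYN flood, and vertical/horizontal scanning) can be checked with a few simple rules over a packet stream. The following is an added example written for this note, not code from the idea above: it runs four detectors over a constructed, labelled sample of packet records (the `Packet` record, the `detect` function, its thresholds and the sample addresses are all assumptions made here), and returns the alerts so they can be inspected or asserted on. The application-level anomalies in the last point (PHF, keystrokes to httpd) need service-specific baselines and are not covered.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal per-packet record (hypothetical schema for this example)."""
    ts: float      # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def detect(packets, syn_threshold=50, window=1.0, scan_ports=10, scan_hosts=10):
    """Run four rule-based detectors and return a list of (kind, who, what) alerts.

    - land:         source address/port equals destination address/port
    - syn_flood:    >= syn_threshold SYN-only packets to one socket within `window` seconds
    - port_scan:    one source touching >= scan_ports distinct ports on one host
    - service_scan: one source touching the same port on >= scan_hosts distinct hosts
    """
    alerts = []

    # Land: a forged packet addressed from a host to itself.
    for p in packets:
        if p.src == p.dst and p.sport == p.dport:
            alerts.append(("land", p.src, p.dport))

    # SYN flood: sliding window of half-open attempts per (dst, dport).
    syn_times = defaultdict(deque)
    flooded = set()
    for p in sorted(packets, key=lambda x: x.ts):
        if p.syn and not p.ack:
            key = (p.dst, p.dport)
            times = syn_times[key]
            times.append(p.ts)
            while times and times[0] < p.ts - window:
                times.popleft()
            if len(times) >= syn_threshold and key not in flooded:
                flooded.add(key)  # alert once per flooded socket
                alerts.append(("syn_flood", p.dst, p.dport))

    # Scans: count distinct ports per (src, dst) and distinct hosts per (src, dport).
    ports_per_pair = defaultdict(set)
    hosts_per_port = defaultdict(set)
    for p in packets:
        ports_per_pair[(p.src, p.dst)].add(p.dport)
        hosts_per_port[(p.src, p.dport)].add(p.dst)
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_ports:
            alerts.append(("port_scan", src, dst))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= scan_hosts:
            alerts.append(("service_scan", src, dport))

    return alerts


def sample_traffic():
    """Constructed sample traffic (not a real capture) exercising every detector once."""
    pkts = []
    # Benign: one client opens a connection to a web server and exchanges a few packets.
    pkts.append(Packet(0.0, "10.0.0.5", "10.0.0.1", 40000, 80, syn=True))
    pkts.append(Packet(0.1, "10.0.0.1", "10.0.0.5", 80, 40000, syn=True, ack=True))
    pkts += [Packet(0.2 + i * 0.1, "10.0.0.5", "10.0.0.1", 40000, 80, ack=True) for i in range(3)]
    # Land: source and destination are the same host and port.
    pkts.append(Packet(1.0, "10.0.0.1", "10.0.0.1", 139, 139, syn=True))
    # SYN flood: 60 SYNs from spoofed sources to one socket inside 0.3 s.
    pkts += [Packet(2.0 + i * 0.005, f"198.51.100.{i + 1}", "10.0.0.1", 1024 + i, 80, syn=True)
             for i in range(60)]
    # Vertical port scan: one source probes 15 ports on one host.
    pkts += [Packet(3.0 + i * 0.01, "10.0.0.9", "10.0.0.2", 50000, port, syn=True)
             for i, port in enumerate(range(1, 16))]
    # Horizontal service scan: the same source probes port 53 on 12 hosts.
    pkts += [Packet(4.0 + i * 0.01, "10.0.0.9", f"10.0.1.{i + 1}", 50001, 53, syn=True)
             for i in range(12)]
    return pkts


if __name__ == "__main__":
    for alert in detect(sample_traffic()):
        print(alert)
```

The thresholds are deliberately crude; in practice each would be tuned per network, and the flood rule would also credit completed handshakes (SYN/ACK followed by ACK) so that a busy but healthy server does not trip it.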