[Bro] detect Ack flooding attack

Vern Paxson vern at icir.org
Thu Jun 23 22:14:19 PDT 2005

I've finally had a chance to look into this - sorry about the delay.  I had
misinterpreted your original comment - I thought you were asking about
detecting ACK scanning, not flooding.  Bro doesn't have a flood-detection
script other than for SYN flooding (which is in synflood.bro), so it's
expected that it wouldn't detect this.  (FYI, I have a tweak to it for
detecting ACK scanning, but this is tricky because it's hard to distinguish
between ACK scanning and SYN flooding backscatter.)

>    The attachment is a small trace file. thanks

FYI, the trace has numerous checksum errors (confirmed by tcpdump) -
something to be aware of when analyzing it.
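As an added illustration of the two points in the reply above (Bro's synflood.bro covers SYN floods only, and a trace full of checksum errors needs care before anything is read into it), here is a small Python script that is not part of this message and not Bro code. It builds a constructed set of IPv4/TCP segments, verifies the IP and TCP checksums the way tcpdump does, and then tallies, per source host, the ACK-flagged segments that belong to no handshake seen in the trace, splitting them by whether they also carry SYN or RST. The addresses, ports, helper names and the sample trace are all made up for the example.

```python
"""Offline triage of a TCP trace: checksum verification, then a tally of
ACK-flagged segments that belong to no handshake seen in the trace.
Added example; not Bro code and not from the original message."""
import socket
import struct
from collections import defaultdict

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def ones_complement_sum(data):
    """RFC 1071 one's-complement sum of 16-bit words; an odd tail byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    """Internet checksum of data (the checksum field is already zero in data)."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_packet(src, dst, sport, dport, flags, seq=0, ack=0, corrupt=False):
    """Constructed IPv4 + TCP headers, no payload; corrupt=True breaks the TCP checksum."""
    saddr, daddr = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = saddr + daddr + struct.pack("!BBH", 0, 6, len(tcp))
    tcsum = checksum(pseudo + tcp)
    if corrupt:
        tcsum ^= 0x0001
    tcp = tcp[:16] + struct.pack("!H", tcsum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, saddr, daddr)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(raw):
    """Decode the headers and verify both checksums (what tcpdump -vv reports)."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    ip, tcp = raw[:ihl], raw[ihl:total_len]
    saddr, daddr = ip[12:16], ip[16:20]
    sport, dport, _seq, _ack, _doff, flags = struct.unpack("!HHIIBB", tcp[:14])
    pseudo = saddr + daddr + struct.pack("!BBH", 0, ip[9], len(tcp))
    return {
        "src": socket.inet_ntoa(saddr), "dst": socket.inet_ntoa(daddr),
        "sport": sport, "dport": dport, "flags": flags,
        "ip_csum_ok": ones_complement_sum(ip) == 0xFFFF,
        "tcp_csum_ok": ones_complement_sum(pseudo + tcp) == 0xFFFF,
    }


def orphan_ack_report(packets):
    """Per source: ACK-flagged segments whose 4-tuple never carried a plain SYN,
    split by the other flags they carry, plus a count of bad-checksum segments."""
    seen_syn = set()
    report = defaultdict(lambda: {"dsts": set(), "pure_ack": 0, "syn_ack": 0,
                                  "rst_ack": 0, "bad_csum": 0})
    for p in packets:
        if not (p["ip_csum_ok"] and p["tcp_csum_ok"]):
            report[p["src"]]["bad_csum"] += 1   # a receiver would discard it
            continue
        key = frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])})
        if p["flags"] & TCP_SYN and not p["flags"] & TCP_ACK:
            seen_syn.add(key)                   # handshake opened; later ACKs are expected
            continue
        if not p["flags"] & TCP_ACK or key in seen_syn:
            continue
        r = report[p["src"]]
        r["dsts"].add(p["dst"])
        if p["flags"] & TCP_SYN:
            r["syn_ack"] += 1                   # shape of SYN-flood backscatter
        elif p["flags"] & TCP_RST:
            r["rst_ack"] += 1                   # backscatter from a closed port, or a probe
        else:
            r["pure_ack"] += 1                  # shape of an ACK scan or ACK flood
    return {src: dict(r, dsts=len(r["dsts"])) for src, r in report.items()}


def sample_trace():
    """Constructed trace: one real handshake, an ACK scan from 198.51.100.7,
    SYN-ACK backscatter from 203.0.113.9, and one segment with a bad checksum."""
    pkts = [
        build_packet("10.0.0.5", "10.0.0.20", 40000, 80, TCP_SYN, seq=1),
        build_packet("10.0.0.20", "10.0.0.5", 80, 40000, TCP_SYN | TCP_ACK, seq=100, ack=2),
        build_packet("10.0.0.5", "10.0.0.20", 40000, 80, TCP_ACK, seq=2, ack=101),
    ]
    for i in range(1, 6):
        pkts.append(build_packet("198.51.100.7", "10.0.0.%d" % (30 + i), 55555, 22, TCP_ACK, seq=7, ack=7))
    for i in range(1, 4):
        pkts.append(build_packet("203.0.113.9", "10.0.0.%d" % (50 + i), 80, 61000 + i, TCP_SYN | TCP_ACK, seq=9, ack=1))
    pkts.append(build_packet("198.51.100.7", "10.0.0.99", 55555, 22, TCP_ACK, corrupt=True))
    return [parse_packet(p) for p in pkts]


if __name__ == "__main__":
    for src, r in sorted(orphan_ack_report(sample_trace()).items()):
        print(src, r)
```

Run as-is it prints one line per suspicious source; on a real capture you would feed parse_packet the IP payload of each frame instead of the constructed list. Two caveats a practitioner would keep in mind. First, segments with bad checksums are counted but left out of the tally, because a receiver would discard them; if the capture was taken on the sending host with checksum offload enabled, locally originated traffic shows up with bad checksums even though it was fine on the wire, so check where the trace came from before trusting that column. Second, the flag breakdown is a hint, not a verdict, and does not resolve the ambiguity the reply mentions: the victim of a SYN flood may answer with RSTs rather than SYN-ACKs, and a scanner can set whatever flags it likes, so pure-ACK and SYN-ACK orphans from one source to many of your hosts can still come from either cause.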


