[Bro] detect Ack flooding attack

bchen at cs.ucf.edu bchen at cs.ucf.edu
Wed May 18 11:01:43 PDT 2005

Hi Vern,
     Thank you for your reply. I corrected this filter expression and run Bro,
but I got the same result. I can see these spoofed source IP packets with
Ethereal. All of them target the same host but with different destination
ports. The TCP flag of these packets is 0x0010 (ack). I found no single log
record was for such packets. Am I missing anything?
     By the way, I am using the DARPA 2000 data set (Scenario one, inside
tcpdump file). This is the link for this data:

thank you for your time.


Quoting Vern Paxson <vern at icir.org>:

>> ./bro -f "(tcp and ((tcp[13] & 0x7 != 0) or (tcp[13] & 0x10 == 1)) ) 
>> or udp or
> The second test you give, for capturing ACK packets, is incorrect.
> It needs to be
> 	(tcp[13] & 0x10 == 0x10)
> - Vern

More information about the Bro mailing list