[Bro] detect Ack flooding attack

bchen at cs.ucf.edu bchen at cs.ucf.edu
Wed May 18 12:06:21 PDT 2005

Hi Vern,
   The attachment is a small trace file. thanks


Quoting Vern Paxson <vern at icir.org>:

>>      Thank you for your reply. I corrected this filter expression 
>> and run Bro,
>> but I got the same result. I can see these spoofed source IP packets with
>> Ethereal. All of them target the same host but with different destination
>> ports. The TCP flag of these packets is 0x0010 (ack). I found no single log
>> record was for such packets. Am I missing anything?
>>      By the way, I am using the DARPA 2000 data set (Scenario one, inside
>> tcpdump file). This is the link for this data:
>> http://www.ll.mit.edu/IST/ideval/data/2000/LLS_DDOS_1.0.html
> Please send a small trace that can be used to reproduce the problem.
> Thanks.
> 		Vern

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smalltrace
Type: application/octet-stream
Size: 7574 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20050518/78b6b5d6/attachment.obj 

More information about the Bro mailing list