[Bro] detect Ack flooding attack

bchen at cs.ucf.edu bchen at cs.ucf.edu
Mon May 23 19:52:52 PDT 2005

Hi Vern,
    I have an interesting finding about the problem I met. It was the backdoor
analyzer that prevented those ack flooding packets from being logged. If I load
backdoor.bro into mt.bro and run bro to read the tcpdump file (command line:
./bro -r 2000.dump mt), those ack flooding entries are missing in conn.log and
weird.log. If I unload backdoor.bro from mt.bro and run bro, those ack
flooding packets are logged in conn.log and weird.log. The interesting thing is
that these ack flooding packets are sent by a backdoor program (Mstream DDOS
tool). I don't understand why the backdoor analyzer blocks the logging of these
    By the way, the latest version just released looks much slower than the
previous version on my machine (Linux).


Quoting Vern Paxson <vern at icir.org>:

>>      Thank you for your reply. I corrected this filter expression and ran Bro,
>> but I got the same result. I can see these spoofed source IP packets with
>> Ethereal. All of them target the same host but with different destination
>> ports. The TCP flag of these packets is 0x0010 (ack). I found no single log
>> record was for such packets. Am I missing anything?
>>      By the way, I am using the DARPA 2000 data set (Scenario one, inside
>> tcpdump file). This is the link for this data:
>> http://www.ll.mit.edu/IST/ideval/data/2000/LLS_DDOS_1.0.html
> Please send a small trace that can be used to reproduce the problem.
> Thanks.
> 		Vern
