[Bro] Slow-motion DoS attack

Seth Hall seth at icir.org
Sat Jan 7 20:58:46 PST 2012

On Jan 7, 2012, at 5:00 PM, Will wrote:

> I was wondering if anyone has set anything up in Bro to monitor their web servers for this style of attack.

I have a script. :)

I've been working on this for a little while already, but I'm still expanding it to work against some of the newer attacks like the one that takes advantage of TCP window sizes to execute a slow read attack.  The script still kind of sucks and has false positives in a few cases (and I'm sure false negatives as well), but I'm slowly working on getting those ironed out.

If you'd like a copy of my script to try, let me know and I can get it over to you.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list