[Bro] Slow-motion DoS attack

Seth Hall seth at icir.org
Mon Jan 9 05:36:45 PST 2012

On Jan 9, 2012, at 6:07 AM, Liam Randall wrote:

> I would be interested in the script as well.  We will be running a BRO
> box out at Shmoocon this year and I'm _sure_ we'll see some interesting
> traffic.

Cool!  It's attached.  

It currently detects the slow body and slow headers attacks from the slowhttptest tool.  It doesn't detect range attacks yet, but that should be easy to add.  We may be able to make it detect slow read attacks with 2.1 once we get the new tcp stats analyzer integrated since that's not even technically an HTTP attack (it's a tcp attack).

I know that it currently has some false positives and generally isn't written very well.  If anyone encounters any false positives, please let me know.  I'd like to understand all of cases where false positives happen.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: http-DoS-detector.bro
Type: application/octet-stream
Size: 2445 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120109/84fdf6c0/attachment.obj 
-------------- next part --------------


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list