[Bro] Packet scans drops
jones at tacc.utexas.edu
Tue Apr 23 08:38:41 PDT 2013
The only time I am seeing dropped packets is during attempts to use TACC to amplify DoS attacks and during very aggressive port scans.
In both cases Bro workers are being overloaded by 500kk to 1000k incoming packets. It looks like a single worker can only handle 30K packets/sec before it reaches 100 percent CPU usage. Is there any effort going into Bro development to handle these cases?
My only workaround that I have now is to block access to common ports at the border router and open hosts to vetted hosts.