[Bro] Packet scans drops

William Jones jones at tacc.utexas.edu
Tue Apr 23 08:38:41 PDT 2013


The only time I am seeing dropped packets are during attempts to us TACC to amplify dos attach very aggressive port scans.

In both cases bro  workers are being overloaded by 500kk to 1000k incoming packets.   It looks like a single worker can only handle 30K packets/sec before it reaches 100 percent cpu usage.    Is there any effort going into bro development to handle these cases.    

My only work around that I have now is to block aces to common ports  at the boarder router and opening host to vetted hosts.

Bill Jones

More information about the Bro mailing list