[Bro] Bro and amplifications attacks

Michał Purzyński michalpurzynski1 at gmail.com
Mon Sep 8 16:50:55 PDT 2014


Let's say I wanted to detect an amplification attack using DNS/SNMP/NTP.
Kind of just in case the edge filters and careful configuration and
scanning for vulnerabilities didn't catch everything.

Bro has analyzers for DNS/SNMP/NTP. A few months ago it was monlist in NTP;
someone might come up with something else another day.

I think it might be a good use of the SumStats framework. The key would be a
client who has the number of packets towards him counted and expired early and
frequently. I see a problem here: a large number of keys.

Also, I don't mind when a single client sends me 100 requests and gets 150
packets of answers, but I do if he sends 1 packet and gets 10 in return
every time.

Quite a field for false positives here.

Any ideas on how to correlate it?

Michał Purzyński
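One way to express the per-client ratio idea above in SumStats, added here as an example and not part of the original post or of Bro's own scripts. It keys on the originator address, sums request and response packets of every UDP flow to DNS/NTP/SNMP over a short epoch, and only computes the ratio once a client has sent a minimum number of request packets, so a host that sends 100 requests and gets 150 answers stays quiet while one that gets 10 packets back for every 1 it sends does not. Stream names, the module name, the watched ports and the thresholds are choices made for this example; it assumes a Bro 2.3-era SumStats API and that use_conn_size_analyzer is left at its default of T so c$orig$num_pkts and c$resp$num_pkts are populated.

```bro
##! Added example (not from the original thread): per-client response/request
##! packet ratio for UDP amplification candidates (DNS/NTP/SNMP) via SumStats.
##! Assumes a Bro 2.3-era SumStats API and use_conn_size_analyzer = T (default),
##! so that c$orig$num_pkts and c$resp$num_pkts are set.

@load base/frameworks/sumstats
@load base/frameworks/notice

module AmpDetect;

export {
	redef enum Notice::Type += {
		## A client received far more packets from amplification-prone
		## services than it sent to them within one epoch.
		Amplification_Suspected,
	};

	## UDP services watched in this example; extend as new vectors appear.
	const watched_ports: set[port] = { 53/udp, 123/udp, 161/udp } &redef;

	## How often the per-client counters are reset (keeps the key table small).
	const epoch = 1min &redef;

	## Response/request packet ratio that triggers a notice.
	const ratio_threshold = 5.0 &redef;

	## Ignore clients that sent fewer request packets than this per epoch,
	## so a single 1-in/10-out flow does not fire on its own.
	const min_requests = 20.0 &redef;
}

# Computed by SumStats for each key; the threshold is compared against
# this value, not against a raw counter.
function amp_ratio(key: SumStats::Key, result: SumStats::Result): double
	{
	# A key that only ever saw one of the two streams has nothing to compare.
	if ( "amp.req_pkts" !in result || "amp.resp_pkts" !in result )
		return 0.0;

	local req = result["amp.req_pkts"]$sum;
	local resp = result["amp.resp_pkts"]$sum;

	if ( req < min_requests )
		return 0.0;

	return resp / req;
	}

event bro_init()
	{
	local r_req = SumStats::Reducer($stream="amp.req_pkts",
	                                $apply=set(SumStats::SUM));
	local r_resp = SumStats::Reducer($stream="amp.resp_pkts",
	                                 $apply=set(SumStats::SUM));

	SumStats::create([$name="amp-ratio",
	                  $epoch=epoch,
	                  $reducers=set(r_req, r_resp),
	                  $threshold_val=amp_ratio,
	                  $threshold=ratio_threshold,
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	local req = result["amp.req_pkts"]$sum;
	                  	local resp = result["amp.resp_pkts"]$sum;
	                  	NOTICE([$note=Amplification_Suspected,
	                  	        $src=key$host,
	                  	        $msg=fmt("%s sent %.0f and received %.0f packets on DNS/NTP/SNMP ports within %s (ratio %.1f)",
	                  	                 key$host, req, resp, epoch, resp / req),
	                  	        $identifier=cat(key$host)]);
	                  	}]);
	}

# One observation per finished flow; UDP flows expire after the inactivity
# timeout, so the counters reflect recent traffic without per-packet cost.
event connection_state_remove(c: connection)
	{
	if ( c$id$resp_p !in watched_ports )
		return;

	# num_pkts is only populated when use_conn_size_analyzer is T.
	if ( ! c$orig?$num_pkts || ! c$resp?$num_pkts )
		return;

	SumStats::observe("amp.req_pkts",  [$host=c$id$orig_h], [$num=c$orig$num_pkts]);
	SumStats::observe("amp.resp_pkts", [$host=c$id$orig_h], [$num=c$resp$num_pkts]);
	}
```

Load it with `bro -r trace.pcap amp-detect.bro` (or from local.bro) and watch notice.log. If the number of keys is the concern, add a guard in connection_state_remove on `c$id$orig_h in Site::local_nets` when only your own hosts being victims matters, or the inverse when you care about your servers being used as reflectors against outside addresses; the one-minute epoch already bounds how long any key lives. Bytes rather than packets (c$orig$size / c$resp$size) give the usual amplification-factor number and need no analyzer setting, at the cost of no longer matching the "1 packet gets 10 in return" framing.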