[Bro] Bro and amplifications attacks
michalpurzynski1 at gmail.com
Mon Sep 8 16:50:55 PDT 2014
Let's say I wanted to detect an amplification attack using DNS/SNMP/NTP.
Kind of just in case the edge filters and careful configuration and
scanning for vulnerabilities didn't catch everything.
Bro has analyzers for DNS/SNMP/NTP. A few months ago it was monlist in NTP;
someone might come up with something else another day.
I think it might be a good use of a SumStat framework. The key would be a
client who has the number of packets towards him counted and expired early and
frequently. I see a problem here - a large number of keys.
Also, I don't mind when a single client sends me 100 requests and gets 150
packets of answers, but I do if he sends 1 packet and gets 10 in return.
Quite a field for false positives here.
Any ideas how to correlate it?
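One way to express the per-client request/response ratio the post describes as a SumStats policy, added here as an example and not code from the thread or from the Zeek project. It keys on the requesting client, sums request and reply payload bytes per epoch, and only raises a notice when the reply volume is both large in absolute terms and several times the request volume, which is the "1 packet in, 10 out" case rather than the "100 in, 150 out" case. The module name `AmpDetect`, the stream names `amp.req_bytes`/`amp.resp_bytes`, the port set and all thresholds are assumptions chosen for the example; it is written for current Zeek (on Bro 2.x the init event was `bro_init`).

```zeek
# Added example (not from the original thread): amplification-ratio detection
# per client with the SumStats framework. Names and thresholds are assumed.
@load base/frameworks/notice
@load base/frameworks/sumstats
@load base/utils/site

module AmpDetect;

export {
	redef enum Notice::Type += {
		## A client received far more reply bytes from one of our DNS/NTP/SNMP
		## services than it sent in requests within a single epoch.
		Amplification_Suspected
	};

	## UDP services whose replies can be much larger than the request.
	const amp_ports: set[port] = { 53/udp, 123/udp, 161/udp } &redef;

	## Lifetime of the per-client counters before SumStats expires them.
	## A short epoch keeps the key table small.
	const epoch = 1min &redef;

	## Reply bytes divided by request bytes above which a notice is raised.
	const ratio_threshold = 5.0 &redef;

	## Clients below this many reply bytes per epoch are ignored, so a single
	## small request with one larger answer does not fire on its own.
	const min_resp_bytes = 500000 &redef;
}

event zeek_init()
	{
	local req = SumStats::Reducer($stream="amp.req_bytes", $apply=set(SumStats::SUM));
	local resp = SumStats::Reducer($stream="amp.resp_bytes", $apply=set(SumStats::SUM));

	SumStats::create([$name="amp.ratio",
	                  $epoch=epoch,
	                  $reducers=set(req, resp),
	                  $threshold=ratio_threshold,
	                  # Value compared against $threshold: reply bytes / request bytes.
	                  # Returns 0 until both streams exist and the reply volume is large.
	                  $threshold_val=function(key: SumStats::Key, result: SumStats::Result): double
	                      {
	                      if ( "amp.req_bytes" !in result || "amp.resp_bytes" !in result )
	                          return 0.0;
	                      local in_bytes = result["amp.req_bytes"]$sum;
	                      local out_bytes = result["amp.resp_bytes"]$sum;
	                      if ( in_bytes == 0.0 || out_bytes < min_resp_bytes )
	                          return 0.0;
	                      return out_bytes / in_bytes;
	                      },
	                  # Fires once per key per epoch when the ratio crosses the threshold.
	                  $threshold_crossed=function(key: SumStats::Key, result: SumStats::Result)
	                      {
	                      local in_bytes = result["amp.req_bytes"]$sum;
	                      local out_bytes = result["amp.resp_bytes"]$sum;
	                      NOTICE([$note=Amplification_Suspected,
	                              $src=key$host,
	                              $msg=fmt("%s received %.0f reply bytes for %.0f request bytes (ratio %.1f) within %s",
	                                       key$host, out_bytes, in_bytes, out_bytes / in_bytes, epoch),
	                              $identifier=cat(key$host)]);
	                      }]);
	}

# Feed both streams from every finished UDP flow to a local reflectable service.
# Restricting to local responders bounds the key space to clients that actually
# talk to our own servers, which addresses the "large number of keys" concern.
event connection_state_remove(c: connection)
	{
	if ( get_port_transport_proto(c$id$resp_p) != udp )
		return;
	if ( c$id$resp_p !in amp_ports || ! Site::is_local_addr(c$id$resp_h) )
		return;

	# c$orig$size / c$resp$size are payload byte counts for each direction.
	SumStats::observe("amp.req_bytes", [$host=c$id$orig_h], [$num=c$orig$size]);
	SumStats::observe("amp.resp_bytes", [$host=c$id$orig_h], [$num=c$resp$size]);
	}
```

Both guards matter: the absolute floor (`min_resp_bytes`) is what separates an ordinary chatty resolver client from a spoofed victim address, and the ratio is what separates legitimate bulk replies from amplification. Tune them per site against a few days of normal traffic before acting on the notice, and consider a cluster-aware epoch if the sensor is distributed, since SumStats aggregates across workers at epoch end.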