[Bro] Bro and amplification attacks

Seth Hall seth at icir.org
Mon Sep 15 06:24:23 PDT 2014

On Sep 8, 2014, at 7:50 PM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:

> Let's say I wanted to detect an amplification attack using DNS/SNMP/NTP. Kind of just in case the edge filters and careful configuration and scanning for vulnerabilities didn't catch everything.

Generically detecting amplification attacks seems too broadly scoped to me.  I'm not sure that I'd even know how to approach that in a way that would work well.  Do you have any more concrete ideas?

> I think it might be a good use of a SumStat framework. 

I know you've been playing with SumStats a bit recently, have you tried to tackle amplification attack detection? 

> The key would be a client who has the number of packets towards him counted and expired early and frequently. I see a problem here - a large number of keys.

Regarding the large number of keys, that's already happening with scan.bro.  Unfortunately I think it's mostly unavoidable but doesn't seem to cause too much trouble in practice.  Although I can see it causing problems in certain circumstances.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
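As an added example, not part of this thread and not one of Bro's own scripts, here is one way the per-client counter Michał describes could be written with SumStats: the key is the host receiving the responses (the likely spoofed originator of UDP requests to local DNS/NTP/SNMP servers), the reducer sums response bytes, and a short epoch makes the keys expire frequently so the key table stays bounded. The module name `AmpDetect`, the `reflector_ports` set, the `byte_threshold` value and the 30 second epoch are assumptions chosen for illustration, not values the thread suggests. The script uses the modern `zeek_init` event; on Bro 2.x the same hook was `bro_init`.

```zeek
# Added example (not from the thread). Flag a host that receives an unusually
# large volume of UDP response bytes from local reflector services in one epoch.
# Assumes Zeek (zeek_init); on Bro 2.x use bro_init instead.

@load base/frameworks/sumstats
@load base/frameworks/notice

module AmpDetect;

export {
    redef enum Notice::Type += {
        ## A host received more than byte_threshold bytes of reflected
        ## UDP responses from local services within one epoch.
        Possible_Amplification_Victim,
    };

    ## Services commonly abused as reflectors (assumed list for this example).
    const reflector_ports: set[port] = { 53/udp, 123/udp, 161/udp } &redef;

    ## Total response bytes per victim per epoch before a notice is raised
    ## (assumed value; tune to the site).
    const byte_threshold = 10000000.0 &redef;

    ## Short epoch so keys expire early and frequently.
    const epoch = 30sec &redef;
}

event zeek_init()
{
    # One reducer that sums the observed response sizes per key.
    local r1 = SumStats::Reducer($stream="amp.resp_bytes",
                                 $apply=set(SumStats::SUM));

    SumStats::create([$name="amp-victim",
                      $epoch=epoch,
                      $reducers=set(r1),
                      # Value compared against $threshold at each observation.
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["amp.resp_bytes"]$sum;
                          },
                      $threshold=byte_threshold,
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          local r = result["amp.resp_bytes"];
                          NOTICE([$note=Possible_Amplification_Victim,
                                  $src=key$host,
                                  $msg=fmt("%s received %.0f bytes of UDP responses over %d local reflector connections within %s",
                                           key$host, r$sum, r$num, epoch),
                                  $identifier=cat(key$host)]);
                          }]);
}

event connection_state_remove(c: connection)
{
    # Only UDP flows to reflector ports on hosts we operate. The potential
    # victim is the originator; the amplified traffic flows resp -> orig.
    if ( c$id$resp_p !in reflector_ports || ! Site::is_local_addr(c$id$resp_h) )
        return;

    # Nothing was sent back, so nothing was amplified.
    if ( c$resp$size == 0 )
        return;

    SumStats::observe("amp.resp_bytes",
                      [$host=c$id$orig_h],
                      [$num=c$resp$size]);
}
```

Two caveats a practitioner would want: `connection_state_remove` only fires once the UDP flow times out, so detection lags by the UDP inactivity timeout, and keying on every originator still creates one key per client per epoch, which is the same growth pattern Seth mentions for scan.bro; the short epoch and the port filter are what keep it tolerable.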
