[Bro] bro policy to identify memcached attacks/participation
pssunu6 at gmail.com
Tue Mar 6 21:58:28 PST 2018
After activating this script I am getting the below warning and bro not
lines 41-42: multiple initializations for index (188.8.131.52/27)
lines 57-58: multiple initializations for index (184.108.40.206/26)
lines 70-71: multiple initializations for index (220.127.116.11/24)
On Sat, Mar 3, 2018 at 4:04 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> Neat. I kind of have a generic version of this that detects any udp
> reflection attack, at least the ones we have seen.
> I've been meaning to make a package for it, I just want to generate some
> tests first.
> From research I've done, other than a few endpoints like VPN boxes that
> can be whitelisted and bittorrent
> uTP users, any large inbound or outbound udp flows are DoS attacks,
> especially when orig_h is remote.
> Justin Azoff
> > On Mar 2, 2018, at 4:37 PM, Scott Campbell <scottc at es.net> wrote:
> > We have put together some sample bro policy that might be useful in
> > 1) memcached instances with publicly available TCP ports.
> > 2) UDP connection attempts to 11211/udp.
> > 3) excessive outbound traffic from an IP that has previously had an
> inbound memcached 'get' request from outside the local address space.
> > This code is a little green, but can be used to keep an eye on your
> local network as this problem evolves.
> > Repo can be found here:
> > https://github.com/set-element/bro_memcached_detect
> > If you have any questions please let me know and I will do what I can to
> help. As well, any changes or improvements will be gladly integrated into
> the code as well.
> > Feel free to share with anyone as this is public information.
> > Many thanks!
> > scott
> > -----
> > Scott Campbell
> > ESnet Security Analyst
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
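Checks 2 and 3 from Scott's list (UDP requests to 11211 from outside the local space, then excessive outbound volume from a host that received one) together with Justin's generic rule (any large UDP flow whose originator is remote, unless an endpoint is a whitelisted box such as a VPN) as an added example, written in Python over conn.log-style records rather than as Bro script, and not code from the thread or from the bro_memcached_detect repo. The local nets, the whitelist, the 10 MB threshold and the sample records are constructed assumptions.

```python
import ipaddress

# Constructed local address space and whitelist (assumptions, not from the thread).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
WHITELIST = {ipaddress.ip_address("192.0.2.50")}   # e.g. a known VPN endpoint
MEMCACHED_PORT = 11211
LARGE_UDP_BYTES = 10_000_000   # constructed threshold for an "excessive" UDP flow

SAMPLE_CONNS = [  # constructed conn.log-style records, not real traffic
    dict(orig_h="198.51.100.7", resp_h="10.1.2.3", resp_p=11211, proto="udp", orig_bytes=15, resp_bytes=75_000),
    dict(orig_h="198.51.100.7", resp_h="10.1.2.3", resp_p=11211, proto="udp", orig_bytes=15, resp_bytes=50_000_000),
    dict(orig_h="203.0.113.9", resp_h="192.0.2.50", resp_p=443, proto="udp", orig_bytes=30_000_000, resp_bytes=30_000_000),
    dict(orig_h="10.1.2.3", resp_h="203.0.113.20", resp_p=53, proto="udp", orig_bytes=20_000_000, resp_bytes=100),
    dict(orig_h="203.0.113.30", resp_h="10.9.9.9", resp_p=11211, proto="tcp", orig_bytes=100, resp_bytes=100),
    dict(orig_h="203.0.113.30", resp_h="10.9.9.9", resp_p=53, proto="udp", orig_bytes=60, resp_bytes=30_000_000),
]


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def detect(conns):
    """Run the heuristics over conn.log-like records (dicts with orig_h, resp_h,
    resp_p, proto, orig_bytes, resp_bytes). Returns a list of (kind, host) alerts."""
    alerts = []
    primed = set()   # local hosts that received a memcached UDP request from outside
    for c in conns:
        if c["proto"] != "udp":   # the TCP check (1) is out of scope here
            continue
        orig = ipaddress.ip_address(c["orig_h"])
        resp = ipaddress.ip_address(c["resp_h"])
        # (2) a UDP request to 11211 on a local host whose originator is remote
        if c["resp_p"] == MEMCACHED_PORT and is_local(resp) and not is_local(orig):
            alerts.append(("memcached_udp_request", str(resp)))
            primed.add(resp)
        # (3) a primed host now pushing an excessive volume out; with a spoofed
        # source the reflected traffic appears as resp_bytes of the 11211 flow itself
        local_side, out_bytes = (resp, c["resp_bytes"]) if is_local(resp) else (orig, c["orig_bytes"])
        if local_side in primed and out_bytes >= LARGE_UDP_BYTES:
            alerts.append(("memcached_reflection_outbound", str(local_side)))
        # generic rule: a large UDP flow with a remote originator, unless one endpoint
        # is a whitelisted box such as a VPN concentrator
        if (not is_local(orig) and not ({orig, resp} & WHITELIST)
                and max(c["orig_bytes"], c["resp_bytes"]) >= LARGE_UDP_BYTES):
            alerts.append(("large_udp_remote_orig", str(orig)))
    return alerts
```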