[Bro-Dev] Yet another thing to detect
Seth Hall
seth at icir.org
Tue Nov 16 13:53:26 PST 2010
This should be easy to write a detection script for...
http://chaptersinwebsecurity.blogspot.com/2010/11/universal-http-dos-are-you-dead-yet.html
It's a tool that implements the recently discussed slow POST HTTP DoS attack. The client sends a long-ish Content-Length header (maybe even just 1000) and then every 15 seconds or so, sends a byte of data. It takes a long time to send the entire 1000 bytes, and the web server will sit there waiting for all of the data, so it's very easy to exhaust resources on the server.
.Seth
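
A sketch of the detection logic this message asks for, added here as an example and not taken from the original post or from Bro itself. It is written in Python rather than as a Bro script; the event methods, connection ids, thresholds and sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

MIN_OBSERVE_SECS = 30.0  # assumed: observe a POST this long before judging it
MIN_BODY_RATE = 50.0     # assumed: bytes/sec below which the body counts as slow

@dataclass
class PostState:
    start: float         # when the request headers were seen
    declared: int        # Content-Length value
    received: int = 0    # body bytes seen so far

class SlowPostDetector:
    def __init__(self):
        self.posts = {}   # connection id -> PostState for unfinished POSTs
        self.alerts = []  # (connection id, received, declared, elapsed)

    def headers(self, ts, uid, content_length):
        self.posts[uid] = PostState(start=ts, declared=content_length)

    def body(self, ts, uid, nbytes):
        if (st := self.posts.get(uid)) is None:
            return
        st.received += nbytes
        if st.received >= st.declared:
            del self.posts[uid]  # body complete, stop tracking
        else:
            self._check(ts, uid, st)

    def sweep(self, now):  # periodic pass; catches clients silent after headers
        for uid, st in list(self.posts.items()):
            self._check(now, uid, st)

    def _check(self, now, uid, st):
        elapsed = now - st.start
        if elapsed >= MIN_OBSERVE_SECS and st.received / elapsed < MIN_BODY_RATE:
            self.alerts.append((uid, st.received, st.declared, elapsed))
            del self.posts[uid]  # alert once per request

def run_sample():
    # Constructed events: C1 trickles 1 byte per 15 s, C2 and C3 are benign.
    d = SlowPostDetector()
    for uid, length in (("C1", 1000), ("C2", 1000), ("C3", 5_000_000)):
        d.headers(0.0, uid, length)
    d.body(0.2, "C2", 1000)
    for t in (15.0, 30.0, 45.0, 60.0):
        d.body(t, "C1", 1)
        d.body(t, "C3", 1_000_000)
    d.sweep(60.0)
    return d.alerts
```

Judging by body rate rather than total duration keeps the large but steady upload (C3) from being flagged alongside the trickling client.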