[Bro-Dev] Yet another thing to detect

Seth Hall seth at icir.org
Tue Nov 16 13:53:26 PST 2010

This should be easy to write a detection script for...


It's a tool that implements the recently discussed slow POST http DoS attack.  The client sends a long-ish Content-Length header (maybe even just 1000) and then every 15 seconds or so, sends a byte of data.  It takes a long time to send the entire 1000 bytes and the web server will sit there waiting for all of the data so it's very easy to exhaust resources on the server.


More information about the bro-dev mailing list