[Bro] detect Ack flooding attack

bchen at cs.ucf.edu bchen at cs.ucf.edu
Wed May 11 19:06:39 PDT 2005


Hello everyone,
      I am trying to use Bro to detect a DoS attack in a tcpdump file. This
attack uses ACK packets with spoofed random source IPs and random destination
ports to flood a remote server. I thought the weird analyzer should catch this
attack. I searched all log files generated by Bro and found that Bro didn't
capture any of these packets.
      I thought that Bro might drop these packets because there are no SYN
packets seen by Bro, so I ran the following command:

./bro -f "(tcp and ((tcp[13] & 0x7 != 0) or (tcp[13] & 0x10 == 1))) or udp or icmp" -r dos.dump mt

It unfortunately didn't work. Does anyone have any suggestions?

Thanks

Bing
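An added, stand-alone illustration of the detection the post is after (example code, not from the post and not Bro's own analyzer): it flags a host that receives many ACK segments with no preceding SYN, from many sources, to many ports, inside a short time window, and it also renders the post's capture filter in Python. Packet records, thresholds and the sample trace are constructed assumptions.

```python
# Added example, not from the post or from Bro: a stand-alone ACK-flood
# heuristic over constructed packet records (ts, src, dst, dport, flags).
from collections import defaultdict, namedtuple

SYN, ACK = 0x02, 0x10                      # TCP flag bits in tcp[13]
Pkt = namedtuple("Pkt", "ts src dst dport flags")

def bpf_flag_test(flags):
    """Python rendering of the post's capture filter:
    (tcp[13] & 0x7 != 0) or (tcp[13] & 0x10 == 1).  In pcap syntax '&'
    binds tighter than '==', and (x & 0x10) is only ever 0 or 0x10, so the
    second clause never matches: pure-ACK segments never reach Bro."""
    return (flags & 0x7) != 0 or (flags & 0x10) == 1

def ack_flood_targets(pkts, window=1.0, min_pkts=50, min_srcs=20, min_ports=20):
    """Map dst -> (orphan_acks, distinct_srcs, distinct_dports) for hosts that
    get >= min_pkts ACKs with no prior SYN on their (src, dst, dport) triple,
    from >= min_srcs sources to >= min_ports ports, inside one window."""
    seen_syn = set()                       # triples that began with a SYN
    orphan = defaultdict(list)             # dst -> [(ts, src, dport)]
    for p in sorted(pkts, key=lambda p: p.ts):
        key = (p.src, p.dst, p.dport)
        if p.flags & SYN:
            seen_syn.add(key)
        elif p.flags & ACK and key not in seen_syn:
            orphan[p.dst].append((p.ts, p.src, p.dport))
    alerts = {}
    for dst, evs in orphan.items():
        lo = 0
        for hi in range(len(evs)):         # sliding time window over sorted events
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            span = evs[lo:hi + 1]
            srcs = {s for _, s, _ in span}
            ports = {d for _, _, d in span}
            if len(span) >= min_pkts and len(srcs) >= min_srcs and len(ports) >= min_ports:
                alerts[dst] = max(alerts.get(dst, (0, 0, 0)), (len(span), len(srcs), len(ports)))
    return alerts

def constructed_trace():
    """Constructed sample: a real handshake plus two data ACKs to 10.0.0.5:80,
    then 100 spoofed ACKs from distinct sources to distinct ports in 0.5 s."""
    legit = [Pkt(999.0, "192.0.2.10", "10.0.0.5", 80, SYN),
             Pkt(999.1, "192.0.2.10", "10.0.0.5", 80, ACK),
             Pkt(999.2, "192.0.2.10", "10.0.0.5", 80, ACK)]
    flood = [Pkt(1000.0 + i * 0.005, f"203.0.113.{i}", "10.0.0.5", 1024 + 37 * i, ACK)
             for i in range(100)]
    return legit + flood
```

Running ack_flood_targets(constructed_trace()) reports only 10.0.0.5, while the legitimate flow alone produces no alert.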



