[Bro] detect Ack flooding attack
bchen at cs.ucf.edu
Wed May 18 11:01:43 PDT 2005
Hi Vern,
Thank you for your reply. I corrected this filter expression and ran Bro,
but I got the same result. I can see these spoofed source IP packets with
Ethereal. All of them target the same host but with different destination
ports. The TCP flag of these packets is 0x0010 (ACK). I found that not a single
log record was for such packets. Am I missing anything?
By the way, I am using the DARPA 2000 data set (Scenario one, inside
tcpdump file). This is the link for this data:
http://www.ll.mit.edu/IST/ideval/data/2000/LLS_DDOS_1.0.html
Thank you for your time.
Bing
Quoting Vern Paxson <vern at icir.org>:
>> ./bro -f "(tcp and ((tcp[13] & 0x7 != 0) or (tcp[13] & 0x10 == 1)) )
>> or udp or
>
> The second test you give, for capturing ACK packets, is incorrect.
> It needs to be
>
> (tcp[13] & 0x10 == 0x10)
>
> - Vern
>
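The point in Vern's reply, shown as an added example that is not part of the thread (the packets, addresses and ports below are constructed, not taken from the DARPA data): `tcp[13]` is the TCP flags byte, ACK is bit 0x10, so `tcp[13] & 0x10` can only ever be 0 or 16 and the comparison `== 1` is unsatisfiable. The two predicates below re-implement the original and the corrected BPF expressions in Python and run them over a small set of hand-built IPv4/TCP packets that look like the described flood (spoofed sources, one victim, varying destination ports, flags = 0x10).

```python
"""Added example: why `tcp[13] & 0x10 == 1` never matches an ACK while
`tcp[13] & 0x10 == 0x10` does. All packets here are constructed test data."""
import socket
import struct

# TCP flag bits in the byte at TCP header offset 13 (RFC 793 layout).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags, ip_options=b""):
    """Build a minimal IPv4+TCP packet (no link layer, checksums left zero).
    ip_options lets us show that tcp[13] must be located via the IHL field,
    not hard-coded as byte 33 of the IP packet."""
    ihl_bytes = 20 + len(ip_options)
    assert ihl_bytes % 4 == 0, "IP options must pad to a 32-bit boundary"
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0,   # ports, seq, ack
                          5 << 4, flags,        # data offset (5 words), flags
                          8192, 0, 0)           # window, checksum, urgent ptr
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | (ihl_bytes // 4), 0,   # version/IHL, TOS
                         ihl_bytes + len(tcp_hdr), 0, 0,   # total len, id, frag
                         64, 6, 0,                         # TTL, proto=TCP, csum
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + ip_options + tcp_hdr


def tcp_byte(pkt, offset):
    """Equivalent of BPF's tcp[offset]: the byte `offset` into the TCP header,
    which starts after the IPv4 header whose length comes from IHL.
    Returns None for non-TCP packets (BPF's `tcp` qualifier fails)."""
    if pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + offset]


def original_filter(pkt):
    """(tcp[13] & 0x7 != 0) or (tcp[13] & 0x10 == 1)  -- the posted filter."""
    f = tcp_byte(pkt, 13)
    return f is not None and ((f & 0x7) != 0 or (f & 0x10) == 1)


def corrected_filter(pkt):
    """(tcp[13] & 0x7 != 0) or (tcp[13] & 0x10 == 0x10) -- Vern's correction."""
    f = tcp_byte(pkt, 13)
    return f is not None and ((f & 0x7) != 0 or (f & 0x10) == 0x10)


def possible_ack_test_values():
    """Every value `tcp[13] & 0x10` can take over all 256 flag bytes."""
    return {f & 0x10 for f in range(256)}


def ack_flood_sample(n=5):
    """Constructed packets shaped like the thread's description: spoofed
    sources, a single victim, different destination ports, flags = ACK only.
    One packet carries 4 bytes of NOP IP options to exercise IHL handling."""
    pkts = []
    for i in range(n):
        opts = b"\x01\x01\x01\x01" if i == 0 else b""
        pkts.append(build_ipv4_tcp(f"10.0.{i}.{i}", "192.168.1.10",
                                   40000 + i, 1000 + i, ACK, ip_options=opts))
    return pkts


def count_matches(filter_fn, pkts):
    return sum(1 for p in pkts if filter_fn(p))


if __name__ == "__main__":
    flood = ack_flood_sample()
    syn = build_ipv4_tcp("10.9.9.9", "192.168.1.10", 1234, 80, SYN)
    print("tcp[13] & 0x10 can be:", sorted(possible_ack_test_values()))
    print("original filter matches", count_matches(original_filter, flood),
          "of", len(flood), "ACK packets")
    print("corrected filter matches", count_matches(corrected_filter, flood),
          "of", len(flood), "ACK packets")
    print("SYN matched by both:", original_filter(syn), corrected_filter(syn))
```

The SYN/FIN/RST half of the expression is unaffected by the bug, which is why control packets still show up while a pure ACK flood (flags exactly 0x10) produces no log records at all under the original filter.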