[Bro] detect Ack flooding attack

Vern Paxson vern at icir.org
Wed May 18 11:09:23 PDT 2005


>      Thank you for your reply. I corrected this filter expression and ran Bro,
> but I got the same result. I can see these spoofed source IP packets with
> Ethereal. All of them target the same host but with different destination
> ports. The TCP flag of these packets is 0x0010 (ACK). I found no single log
> record for such packets. Am I missing anything?
>      By the way, I am using the DARPA 2000 data set (Scenario one, inside
> tcpdump file). This is the link for this data:
> http://www.ll.mit.edu/IST/ideval/data/2000/LLS_DDOS_1.0.html

Please send a small trace that can be used to reproduce the problem.
Thanks.

		Vern
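The traffic the poster describes (ACK-only packets, spoofed sources, one target host, varying destination ports, no matching connection) is the signature of a stateless ACK flood, and the practical detection rule is "count ACK-only packets that belong to no connection whose handshake the sensor has seen, per destination host, per time window". The script below is an added example written for this page; it is not from the thread and is not Bro code or a Bro policy. The `Packet` record, `detect_ack_flood`, the thresholds and the sample trace are all constructed here for illustration; on a real capture you would feed it the TCP 4-tuple, flag byte and timestamp of each packet instead. As a quick check of the capture itself, the tcpdump/BPF expression `tcp[13] == 0x10` selects packets whose TCP flag byte is exactly ACK.

```python
from collections import defaultdict
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    """One TCP packet from a trace (hypothetical record type for this example)."""
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int     # raw TCP flag byte, e.g. 0x10 == ACK only


def detect_ack_flood(packets, window=1.0, min_pkts=50, min_srcs=10):
    """Flag destination hosts that receive, within `window` seconds, at least
    `min_pkts` ACK-only packets from at least `min_srcs` distinct sources, where
    no SYN was seen for the 4-tuple in either direction (the ACKs belong to no
    connection the sensor knows about). Returns {dst: (pkts, srcs, dports)}
    for the densest qualifying window per host. Thresholds are illustrative."""
    seen_syn = set()               # 4-tuples (either direction) for which a SYN was seen
    orphans = defaultdict(list)    # dst -> ACK-only packets matching no known 4-tuple
    for p in sorted(packets, key=lambda q: q.ts):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags & SYN:
            seen_syn.add(fwd)
            seen_syn.add(rev)
        elif p.flags == ACK and fwd not in seen_syn:
            orphans[p.dst].append(p)

    alerts = {}
    for dst, pkts in orphans.items():    # pkts are already in time order
        best = None
        start = 0
        for end in range(len(pkts)):
            # slide the window start forward until it spans at most `window` seconds
            while pkts[end].ts - pkts[start].ts > window:
                start += 1
            span = pkts[start:end + 1]
            srcs = {q.src for q in span}
            if len(span) >= min_pkts and len(srcs) >= min_srcs:
                if best is None or len(span) > best[0]:
                    best = (len(span), len(srcs), len({q.dport for q in span}))
        if best:
            alerts[dst] = best
    return alerts


def sample_trace():
    """Constructed traffic: one legitimate HTTP connection, one mid-stream ACK
    whose handshake predates the capture, and a spoofed-source ACK flood that
    hits the same host on varying ports (the pattern described in the thread)."""
    target = "10.0.0.5"
    pkts = [
        Packet(10.00, "10.0.0.1", 40000, target, 80, SYN),        # handshake
        Packet(10.01, target, 80, "10.0.0.1", 40000, SYN | ACK),
        Packet(10.02, "10.0.0.1", 40000, target, 80, ACK),        # legitimate ACK-only
        Packet(10.50, "10.0.0.1", 40000, target, 80, ACK),        # more legitimate ACKs
        Packet(50.00, "198.51.100.7", 51000, target, 22, ACK),    # lone orphan, not a flood
    ]
    for i in range(200):                                           # the flood: 200 pkts in 0.4 s
        pkts.append(Packet(100.0 + i * 0.002, f"203.0.113.{i + 1}", 40000 + i,
                           target, 1024 + i, ACK))
    return pkts


if __name__ == "__main__":
    for host, (n, srcs, dports) in detect_ack_flood(sample_trace()).items():
        print(f"ACK flood against {host}: {n} orphan ACKs from {srcs} sources "
              f"to {dports} destination ports")
```

The legitimate connection's ACK-only packets are not counted because their 4-tuple was seen in a SYN; the lone mid-stream ACK is counted as an orphan but never reaches the threshold on its own. Only the spoofed-source burst trips the rule. Note that this state is keyed on the exact 4-tuple, so an ACK from a real connection whose handshake happened before the capture started also looks like an orphan; the per-window thresholds are what keep such stragglers from alerting.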


