[Bro] detect Ack flooding attack

bchen at cs.ucf.edu bchen at cs.ucf.edu
Wed May 18 12:06:21 PDT 2005


Hi Vern,
   The attachment is a small trace file. Thanks.

Bing


Quoting Vern Paxson <vern at icir.org>:

>>      Thank you for your reply. I corrected this filter expression
>> and ran Bro,
>> but I got the same result. I can see these spoofed source IP packets with
>> Ethereal. All of them target the same host but with different destination
>> ports. The TCP flag of these packets is 0x0010 (ack). I found that not a single
>> log record was for such packets. Am I missing anything?
>>      By the way, I am using the DARPA 2000 data set (Scenario one, inside
>> tcpdump file). This is the link for this data:
>> http://www.ll.mit.edu/IST/ideval/data/2000/LLS_DDOS_1.0.html
>
> Please send a small trace that can be used to reproduce the problem.
> Thanks.
>
> 		Vern
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smalltrace
Type: application/octet-stream
Size: 7574 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20050518/78b6b5d6/attachment.obj 

