[Bro] detect Ack flooding attack
bchen at cs.ucf.edu
Mon May 23 19:52:52 PDT 2005
Hi Vern,
I have an interesting finding about the problem I met. It was the backdoor
analyzer that prevented those ack flooding packets from being logged. If I load
backdoor.bro into mt.bro and run Bro to read the tcpdump file (command line:
./bro -r 2000.dump mt), those ack flooding entries are missing in conn.log and
weird.log. If I unload backdoor.bro from mt.bro and run Bro, those ack flooding
packets are logged in conn.log and weird.log. The interesting thing is that
these ack flooding packets are sent by a backdoor program (the Mstream DDOS
tool). I don't understand why the backdoor analyzer blocks the logging of these
packets.
By the way, the latest version just released looks much slower than the
previous version on my machine (Linux).
Bing
Quoting Vern Paxson <vern at icir.org>:
>> Thank you for your reply. I corrected this filter expression and ran Bro,
>> but I got the same result. I can see these spoofed source IP packets with
>> Ethereal. All of them target the same host but with different destination
>> ports. The TCP flag of these packets is 0x0010 (ack). I found no single log
>> record was for such packets. Am I missing anything?
>> By the way, I am using the DARPA 2000 data set (Scenario one, inside
>> tcpdump file). This is the link for this data:
>> http://www.ll.mit.edu/IST/ideval/data/2000/LLS_DDOS_1.0.html
>
> Please send a small trace that can be used to reproduce the problem.
> Thanks.
>
> Vern
>
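The message above describes the detection problem from the defender's side: bare-ACK packets (TCP flags 0x0010) with spoofed sources hitting one host on many destination ports, yet no conn.log or weird.log entry. The following standalone Python script is an added example, not code from Bro, its backdoor analyzer, or the poster. It tallies ACK-only packets that were never preceded by a SYN for the same (source, destination, port) tuple, aggregates them per destination host, and flags a host as a likely ACK-flood victim when it is hit from many distinct sources on many distinct ports. The packet summaries, IP addresses and thresholds are all constructed assumptions for illustration; the input format ("SRC DST DPORT FLAGS_HEX") is a made-up summary line, not tcpdump output.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# TCP flag bits relevant here: a packet whose flags are exactly ACK is a "bare ACK".
SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int
    flags: int


def parse_summary(line: str) -> Pkt:
    """Parse one constructed summary line of the form 'SRC DST DPORT FLAGS_HEX'."""
    src, dst, dport, flags = line.split()
    return Pkt(src, dst, int(dport), int(flags, 16))


@dataclass
class VictimStats:
    packets: int = 0
    sources: set = field(default_factory=set)
    ports: set = field(default_factory=set)


def tally_orphan_acks(pkts):
    """Count bare-ACK packets per destination host that belong to no handshake
    seen in the same trace (no SYN for the same src/dst/dport tuple)."""
    syn_seen = {(p.src, p.dst, p.dport) for p in pkts if p.flags & SYN}
    stats = defaultdict(VictimStats)
    for p in pkts:
        if p.flags != ACK:
            continue  # only ACK-only packets are of interest
        if (p.src, p.dst, p.dport) in syn_seen:
            continue  # ACK of a connection we saw being set up: legitimate
        s = stats[p.dst]
        s.packets += 1
        s.sources.add(p.src)
        s.ports.add(p.dport)
    return dict(stats)


def detect_ack_flood(pkts, min_pkts=20, min_ports=10, min_srcs=10):
    """Return {victim_host: VictimStats} for hosts whose orphan-ACK traffic
    exceeds all three (assumed) thresholds. Spoofed floods show many sources
    and many ports; a single stray ACK does not."""
    return {
        dst: s
        for dst, s in tally_orphan_acks(pkts).items()
        if s.packets >= min_pkts
        and len(s.ports) >= min_ports
        and len(s.sources) >= min_srcs
    }


def analyze(lines):
    return detect_ack_flood([parse_summary(l) for l in lines])


# Constructed sample: one legitimate web connection (SYN then two ACKs),
# one stray orphan ACK to a second host, and a 30-packet spoofed ACK flood
# against a third host on 30 different destination ports.
SAMPLE_LINES = [
    "192.168.1.10 172.16.115.20 80 0x02",
    "192.168.1.10 172.16.115.20 80 0x10",
    "192.168.1.10 172.16.115.20 80 0x10",
    "192.168.1.11 172.16.115.30 443 0x10",
] + [f"10.{i}.{i}.{i} 172.16.112.50 {1024 + i} 0x10" for i in range(30)]


if __name__ == "__main__":
    for victim, s in analyze(SAMPLE_LINES).items():
        print(f"ACK flood against {victim}: {s.packets} bare ACKs, "
              f"{len(s.sources)} sources, {len(s.ports)} ports")
```

The point of keeping the SYN bookkeeping separate from the thresholding is that a flood of orphan ACKs is exactly the traffic a connection-oriented logger may discard as "not a connection"; tallying it per destination host, independently of connection state, is what makes it visible.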