[Bro] Slow-motion DoS attack

Will baxterw3232 at gmail.com
Sat Jan 7 14:00:00 PST 2012


Hi All,

I was wondering if anyone has set anything up in Bro to monitor their web
servers for this style of attack. They recommend or caution against the use
of IPS' for blocking this attack as the false positive rate can be fairly
high for users with on a slow connection. Being that Bro can monitor and
maintain the state of a connection for a long time, I imagine it would be
perfect for this. Looking for lengthy connections with abnormally small
header request sizes sounds like it might be the best way to detect these.
Of course, there are likely outliers, but I imagine legitimate use could be
identified and whitelisted fairly easily.

http://arstechnica.com/business/news/2012/01/new-slow-motion-dos-attack-just-a-few-pcs-little-fear-of-detection.ars
https://community.qualys.com/blogs/securitylabs/2011/07/07/identifying-slow-http-attack-vulnerabilities-on-web-applications
https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks

Thanks in advance for any feedback!

-Will
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120107/1d3e88f3/attachment.html 


More information about the Bro mailing list