[Bro] Bro and flood protection

Benson Mathews benson.mathews at gmail.com
Tue Feb 18 09:50:17 PST 2014 

Hi Robin,

Thanks for the response. I've modified the script slightly and commented
out the install and uninstall addr_filters. See attached.

I tried running the script against a sample pcap that I generated using
hping3 (hping3 --rand-source 192.168.146.130 --flood -S -L 0 -p 80) and it
seemed to be logging the SYN attack alerts in the notice logs, atleast the
start of the attack:
1392741015.684576       -       -       -       -       -       -
-       -       -       SynFloodStart   Start of syn-flood against
192.168.146.130; sampling packets now        -       192.168.146.130
-       -       -       bro Notice::ACTION_LOG       3600.000000
F       -       -       -       -       -
1392741015.740914       -       -       -       -       -       -
-       -       -       SynFloodStart   Start of syn-flood against
192.168.146.130; sampling packets now        -       192.168.146.130
-       -       -       bro Notice::ACTION_LOG       3600.000000
F       -       -       -       -       -
1392741015.797104       -       -       -       -       -       -
-       -       -       SynFloodStart   Start of syn-flood against
192.168.146.130; sampling packets now        -       192.168.146.130
-       -       -       bro Notice::ACTION_LOG       3600.000000
F       -       -       -       -       -


But I also keep getting several runtime errors: *no such index
(current_victims[ip]) *on line 66 of the attached script. And I'm not sure
how to fix this. Any thoughts?


Thanks,
Benson



On Wed, Jan 29, 2014 at 6:29 PM, Robin Sommer <robin at icir.org> wrote:

>
>
> On Wed, Jan 29, 2014 at 14:14 -0500, you wrote:
>
> > synflood script that was provided on previous versions of Bro. Wondering
> if
> > there's something similar on Bro 2.2 or if the 1.5.x version would still
> > work?
>
> As far as I recall, the 1.5 script should still work.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 *     robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org/robin
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140218/aef04a88/attachment.html 
-------------- next part --------------
export {
	redef enum Notice::Type += {
	SynFloodStart,    # start of syn-flood against a certain victim
	SynFloodEnd,      # end of syn-flood against a certain victim
	SynFloodStatus,   # report of ongoing syn-flood
	};


# We report a syn-flood if more than SYNFLOOD_THRESHOLD new connections
# have been reported within the last SYNFLOOD_INTERVAL for a certain IP.
# (We sample the conns by one out of SYNFLOOD_SAMPLE_RATE, so the attempt
# counter is an estimated value.). If a victim is identified, we install a
# filter via install_dst_filter and sample the packets targeting it by
# SYNFLOOD_VICTIM_SAMPLE_RATE.
#
# Ongoing syn-floods are reported every SYNFLOOD_REPORT_INTERVAL.

global SYNFLOOD_THRESHOLD = 15000 &redef;
global SYNFLOOD_INTERVAL = 60 secs &redef;
global SYNFLOOD_REPORT_INTERVAL = 1 mins &redef;

# Sample connections by one out of x.
global SYNFLOOD_SAMPLE_RATE = 100 &redef;

# Sample packets to known victims with probability x.
global SYNFLOOD_VICTIM_SAMPLE_RATE = 0.01 &redef;

global conn_attempts: table[addr] of count &default = 0;
global victim_attempts: table[addr,addr] of count
	&default = 0  &read_expire = 5mins;

# We remember up to this many number of sources per victim.
global max_sources = 100;
global current_victims: table[addr] of set[addr] &read_expire = 60mins;
global accumulated_conn_attempts: table[addr] of count &default = 0;

global sample_count = 0;
global interval_start: time = 0;
}

# Using new_connection() can be quite expensive but connection_attempt() has
# a rather large lag that may lead to detecting flood too late. Additionally,
# it does not cover UDP/ICMP traffic.
event new_connection(c: connection)
	{
	if ( c$id$resp_h in current_victims )
		{
		++conn_attempts[c$id$resp_h];

		local srcs = current_victims[c$id$resp_h];
		if ( |srcs| < max_sources )
			add srcs[c$id$orig_h];
		return;
		}

	if ( ++sample_count % SYNFLOOD_SAMPLE_RATE == 0 )
		{
		local ip = c$id$resp_h;

		if ( ++conn_attempts[ip] * SYNFLOOD_SAMPLE_RATE >
		     SYNFLOOD_THRESHOLD )
			{
			NOTICE([$note=SynFloodStart, $src=ip,
				   $msg=fmt("Start of syn-flood against %s; sampling packets now", ip)]);

			add current_victims[ip][c$id$orig_h];

			# Drop most packets to victim.
			#install_dst_addr_filter(ip, 0,
			#		1 - SYNFLOOD_VICTIM_SAMPLE_RATE);
			# Drop all packets from victim.
			#install_src_addr_filter(ip, 0, 1.0);
			}
		}
	}

event check_synflood()
	{
	for ( ip in current_victims )
		{
		accumulated_conn_attempts[ip] =
			accumulated_conn_attempts[ip] + conn_attempts[ip];

		if ( conn_attempts[ip] * (1 / SYNFLOOD_VICTIM_SAMPLE_RATE) <
		     SYNFLOOD_THRESHOLD )
			{
			NOTICE([$note=SynFloodEnd, $src=ip, $n=|current_victims[ip]|,
				   $msg=fmt("end of syn-flood against %s; stopping sampling",
					ip)]);
 
			delete current_victims[ip];
			#uninstall_dst_addr_filter(ip);
			#uninstall_src_addr_filter(ip);
			}
		}

	clear_table(conn_attempts);
	schedule SYNFLOOD_INTERVAL { check_synflood() };
	}

event report_synflood()
	{
	for ( ip in current_victims )
		{
		local est_num_conn = accumulated_conn_attempts[ip] *
					(1 / SYNFLOOD_VICTIM_SAMPLE_RATE);

		local interv: interval;

		if ( interval_start != 0 )
			interv = network_time() - interval_start;
		else
			interv = SYNFLOOD_INTERVAL;

		NOTICE([$note=SynFloodStatus, $src=ip, $n=|current_victims[ip]|,
			   $msg=fmt("syn-flood against %s; estimated %.0f connections in last %s",
				    ip, est_num_conn, interv)]);
		}

	clear_table(accumulated_conn_attempts);

	schedule SYNFLOOD_REPORT_INTERVAL { report_synflood() };
	interval_start = network_time();
	}

event bro_init()
	{
	schedule SYNFLOOD_INTERVAL { check_synflood() };
	schedule SYNFLOOD_REPORT_INTERVAL { report_synflood() };
	}

More information about the Bro mailing list