[Bro] SYN/ACK Attack

Robin Sommer robin at icir.org
Mon Jul 25 08:18:16 PDT 2016



On Sun, Jul 24, 2016 at 11:01 -0400, Tim Desrochers wrote:

> I have been seeing A LOT of SYN/ACK attacks lately on my net and it seems
> that every time Bro is switching the orig and resp IP's.

Bro has a few heuristics when to flip the endpoints. The main one is
that when it misses the initial SYN but the SYN/ACK is coming *from* a
well-known server port, it assumes it's seeing a responder-side
packet. This table determines what Bro considers a server port:
https://www.bro.org/sphinx/scripts/base/init-bare.bro.html#id-likely_server_ports

To help spot cases where the direction got flipped, master recently
got a feature that now adds a '^' flag to the connection history in
these cases.

Robin

-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
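The heuristic Robin describes, as an added simulation that is not Bro's own code: a small tracker that fixes orig/resp from the first packet it sees, flips them when that packet is a SYN/ACK from a likely server port, and marks the history with '^'. The port set is a constructed subset of Bro's likely_server_ports, and history letters are recorded once per direction, which is a simplification of Bro's real rules.

```python
# Simulation of Bro's direction-flip heuristic (added example, not Bro code).
from dataclasses import dataclass

# Assumption: a constructed subset of Bro's likely_server_ports table.
LIKELY_SERVER_PORTS = {22, 25, 53, 80, 443, 993}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


def flag_letter(p: Packet) -> str:
    """Map TCP flags to a history letter in its originator (uppercase) form."""
    if p.rst:
        return "R"
    if p.fin:
        return "F"
    if p.syn:
        return "H" if p.ack else "S"   # H = SYN/ACK, S = bare SYN
    return "A"


def track_connection(packets):
    """Return (orig_ip, resp_ip, history) for an ordered packet sequence.

    A bare SYN as first packet makes its sender the originator. A SYN/ACK
    as first packet (the SYN was missed) whose source port is a likely
    server port makes its sender the responder and adds '^' to history.
    Responder-side packets get lowercase letters, as in Bro's conn.log.
    """
    first = packets[0]
    history = ""
    if first.syn and first.ack and first.sport in LIKELY_SERVER_PORTS:
        orig, resp = first.dst, first.src   # flip: the sender is the server
        history += "^"
    else:
        orig, resp = first.src, first.dst
    for p in packets:
        letter = flag_letter(p)
        if p.src != orig:
            letter = letter.lower()         # packet came from the responder
        if letter not in history:           # simplification: one letter per direction
            history += letter
    return orig, resp, history
```

A conn.log row whose history starts with '^' and whose "client" sits on port 443 is therefore the heuristic at work, not the client actually serving.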