[Bro] bro policy to identify memcached attacks/participation

ps sunu pssunu6 at gmail.com
Tue Mar 6 21:58:28 PST 2018


After activating this script I am getting the warning below and Bro is not
starting:

warning in
/opt/data/behavior/spool/tmp/check-config-worker-1-1/local-networks.bro,
lines 41-42: multiple initializations for index (207.17.136.32/27)
warning in
/opt/data/behavior/spool/tmp/check-config-worker-1-1/local-networks.bro,
lines 57-58: multiple initializations for index (207.17.136.64/26)
warning in
/opt/data/behavior/spool/tmp/check-config-worker-1-1/local-networks.bro,
lines 70-71: multiple initializations for index (207.17.137.0/24)


On Sat, Mar 3, 2018 at 4:04 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:

> Neat.  I kind of have a generic version of this that detects any udp
> reflection attack, at least the ones we have seen.
>
> I've been meaning to make a package for it, I just want to generate some
> tests first.
>
> From research I've done, other than a few endpoints like VPN boxes that
> can be whitelisted and bittorrent uTP users, any large inbound or outbound
> udp flows are DoS attacks, especially when orig_h is remote.
>
> Justin Azoff
>
> > On Mar 2, 2018, at 4:37 PM, Scott Campbell <scottc at es.net> wrote:
> >
> > We have put together some sample bro policy that might be useful in
> > identifying:
> >
> > 1) memcached instances with publicly available TCP ports.
> > 2) UDP connection attempts to 11211/udp.
> > 3) excessive outbound traffic from an IP that has previously had an
> > inbound memcached 'get' request from outside the local address space.
> >
> > This code is a little green, but can be used to keep an eye on your
> > local network as this problem evolves.
> >
> > Repo can be found here:
> >
> > https://github.com/set-element/bro_memcached_detect
> >
> > If you have any questions please let me know and I will do what I can to
> > help. As well, any changes or improvements will be gladly integrated into
> > the code as well.
> >
> > Feel free to share with anyone as this is public information.
> >
> > Many thanks!
> > scott
> >
> > -----
> > Scott Campbell
> > ESnet Security Analyst
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
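The three checks Scott lists, run over conn.log-style records in Python, as an added example that is not code from the bro_memcached_detect repository or the Bro policy discussed in this thread. The local address space, the field order, the constructed sample records and the reply-volume threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed configuration: local address space and the reply-volume
# threshold are assumptions for this example, not values from the thread.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
MEMCACHED_PORT = 11211
REFLECTION_THRESHOLD = 1_000_000   # bytes answered to remote origins, per server
ESTABLISHED = {"S1", "S2", "S3", "SF"}  # Zeek conn_state values: handshake completed

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def parse_conn(line):
    """Parse a tab-separated record with the assumed field order: ts, id.orig_h,
    id.orig_p, id.resp_h, id.resp_p, proto, conn_state, orig_bytes, resp_bytes."""
    f = line.rstrip("\n").split("\t")
    return {"orig_h": f[1], "resp_h": f[3], "resp_p": int(f[4]), "proto": f[5],
            "conn_state": f[6], "orig_bytes": int(f[7]), "resp_bytes": int(f[8])}

def analyze(lines):
    alerts, exposed, reflected, reported = [], set(), defaultdict(int), set()
    for rec in map(parse_conn, lines):
        if rec["resp_p"] != MEMCACHED_PORT or not is_local(rec["resp_h"]):
            continue  # only traffic aimed at memcached on our own hosts
        remote_orig, server = not is_local(rec["orig_h"]), rec["resp_h"]
        if rec["proto"] == "tcp" and remote_orig and rec["conn_state"] in ESTABLISHED:
            alerts.append(("memcached_tcp_public", server))              # check 1
        elif rec["proto"] == "udp":
            alerts.append(("memcached_udp_attempt", rec["orig_h"], server))  # check 2
            if remote_orig and rec["orig_bytes"] > 0:
                exposed.add(server)  # served a request from outside local space
            if server in exposed and remote_orig:
                reflected[server] += rec["resp_bytes"]  # reply volume to remote origins
                if reflected[server] >= REFLECTION_THRESHOLD and server not in reported:
                    reported.add(server)
                    alerts.append(("memcached_reflection", server, reflected[server]))  # check 3
    return alerts

SAMPLE_CONN = [  # constructed records using documentation-range addresses
    "1520000000.1\t198.51.100.7\t40001\t192.0.2.10\t11211\ttcp\tSF\t60\t120",
    "1520000001.2\t198.51.100.8\t40002\t192.0.2.10\t11211\ttcp\tS0\t0\t0",
    "1520000002.3\t203.0.113.5\t80\t192.0.2.10\t11211\tudp\tSF\t15\t700000",
    "1520000002.4\t203.0.113.5\t80\t192.0.2.10\t11211\tudp\tSF\t15\t700000",
    "1520000003.5\t10.1.2.3\t50000\t192.0.2.10\t11211\tudp\tSF\t15\t200",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_CONN):
        print(alert)
```

The spoofed remote origin in the UDP records carries a service port (80) because in a reflection the source is the victim, and only the replies from the local server count toward the reflection threshold.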