Educause Security Discussion mailing list archives
Re: Slow-read DOS
From: Seth Hall <seth () ICIR ORG>
Date: Sat, 21 Jan 2012 22:27:35 -0500
On Jan 17, 2012, at 3:06 PM, HOGGATT, ANDY F. wrote:
"FAKEVERB / HTTP/1.1" 301 227 http://code.google.com/p/slowhttptest/
I have a script for Bro that can detect several of the attacks that the slowhttptest can perform. Unfortunately, due to an oversight in our HTTP analyzer, it doesn't detect that "FAKEVERB" attack as the example command on the slowhttptest website demonstrates.

I attached the script in case anyone wants to try it out. I'd also be glad to hear from anyone that is seeing these attacks! This is the first I've heard of this tool being used in the wild.

.Seth
Attachment: http-DoS-detector.bro
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
Current thread:
- Slow-read DOS HOGGATT, ANDY F. (Jan 17)
- Re: Slow-read DOS Nathaniel Hall (Jan 17)
- Re: Slow-read DOS Seth Hall (Jan 21)