Educause Security Discussion mailing list archives

Re: Slow-read DOS


From: Seth Hall <seth () ICIR ORG>
Date: Sat, 21 Jan 2012 22:27:35 -0500


On Jan 17, 2012, at 3:06 PM, HOGGATT, ANDY F. wrote:

"FAKEVERB / HTTP/1.1" 301 227 http://code.google.com/p/slowhttptest/

I have a script for Bro that can detect several of the attacks that the slowhttptest can perform. Unfortunately, due to an oversight in our HTTP analyzer, it doesn't detect that "FAKEVERB" attack as the example command on the slowhttptest website demonstrates. I attached the script in case anyone wants to try it out.

I'd also be glad to hear from anyone that is seeing these attacks! This is the first I've heard of this tool being used in the wild.

  .Seth

Attachment: http-DoS-detector.bro

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

