33ddos or 34ddos detection rule

Attack characteristics

A mix of HTTP GET flooding, ICMP flooding and UDP flooding.

HTTP GET flooding characteristics

1. About one request every 4 seconds.

2. Certain headers vary randomly (Accept, User-Agent, Cache-Control).

3. Some packets (about 5%) carry no Cache-Control header at all.

4. Header order: Accept, Accept-Language, User-Agent, Accept-Encoding, Cache-Control, Proxy-Connection, Host.

Detection rule

# msg, sid and rev added so the rule loads (Snort rejects a rule without a sid); $HTTP_PORT must be defined in snort.conf (the stock variable is $HTTP_PORTS)
alert tcp any any -> any $HTTP_PORT (msg:"3.3 DDoS HTTP GET flooding - Cache-Control no-store, must-revalidate"; content:"|0d0a|Cache-Control|3a20|no-store, must-revalidate"; nocase; pcre:"/^Cache\x2dControl\x3a\s+no\x2dstore\x2c\s+must\x2drevalidate/im"; sid:1000001; rev:1;)
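Added example, not code from the original post: a Python check that applies the four characteristics above (fixed header order with Cache-Control optionally missing, the Cache-Control value the Snort rule keys on, and the roughly 4-second per-source cadence) to raw HTTP requests, which narrows matches compared with the single-signature Snort rule. The requests, IP addresses and timestamps are constructed for the example.

```python
from collections import defaultdict
# Header order the post documents for the bot's GET requests; Cache-Control is absent in about 5% of them.
ATTACK_HEADER_ORDER = ["accept", "accept-language", "user-agent", "accept-encoding",
                       "cache-control", "proxy-connection", "host"]
ORDER_WITHOUT_CC = [h for h in ATTACK_HEADER_ORDER if h != "cache-control"]
ATTACK_CACHE_CONTROL = "no-store, must-revalidate"  # the value the Snort rule's content/pcre keys on

def parse_headers(raw_request):
    """(name, value) pairs in wire order, names lower-cased; the request line is excluded."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    return [(n.strip().lower(), v.strip()) for n, v in
            (line.split(":", 1) for line in head.split("\r\n")[1:] if ":" in line)]

def matches_attack_profile(raw_request):
    """GET with exactly the bot's header order (Cache-Control optional) and, when present, the rule's
    Cache-Control value (compared case-insensitively with whitespace collapsed, like the rule's pcre)."""
    if not raw_request.startswith("GET "):
        return False
    headers = parse_headers(raw_request)
    if [name for name, _ in headers] not in (ATTACK_HEADER_ORDER, ORDER_WITHOUT_CC):
        return False
    cache_control = dict(headers).get("cache-control")
    return cache_control is None or " ".join(cache_control.lower().split()) == ATTACK_CACHE_CONTROL

def flag_sources(events, period=4.0, tolerance=1.0, min_gaps=3):
    """events: (timestamp_s, src_ip, raw_request). Flags sources whose last min_gaps gaps between
    profile-matching requests all sit within tolerance of the ~4 s cadence."""
    times = defaultdict(list)
    for ts, src, raw in sorted(events, key=lambda e: e[0]):
        if matches_attack_profile(raw):
            times[src].append(ts)
    flagged = set()
    for src, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])][-min_gaps:]
        if len(gaps) == min_gaps and all(abs(g - period) <= tolerance for g in gaps):
            flagged.add(src)
    return flagged

def bot_request(with_cache_control=True, ua="Mozilla/4.0 (compatible; MSIE 6.0)"):
    """Constructed request reproducing the documented header order (not a real capture)."""
    lines = ["GET / HTTP/1.1", "Accept: */*", "Accept-Language: ko", f"User-Agent: {ua}", "Accept-Encoding: gzip"]
    if with_cache_control:
        lines.append("Cache-Control: " + ATTACK_CACHE_CONTROL)
    lines += ["Proxy-Connection: Keep-Alive", "Host: www.example.com"]
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed sample traffic: a bot at ~4 s cadence (third request lacks Cache-Control) and a browser-like
# client sending the same Cache-Control value in a different header order, so only the bot is flagged.
BROWSER_REQUEST = ("GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n"
                   "Accept-Encoding: gzip\r\nCache-Control: no-store, must-revalidate\r\n\r\n")
SAMPLE_EVENTS = [(0.0, "192.0.2.10", bot_request()), (4.1, "192.0.2.10", bot_request(ua="Mozilla/5.0")),
                 (7.9, "192.0.2.10", bot_request(with_cache_control=False)), (12.0, "192.0.2.10", bot_request()),
                 (1.0, "198.51.100.7", BROWSER_REQUEST), (5.0, "198.51.100.7", BROWSER_REQUEST)]
```

Running `flag_sources(SAMPLE_EVENTS)` returns only the bot's address; the browser-like client is excluded by the header-order check even though its Cache-Control value alone would fire the Snort rule.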
