[Emerging-Sigs] WS-Discovery Reflective DDoS
jake.warren at masergy.com
Wed Aug 28 10:34:09 HDT 2019
Submitting a rough rule for WSDD reflective DDoS attacks. I could use some
help testing/refining the rule. I would also like to have a rule to detect
devices responding & participating in the attack but I am not sure the best
way to go about it; maybe trigger on services responding with multiple
fault messages, or SOAP messages to outbound service ports (1:1024).
# NOTE: needs testing to determine threshold
alert udp $EXTERNAL_NET any -> $HOME_NET 3702 (msg:"WSDD DDoS Amp In (PoC-based)"; dsize:3; content:"|3c aa 3e|"; reference:url,
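Added example (not part of the post above and not an Emerging Threats rule): a small Python model of the two detection ideas in the message, run over constructed sample traffic. Only 3702/udp, dsize 3 and the |3c aa 3e| content come from the posted rule; the $HOME_NET range, the addresses, the 5-packets-in-10-seconds threshold and the SOAP Fault body are assumptions made for the example. It also goes one step past the post by computing a per-victim amplification ratio (bytes out from 3702 divided by bytes in), which is the number you would want before settling on a threshold.

```python
# Added example, not from the post or any published rule. Home net, hosts,
# threshold and the fault body are assumptions; 3702/udp, dsize 3 and the
# |3c aa 3e| payload are from the posted rule.
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress

HOME_NET = ipaddress.ip_network("192.0.2.0/24")   # assumption: $HOME_NET for the sample
WSDD_PORT = 3702                                  # WS-Discovery, from the posted rule
PROBE_CONTENT = b"\x3c\xaa\x3e"                   # content:"|3c aa 3e|" with dsize:3
SERVICE_PORTS = range(1, 1025)                    # the outbound "1:1024" ports from the post


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def is_home(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET


def is_amp_probe(pkt: Packet) -> bool:
    """The posted rule: $EXTERNAL_NET -> $HOME_NET:3702/udp with exactly the 3-byte PoC payload."""
    return (not is_home(pkt.src) and is_home(pkt.dst)
            and pkt.dport == WSDD_PORT and pkt.payload == PROBE_CONTENT)


def is_soap_to_service_port(pkt: Packet) -> bool:
    """Candidate reflection: a home device answers from 3702/udp with a SOAP
    Envelope/Fault towards an external host on a low service port (1-1024)."""
    return (is_home(pkt.src) and not is_home(pkt.dst)
            and pkt.sport == WSDD_PORT and pkt.dport in SERVICE_PORTS
            and b"Envelope" in pkt.payload)


def find_reflectors(packets, threshold=5, window=10.0):
    """Home hosts emitting >= threshold candidate reflections within `window` seconds.
    One stray Fault to a low port is noise; a burst is participation in the attack."""
    recent = defaultdict(deque)   # src -> timestamps of recent candidate packets
    reflectors = set()
    for pkt in sorted(packets, key=lambda p: p.ts):
        if not is_soap_to_service_port(pkt):
            continue
        q = recent[pkt.src]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            reflectors.add(pkt.src)
    return reflectors


def amplification_by_victim(packets):
    """Bytes our hosts send to each external address / bytes received from it on
    3702/udp. Large ratios mean our devices are amplifying traffic for someone."""
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    for pkt in packets:
        if is_amp_probe(pkt):
            inbound[pkt.src] += len(pkt.payload)
        elif is_soap_to_service_port(pkt):
            outbound[pkt.dst] += len(pkt.payload)
    return {ip: outbound[ip] / inbound[ip] for ip in inbound if inbound[ip]}


# Constructed sample traffic, not a capture. The fault body is a plausible
# SOAP 1.2 Fault written for this example, not taken from any real device.
SOAP_FAULT = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">'
    b'<soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value>'
    b'</soap:Code><soap:Reason><soap:Text xml:lang="en">Parse error</soap:Text>'
    b'</soap:Reason></soap:Fault></soap:Body></soap:Envelope>'
)
VICTIM, REFLECTOR = "198.51.100.7", "192.0.2.10"
SAMPLE = []
for i in range(5):
    # spoofed probe "from" the victim, then the device's much larger Fault back to the victim's port 80
    SAMPLE.append(Packet(i * 0.2, VICTIM, 80, REFLECTOR, WSDD_PORT, PROBE_CONTENT))
    SAMPLE.append(Packet(i * 0.2 + 0.01, REFLECTOR, WSDD_PORT, VICTIM, 80, SOAP_FAULT))
# legitimate in-LAN ProbeMatch to a client's ephemeral port: never flagged
SAMPLE.append(Packet(1.5, "192.0.2.20", WSDD_PORT, "192.0.2.21", 49152, SOAP_FAULT))
# one isolated answer to an external low port: a candidate, but under threshold
SAMPLE.append(Packet(2.0, "192.0.2.30", WSDD_PORT, "203.0.113.5", 443, SOAP_FAULT))


def summarize(packets=SAMPLE):
    return {
        "probes": sum(is_amp_probe(p) for p in packets),
        "reflectors": find_reflectors(packets),
        "amplification": amplification_by_victim(packets),
    }


if __name__ == "__main__":
    print(summarize())
```

The inbound check is the posted rule as written; the outbound check is the "SOAP to service ports 1:1024" idea from the post, with a count-in-window threshold standing in for a rule-level threshold keyword, since a single ProbeMatch to a low port also happens in benign traffic.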