[Snort-devel] spp_flood (the importance of port connection?)

Vinay A. Mahadik VAMahadik at ...1463...
Thu Aug 8 10:18:05 EDT 2002


Cearns Angela wrote:
> 
> 
> For generic UDP and TCP flood detection:
> Option 1:
> -----------
> Should I differentiate the attack based on a
> particular port number? i.e., should I also track the
> number of packets received at each port in order to
> raise an alert? (X packets received at Z port over Y
> time)
> 

I think per (dip, dport) should be more effective. Are you only relying
on X/Y heuristics? There may not exist a decent X/Y rate threshold for
most networks without some sort of traffic conditioning. If you achieve
some stable incoming traffic distribution for a given (dport, dip)
combination, and place the threshold at a few standard deviations above
the average(?), a flood can still be achieved at rates slightly below
the known threshold rate for detection. Besides, a steady traffic rate
distribution typically doesn't exist (changes every hour, between days
etc). So, if you are looking for real time detection (else effects of
DoS will be felt and reported before your IDS), then you need to be
thinking 'anomaly detection' which is much more involved (and I don't
believe exists, without conditioning).

> 
> Option 2:
> -----------
> Do I only need to consider the total number of
> incoming packets from a specific source (regardless of
> which port the packets are targeted at)? (X packets over
> Y time)
> 

You will run out of state keeping track of all sources. You may confuse
scanners as flooders (policy wise, scanners may be tolerable? not
flooders). What about distributed floods?

Anyways, sorry about the pessimism, I have worked on a similar problem
for a while... and have had some bad experiences... I would be quite
interested in your progress.

Thanks,
Vinay.

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
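A minimal per-(dip, dport) rate tracker with a mean-plus-k-sigma threshold, added here as an illustration of the heuristic discussed above (it is not code from the thread or from Snort's spp_flood). The traffic figures, the 10.0.0.5 address, the one-second window and the 3-sigma setting are constructed assumptions; the sample shows the 1000 pkt/s window on port 53 being flagged while a 105 pkt/s window on port 80 stays under the ~107 pkt/s threshold, which is the below-threshold limitation Vinay points out.

```python
from collections import defaultdict
from math import sqrt


class PerDestFloodDetector:
    """Count packets per (dst_ip, dst_port) in fixed time windows and flag a
    window whose count exceeds mean + k*stddev of that key's earlier windows.
    Hypothetical illustration of the (dip, dport) heuristic, not Snort code."""

    def __init__(self, window=1.0, k=3.0, min_history=5):
        self.window = window            # seconds per bucket
        self.k = k                      # standard deviations above the mean
        self.min_history = min_history  # buckets needed before judging
        # (dst_ip, dst_port) -> bucket index -> packet count
        self.counts = defaultdict(lambda: defaultdict(int))

    def observe(self, ts, dst_ip, dst_port):
        # State is keyed on the destination only, so the table stays bounded
        # by local services rather than by the (unbounded) set of sources.
        self.counts[(dst_ip, dst_port)][int(ts // self.window)] += 1

    def threshold(self, key, upto_bucket):
        """Return mean + k*stddev of the buckets before upto_bucket, or None."""
        hist = [c for b, c in self.counts[key].items() if b < upto_bucket]
        if len(hist) < self.min_history:
            return None
        mean = sum(hist) / len(hist)
        var = sum((c - mean) ** 2 for c in hist) / len(hist)
        return mean + self.k * sqrt(var)

    def alerts(self):
        """Return (key, bucket, count, threshold) for every window over threshold."""
        out = []
        for key, buckets in self.counts.items():
            for b in sorted(buckets):
                thr = self.threshold(key, b)
                if thr is not None and buckets[b] > thr:
                    out.append((key, b, buckets[b], thr))
        return out


def build_sample():
    """Constructed traffic: ten quiet seconds on two ports, then second 10
    carries 1000 pkt/s on port 53 and 105 pkt/s on port 80."""
    det = PerDestFloodDetector(window=1.0, k=3.0, min_history=5)
    baseline = [100, 104, 98, 102, 100, 97, 103, 99, 101, 96]  # pkt/s, mean 100
    for sec, n in enumerate(baseline):
        for i in range(n):
            det.observe(sec + i / n, "10.0.0.5", 53)
            det.observe(sec + i / n, "10.0.0.5", 80)
    for i in range(1000):   # obvious flood: flagged
        det.observe(10 + i / 1000, "10.0.0.5", 53)
    for i in range(105):    # elevated but under mean + 3*sigma (~107.3): not flagged
        det.observe(10 + i / 105, "10.0.0.5", 80)
    return det
```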