[Snort-sigs] I need a rule for synk4.c attack

Ali BASEL alib at ...505...
Thu Apr 11 07:41:47 EDT 2002


I am attaching the synk4.c code.
Run it without giving a port range, like this:
# ./syn4k destination_ip 80 80
(if you haven't enabled syncookies in your Red Hat or any other 
distribution, it can keep the Apache web service busy)

I have tried several sleep times in the code... usleep(xxx);


Chris Green wrote:

> Ali BASEL <alib at ...505...> writes:
>>But, I wonder why snort can not detect it when there is no FIN bit ?
> A syn flooder is a rate limiting problem and is something we don't
> detect very well at the moment, and the best you can do is do rate
> std deviation of syns detected
>>What should I do ?
>>P.S.: If you want, I can send the program also (synk4.c).
> yes please do so we can look at the source and see if it has any
> problems that allow it to be detected easily.. 


Sabanci University
IT Dept.
Tel: +90 216 483 91 94
-------------- next part --------------
A non-text attachment was scrubbed...
Name: synk4.c.tar.z
Type: application/x-compress
Size: 3220 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020411/c82dc5f0/attachment.bin>
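
The rate and standard-deviation approach mentioned in the quoted reply, sketched as an added example that is not part of the original post and is not Snort code: it counts bare SYNs per one-second window to one destination and flags windows above the baseline mean plus k standard deviations. The event tuple layout, the 192.0.2.10 address, k=3, the floor value and the sample traffic are all constructed assumptions.

```python
import statistics
from collections import Counter

SYN, ACK = 0x02, 0x10

def syn_counts(events, dst, port, window=1.0):
    """Count bare SYNs (SYN set, ACK clear) to dst:port per time window."""
    counts = Counter()
    for ts, d, p, flags in events:
        if d == dst and p == port and (flags & (SYN | ACK)) == SYN:
            counts[int(ts // window)] += 1
    return counts

def flag_windows(counts, baseline, k=3.0, floor=1.0):
    """Flag windows whose SYN count exceeds baseline mean + k * stddev.

    floor keeps a very quiet baseline from producing a hair-trigger threshold.
    """
    base = [counts.get(w, 0) for w in baseline]
    sd = max(statistics.pstdev(base), floor)
    threshold = statistics.mean(base) + k * sd
    hits = sorted(w for w, c in counts.items()
                  if w not in baseline and c > threshold)
    return threshold, hits

def build_sample():
    """Constructed capture: 10 s of normal load, then 3 s of SYN-only burst."""
    dst, events = "192.0.2.10", []
    for sec, n in enumerate([4, 5, 3, 6, 4, 5, 4, 3, 5, 4]):
        events += [(sec + i / 10, dst, 80, SYN) for i in range(n)]
        events.append((sec + 0.95, dst, 80, ACK))  # handshake completion, not counted
    for sec in (10, 11, 12):
        events += [(sec + i / 200, dst, 80, SYN) for i in range(200)]
    events.append((13.1, dst, 80, SYN))  # traffic back to normal
    return events

def detect():
    counts = syn_counts(build_sample(), "192.0.2.10", 80)
    return flag_windows(counts, baseline=range(10))

if __name__ == "__main__":
    threshold, hits = detect()
    print(f"threshold={threshold:.1f} SYN/s, flagged windows={hits}")
```

The baseline windows must come from traffic known to be clean; a baseline that already contains a flood raises the threshold and hides it.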
