[Snort-users] Idea for a Denial of Service against Snort

Erich Meier Erich.Meier at ...99...
Thu Jul 20 06:13:21 EDT 2000


On Thu, Jul 20, 2000 at 11:56:14AM +0200, Andrea Barisani wrote:
> Hi!
> 
> Recently I was thinking about a denial of service against machines that are
> using snort and I came up with this strange idea.
> 
> If I create a set of scripts or a program that would read a snort rules
> file and would flood some host with all the packets that match the
> entries of that rules-file I can create a LOT of work for the logging
> system of snort. I guess that flooding for just a minute could cause
> several problems even on fast machines.
> I have not yet tested that, mainly because I haven't the time to build the
> program but I wonder if there is someone who wants to try that.
> 
> Maybe an option in snort that limits the rate of events logged per second
> could be useful...
> 
> What do you think?

I think the problem lies not within snort. It really can keep up with a high
frequency of alarms, even without binary logging and fast alerts. Do you really
want to drop alerts at the very first stage?

IMHO the problem lies in the rest of the alarm chain. Syslogds could be swamped.
Lots of sysadmins watch their logfiles with swatch or logsurfer and send alerts
by email. And that's the real danger. With a slow mail delivery system or if
the recipients use some kind of filtering system (e.g. procmail) the mailserver
goes south.

Been there, done that. :-(((

So a rate limiting system for swatch et al. would be far more effective.

Erich
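Erich's point is that the throttle belongs in the alert chain (swatch, logsurfer, the mailer), not inside Snort itself. As an added example that is not part of this thread and not code from the Snort or swatch projects, here is a small Python filter that would sit between Snort's one-line alert output and a mail notifier: it parses alert lines in Snort's fast-alert format, limits deliveries per (signature, source IP, destination IP) and in total within a sliding time window, and counts what it held back so a single summary can be mailed instead of one message per packet. The sample alert lines, signature IDs, addresses and thresholds are all constructed for the example.

```python
"""Rate-limit Snort fast-format alerts before they reach a mail-based notifier.

Added example for the snort-users thread; not Snort, swatch or logsurfer code.
"""
import re
from collections import defaultdict, deque

# Constructed sample lines in Snort's one-line ("fast") alert format.
# Lines 1-6 are one signature fired six times within a millisecond from one
# host (the flood case), lines 7-10 are four unrelated signatures, and line 11
# is the first signature again 90 seconds later.
SAMPLE_ALERTS = [
    "07/20-06:10:01.000001  [**] [1:1000:1] CONSTRUCTED flood sig [**] {TCP} 10.0.0.5:40001 -> 10.0.0.1:80",
    "07/20-06:10:01.000002  [**] [1:1000:1] CONSTRUCTED flood sig [**] {TCP} 10.0.0.5:40002 -> 10.0.0.1:80",
    "07/20-06:10:01.000003  [**] [1:1000:1] CONSTRUCTED flood sig [**] {TCP} 10.0.0.5:40003 -> 10.0.0.1:80",
    "07/20-06:10:01.000004  [**] [1:1000:1] CONSTRUCTED flood sig [**] {TCP} 10.0.0.5:40004 -> 10.0.0.1:80",
    "07/20-06:10:01.000005  [**] [1:1000:1] CONSTRUCTED flood sig [**] {TCP} 10.0.0.5:40005 -> 10.0.0.1:80",
    "07/20-06:10:01.000006  [**] [1:1000:1] CONSTRUCTED flood sig [**] {TCP} 10.0.0.5:40006 -> 10.0.0.1:80",
    "07/20-06:10:02.000001  [**] [1:2000:1] CONSTRUCTED sig two [**] {TCP} 10.0.0.7:5555 -> 10.0.0.1:22",
    "07/20-06:10:02.000002  [**] [1:3000:1] CONSTRUCTED sig three [**] {TCP} 10.0.0.8:6666 -> 10.0.0.1:25",
    "07/20-06:10:02.000003  [**] [1:4000:1] CONSTRUCTED sig four [**] {UDP} 10.0.0.9:7777 -> 10.0.0.1:53",
    "07/20-06:10:02.000004  [**] [1:5000:1] CONSTRUCTED sig five [**] {TCP} 10.0.0.10:8888 -> 10.0.0.1:80",
    "07/20-06:11:30.000001  [**] [1:1000:1] CONSTRUCTED flood sig [**] {TCP} 10.0.0.5:40007 -> 10.0.0.1:80",
]

# Fast-alert line: timestamp, [**], [gid:sid:rev], message, [**], optional
# [Classification: ...] / [Priority: n] blocks, {proto}, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[[^\]]*\]\s+)*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    hms = m.group("ts").split("-", 1)[1]          # "HH:MM:SS.ffffff"
    h, mi, s = hms.split(":")
    seconds = int(h) * 3600 + int(mi) * 60 + float(s)  # seconds since midnight
    return {
        "time": seconds,
        "sid": m.group("sid"),
        "msg": m.group("msg"),
        "proto": m.group("proto"),
        "src_ip": m.group("src").rsplit(":", 1)[0],  # strip port; ICMP has none
        "dst_ip": m.group("dst").rsplit(":", 1)[0],
    }


class AlertThrottle:
    """Sliding-window limiter: at most max_per_key deliveries per
    (sid, src_ip, dst_ip) and max_total deliveries overall per window seconds."""

    def __init__(self, max_per_key, max_total, window):
        self.max_per_key = max_per_key
        self.max_total = max_total
        self.window = window
        self.per_key = defaultdict(deque)   # key -> times of delivered alerts
        self.total = deque()                # times of all delivered alerts
        self.suppressed = defaultdict(int)  # key -> number held back

    def _prune(self, dq, now):
        while dq and now - dq[0] >= self.window:
            dq.popleft()

    def offer(self, alert):
        """Return True if the alert should be delivered now, else count it."""
        now = alert["time"]
        key = (alert["sid"], alert["src_ip"], alert["dst_ip"])
        dq = self.per_key[key]
        self._prune(dq, now)
        self._prune(self.total, now)
        if len(dq) < self.max_per_key and len(self.total) < self.max_total:
            dq.append(now)
            self.total.append(now)
            return True
        self.suppressed[key] += 1
        return False


def deliver(lines, max_per_key=2, max_total=5, window=60.0):
    """Run the throttle over alert lines; return (delivered alerts, suppressed counts)."""
    throttle = AlertThrottle(max_per_key, max_total, window)
    delivered = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        if throttle.offer(alert):
            delivered.append(alert)
    return delivered, dict(throttle.suppressed)


def summary_lines(suppressed):
    """Format the held-back counts as lines for one digest mail."""
    return ["%d suppressed: sid %s %s -> %s" % (n, k[0], k[1], k[2])
            for k, n in sorted(suppressed.items())]


if __name__ == "__main__":
    sent, held = deliver(SAMPLE_ALERTS)
    for a in sent:
        print("MAIL: [%s] %s %s -> %s" % (a["sid"], a["msg"], a["src_ip"], a["dst_ip"]))
    for line in summary_lines(held):
        print("DIGEST: " + line)
```

With the thresholds used here, the six-packet burst from one host yields two mails and a digest line reporting four held back, the overall cap then absorbs the fifth unrelated signature, and the same signature 90 seconds later is delivered again once the window has moved on. The per-key limit is what stops a single matching flood from turning into one mail per packet; the overall cap protects the mailer when the flood spans many signatures.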