[Snort-users] LAND, TearDrop, Flooding attacks

Max Vision vision at ...4...
Thu Jul 20 16:16:06 EDT 2000


On Thu, 20 Jul 2000, Baoqing Ye wrote:
>   Can anyone tell me whether or not Snort (1.6) is able to detect:
> 1) Land attack, 2) TearDrop/Tear attack, and 3) flooding attacks, such as
> Smurf or pure Ping-flooding attacks?
> 
>    My guess is Land could be easier because it has an obvious signature. To
> detect Tear and its variant versions it needs to do reassembly or
> similar checking (stateful); it's more difficult. Flooding attacks have
> no obvious signatures purely from single packet analysis but to count
> the amount of packets targeting a certain node.
> 
Your guesses are correct - each of the attacks consists of more than a
single packet, and therefore are not easily identified using a typical
signature.  I would suggest a DoS plugin or integration with the
defragger, as there are about a dozen unique fragmentation-based DoS
attacks.
Max
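
The three cases discussed in this thread, as an added example that is not part of the original posts and is not Snort code: a stateless check for a LAND-style packet, per-datagram state to spot overlapping fragments, and a per-target counter for floods. The packet dictionaries, the field names, and the `window` and `threshold` values are assumptions made for illustration.

```python
from collections import defaultdict, deque

def pkt(t, src, dst, sport=0, dport=0, ip_id=0, off=0, length=0, mf=False):
    # Hypothetical simplified packet record; off and length are in bytes.
    return dict(t=t, src=src, dst=dst, sport=sport, dport=dport,
                id=ip_id, off=off, len=length, mf=mf)

# Constructed sample traffic (not a capture); addresses are documentation ranges.
SAMPLE = [
    pkt(0.0, "192.0.2.10", "192.0.2.10", 139, 139),            # same source and destination
    pkt(2.0, "198.51.100.7", "192.0.2.20", ip_id=242, off=0, length=36, mf=True),
    pkt(2.1, "198.51.100.7", "192.0.2.20", ip_id=242, off=24, length=4),   # lies inside first
    pkt(3.0, "198.51.100.8", "192.0.2.20", ip_id=7, off=0, length=24, mf=True),
    pkt(3.1, "198.51.100.8", "192.0.2.20", ip_id=7, off=24, length=16),    # contiguous, clean
] + [pkt(10.0 + i * 0.01, "203.0.113.%d" % i, "192.0.2.30") for i in range(8)]  # burst

def detect(packets, window=1.0, threshold=5):
    """Return (time, alert, key) tuples for the three attack classes."""
    alerts = []
    frags = defaultdict(list)     # (src, dst, ip_id) -> [(start, end), ...]
    recent = defaultdict(deque)   # dst -> timestamps still inside the window
    flooding = set()              # targets already reported as over threshold
    for p in sorted(packets, key=lambda p: p["t"]):
        # 1) LAND: one packet is enough, no state needed.
        if p["src"] == p["dst"] and p["sport"] == p["dport"]:
            alerts.append((p["t"], "land", p["dst"]))
        # 2) Fragment overlap: requires remembering earlier fragments
        #    of the same datagram, which a single-packet rule cannot do.
        if p["mf"] or p["off"] > 0:
            key = (p["src"], p["dst"], p["id"])
            start, end = p["off"], p["off"] + p["len"]
            if any(start < e and s < end for s, e in frags[key]):
                alerts.append((p["t"], "frag-overlap", key))
            frags[key].append((start, end))
        # 3) Flood: count packets per target in a sliding time window.
        q = recent[p["dst"]]
        q.append(p["t"])
        while q and q[0] <= p["t"] - window:
            q.popleft()
        if len(q) > threshold:
            if p["dst"] not in flooding:      # report once per episode
                alerts.append((p["t"], "flood", p["dst"]))
                flooding.add(p["dst"])
        else:
            flooding.discard(p["dst"])
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A real sensor would also expire the fragment and counter state after a timeout so the tables cannot grow without bound.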




