[Snort-users] spoof detection?

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Tue Nov 13 14:42:03 EST 2001

I was just reading an article on "How to Spot Source Address Spoofing".
Pretty interesting. I was wondering if anyone is using Snort to try and
detect when someone spoofs their address in an attempt to denial of service
their site. It would go something like this:

*	Say my web server IP address is
*	An attacker somewhere on the Net spoofs their source address to that
of my web server (, then starts sending out packets all over
the Net on a certain port, say port 21 for example.
*	All machines on the Net receiving these packets that don't have port
21 open, respond to my web server with a RST, thinking my web server is the
source of the packets.
*	So now my web server is receiving tons of RSTs from different hosts
on the Net, where enough of them could cause a denial of service.

Is there a way to setup Snort to look for a high threshold of RSTs so I can
tell when someone might be spoofing my address and trying to cause a denial
of service on my site?


Paul Sheahan
Manager of Information Security
paul.sheahan at ...2218...

More information about the Snort-users mailing list