[Snort-users] spoof detection?

Chris Green cmg at ...671...
Tue Nov 13 17:31:02 EST 2001


"Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...> writes:

> I was just reading an article on "How to Spot Source Address Spoofing".
> Pretty interesting. I was wondering if anyone is using Snort to try and
> detect when someone spoofs their address in an attempt to denial of service
> their site. It would go something like this:
>
> * Say my web server IP address is 200.200.200.200
> * An attacker somewhere on the Net spoofs their source address to that
> of my web server (200.200.200.200), then starts sending out packets all over
> the Net on a certain port, say port 21 for example.
> * All machines on the Net receiving these packets that don't have port
> 21 open respond to my web server with a RST, thinking my web server is the
> source of the packets.
> * So now my web server is receiving tons of RSTs from different hosts
> on the Net, where enough of them could cause a denial of service.
>
> Is there a way to set up Snort to look for a high threshold of RSTs so I can
> tell when someone might be spoofing my address and trying to cause a denial
> of service on my site?

No, but the place to do that would probably be stream4.  AFAICT, it's a
pretty poor DOS attack because you're only getting RSTs generated
that you should ignore, and the cost of injecting SYNs to random hosts
costs the same as the resulting RST flood.

It would have been much more efficient to SYN flood your IRC server
in the first place with spoofed IPs since the attacker already has the
ability to spoof.

In my experience, the most common case of seeing these is when some poor
old IRC server is getting SYN-flooded and you see a gazillion RSTs
from irc.blah.ru:6667

Is this article available online?  I would be interested to see if it
offered any other insights.
-- 
Chris Green <cmg at ...671...>
Laugh and the world laughs with you, snore and you sleep alone.
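Chris points at stream4 because the check Paul wants is stateful: an inbound RST is only suspicious when the protected host never sent the SYN it answers. The following is an added example, not from this thread or from Snort, of that "unsolicited RST" logic run over constructed packet records; the protected address, peer addresses, window and threshold are all assumptions.

```python
from collections import deque

PROTECTED = "200.200.200.200"   # the web server from the post (example address)
SYN, RST = 0x02, 0x04           # TCP flag bits

def detect_unsolicited_rsts(packets, window=10.0, threshold=20):
    """Flag bursts of inbound RSTs that answer SYNs the protected host never sent.

    packets: iterable of (ts, src, sport, dst, dport, flags), oldest first.
    Returns a list of (ts, rst_count, distinct_sources) alerts, one per burst.
    """
    outbound_syns = set()      # (peer, peer_port) we genuinely tried to reach
    recent = deque()           # (ts, peer) of unsolicited RSTs inside the window
    alerts = []
    for ts, src, sport, dst, dport, flags in packets:
        if src == PROTECTED and flags & SYN:
            outbound_syns.add((dst, dport))
        elif dst == PROTECTED and flags & RST and (src, sport) not in outbound_syns:
            recent.append((ts, src))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append((ts, len(recent), len({p for _, p in recent})))
                recent.clear()  # start a fresh count for the next burst
    return alerts

# Constructed traffic, not captured data. Legit: we SYN to 10.0.0.5:80 and it
# refuses with an RST; that RST is solicited and must not count.
SAMPLE_LEGIT = [
    (0.0, PROTECTED, 40001, "10.0.0.5", 80, SYN),
    (0.1, "10.0.0.5", 80, PROTECTED, 40001, RST),
]
# Paul's scenario: 25 hosts answer spoofed port-21 SYNs with RSTs sent to us.
SAMPLE_BACKSCATTER = SAMPLE_LEGIT + [
    (1.0 + i * 0.1, f"198.51.100.{i + 1}", 21, PROTECTED, 40000 + i, RST)
    for i in range(25)
]
# Chris's scenario: one SYN-flooded IRC server sends a stream of RSTs back to us.
SAMPLE_IRC = [
    (5.0 + i * 0.05, "192.0.2.10", 6667, PROTECTED, 50000 + i, RST)
    for i in range(30)
]

if __name__ == "__main__":
    for name, pkts in [("legit", SAMPLE_LEGIT), ("backscatter", SAMPLE_BACKSCATTER),
                       ("irc", SAMPLE_IRC)]:
        print(name, detect_unsolicited_rsts(pkts))
```

The distinct-source count in each alert separates the two cases Chris contrasts: many peers (someone spraying spoofed SYNs across the Net) versus a single peer (one server under a spoofed SYN flood).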