[Snort-users] not detecting common intrusion

Jeff Nathan jeff at ...950...
Thu Jun 27 00:51:03 EDT 2002


Cearns Angela wrote:
> 
> Thank you Erek:
> 
> I'm indeed pouring thru the doc at the snort website.
> Erek, I'm a student at the University of Colorado
> doing research on DDOS and various mitigation methods.
> I'm currently building a testbed to simulate DDoS
> attack and trying to find out a better way to respond
> to the attack. One area of my research focus is rate
> limiting. Can I ask you and the mailing list
> participants for some personal advice?
> 
> Would it be useful to add a X processor to snort to do
> a bandwidth consumption type of detection? Or is there
> a much easier way to detect "bandwidth usage beyond a
> certain threshold" that it's really not worth it to
> add it to snort?
> 
> What about adding a rate limiting capability to snort
> thru X processor as an "action" to the detection of
> "bandwidth overuse"? Will this be a useful feature or
> is it just easier for people to configrue rate
> limiting through iptables?
> 
> Erek, I don't mean to bombard you with questions but
> I've been pounding my head for weeks. Thank you so
> much for your help.
> 
> With sincere gratitude,
> Ang
> 

Ang,

Are you interested in discovering whether or not your network is being
used as part of a larger DDoS or in mitigating the effects of a DDoS/DoS
on your network?

Attempts to 'protect against' incoming DDoS and DoS at the border of a
network are basically futile.  Detection mechanisms such as flow data
off a router or raw packet per second rates coupled with some telltale
signs of DoS traffic might tell you you're under attack but there's
really nothing you can do about it at the edge of your network.  To
paraphrase something Dug Song said, it's like trying to close your mouth
when someone turns a fire hose on in front of your face.

The research on distributed DDoS detection being done at Arbor networks
seems very promising as they've been working on the problem for some
time.

Detecting outbound DDoS/DoS traffic from your network is a somewhat more
manageable task and could possibly be accomplished with snort.

-Jeff

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein




More information about the Snort-users mailing list