[Snort-users] DOS rules for Nimda

Richard Ellerbrock richarde at ...6992...
Thu Sep 26 07:52:04 EDT 2002


Thanks for the pointer, but really only this is applicable:

    *  Rate-limit TCP synchronize/start (SYN) packets. This does not
protect a host, but it allows your network to run in a degraded manner
and still remain up. By rate-limiting SYNs, you are throwing away
packets that exceed a certain rate, so some TCP connections will get
through, but not all.

As stated in my other note, the problem that I have is the denial of
service associated with the scanning for new hosts to infect. They do
not mention in the doc how to actually do the TCP rate limiting. This
is a Cisco site, but I am not really a Cisco expert.

>>> "Tudor Panaitescu" <tpanaitescu at ...2032...> 2002/09/26 04:37:48 >>>

Even Better (assuming that you have Cisco):

http://www.cisco.com/warp/public/63/nimda.shtml 

Enjoy,
T

To: "Richard Ellerbrock" <richarde at ...6992...>, snort-users at lists.sourceforge.net
cc: (bcc: Tudor Panaitescu/ColorconUS)
Subject: RE: [Snort-users] DOS rules for Nimda

First things first, forget intrusion detection. 
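
The SYN rate limiting quoted at the top of this message, as an added example that is not part of the original thread or of the Cisco document: a small simulation that models the limiter as a token bucket applied to SYN packets only. The token-bucket model, the `SynPolicer` name, the 50 SYN/s rate, the burst of 20 and the traffic are all assumptions constructed for illustration; this is not router configuration.

```python
from collections import Counter

class SynPolicer:
    """Token bucket over TCP SYNs only; integer milli-tokens keep the maths exact."""
    def __init__(self, syn_per_sec, burst):
        self.rate = syn_per_sec            # milli-tokens added per millisecond
        self.cap = burst * 1000            # bucket depth in milli-tokens
        self.tokens, self.last_ms = self.cap, 0

    def allow(self, t_ms, is_syn):
        if not is_syn:
            return True                    # packets of established connections are not policed
        # Refill for the time elapsed since the previous SYN, capped at the burst size.
        self.tokens = min(self.cap, self.tokens + (t_ms - self.last_ms) * self.rate)
        self.last_ms = t_ms
        if self.tokens >= 1000:            # one whole token pays for one SYN
            self.tokens -= 1000
            return True
        return False                       # over the rate: the SYN is thrown away

def constructed_traffic(duration_ms=2000):
    """Constructed sample: (time_ms, source, is_syn) for one scanning host and one client."""
    pkts = [(t, "scanner", True) for t in range(0, duration_ms, 5)]      # 200 SYN/s
    pkts += [(t, "client", True) for t in range(2, duration_ms, 200)]    # 5 SYN/s
    pkts += [(t, "client", False) for t in range(1, duration_ms, 100)]   # data packets
    return sorted(pkts)

def simulate(syn_per_sec=50, burst=20):
    """Run the constructed traffic through the policer and count verdicts per flow type."""
    policer, stats = SynPolicer(syn_per_sec, burst), Counter()
    for t_ms, src, is_syn in constructed_traffic():
        verdict = "forwarded" if policer.allow(t_ms, is_syn) else "dropped"
        stats[(src, "syn" if is_syn else "data", verdict)] += 1
    return stats

if __name__ == "__main__":
    for key, count in sorted(simulate().items()):
        print(*key, count)
```

In this constructed run the aggregate SYN rate on the link stays bounded, but the client's SYNs draw on the same bucket as the scanner's, so most of them are dropped as well once the burst is spent.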



