[Snort-users] udpflood attack !
mkettler at ...4108...
Thu Apr 17 08:11:12 EDT 2003
At 09:20 PM 4/17/2003 +0800, Liuhy wrote:
>I am a newbie in using snort, I have a question to ask:
>I used an application named "udpflood.exe" which sends UDP packets to the
>host that snort is running on, and
>I don't change the snort.conf file. But snort can't find this attack,
>doesn't give any alert in the alert file.
Well, first I'd be hard-pressed to call a simple UDP flood an attack; it's
more like an "overuse of the network", which is a VERY ineffective and
pathetic attempt to DoS a network and rarely works. Did this "attack"
actually succeed in doing anything to the snort box?
Also realize that if a simple single-source flood comes in over the
internet, it's going to be much slower, as it will be limited by their link
to the internet. Even if your attacker has a lot of bandwidth (i.e., a T3) to
flood you with, the problem is easily alleviated by getting your ISP to
block their packets. Since it's from a single source, this is trivial for
them to do.
The fact that snort doesn't detect a trivial attack which is just as hard
on the attacker as on the person attacked doesn't really bother me. These
attacks are so ineffective that they're pretty much nonexistent these
days, other than someone flooding a dial-up user (they have so little
network bandwidth on that 56k modem that flooding them is easy and it
becomes practical to do).
As for how to detect it... what might be a flood of UDP traffic to you,
might be routine for me, and a root server operator would be alarmed that
the traffic level was too _LOW_. So just how many packets per second
constitutes a flood?
spp_portscan2 can detect some kinds of floods, but it's really more likely
to detect the ones that can actually do damage to a network from the
internet. Things like fraggle attacks, DDoS floods and SYN floods don't consume an
absurd amount of bandwidth at the sender's side and can cripple your
network. Since there are either lots of ports or lots of sources involved
in these attacks, they stick out quite nicely.
The Spade add-on may also detect some kinds of single-source single-port
floods based on what port they target; if it's a really unusual port and
isn't typical of traffic in/out of your network, it can alert.
>Thanks and regards!
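The reply above makes two points that are easy to show in code: there is no universal packets-per-second number that defines a "flood" (the same rate is an attack at one site and routine at another), and distributed or multi-port floods stand out because of how many sources or ports share a destination, whereas a single-source single-port flood only looks like overuse. The following is an added example, not code from the original post or from the Snort project. It is a simplified per-destination rate threshold loosely modelled on the idea behind Snort's `threshold` keyword (count N packets in M seconds, tracked by destination); the `Packet` record, the detector class, the class names and the traffic generator are all this example's own, and the traffic it runs over is constructed inline, not captured from a real network.

```python
"""Per-destination UDP rate threshold with source/port diversity, as an
illustration of the "how many pps is a flood?" question.  Everything here
(Packet, Alert, UdpThresholdDetector, constructed_traffic) is hypothetical
example code; the sample traffic is synthetic."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    ts: float          # arrival time in seconds
    src: str
    dst: str
    dport: int
    proto: str = "udp"


@dataclass
class Alert:
    ts: float
    dst: str
    packets: int
    seconds: float
    distinct_sources: int
    distinct_ports: int

    @property
    def kind(self) -> str:
        # Many sources or many ports to one destination "stick out";
        # one source on one port is what udpflood.exe-style tools produce.
        if self.distinct_ports > 1:
            return "multi-port flood / sweep"
        if self.distinct_sources > 1:
            return "distributed flood"
        return "single-source single-port flood"


class UdpThresholdDetector:
    """Alert once every `count` UDP packets that reach one destination
    within a sliding window of `seconds`.  The window is cleared after an
    alert so a sustained flood yields one alert per `count` packets."""

    def __init__(self, count: int, seconds: float) -> None:
        self.count = count
        self.seconds = seconds
        self._win: Dict[str, Deque[Packet]] = defaultdict(deque)

    def feed(self, pkt: Packet) -> Optional[Alert]:
        if pkt.proto != "udp":
            return None
        win = self._win[pkt.dst]
        win.append(pkt)
        # Drop packets that fell out of the sliding window.
        while win and win[0].ts < pkt.ts - self.seconds:
            win.popleft()
        if len(win) < self.count:
            return None
        alert = Alert(
            ts=pkt.ts, dst=pkt.dst, packets=len(win), seconds=self.seconds,
            distinct_sources=len({p.src for p in win}),
            distinct_ports=len({p.dport for p in win}),
        )
        win.clear()
        return alert


def run(packets: List[Packet], count: int, seconds: float) -> List[Alert]:
    det = UdpThresholdDetector(count, seconds)
    alerts: List[Alert] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        alert = det.feed(pkt)
        if alert is not None:
            alerts.append(alert)
    return alerts


def constructed_traffic() -> List[Packet]:
    """Synthetic mix: routine DNS load, one udpflood.exe-style sender,
    and a small distributed flood (all addresses are documentation ranges)."""
    pkts: List[Packet] = []
    # Routine resolver load: 200 pps from 50 clients for 3 s.
    for i in range(3 * 200):
        pkts.append(Packet(ts=i / 200, src=f"192.0.2.{i % 50 + 1}",
                           dst="10.0.0.53", dport=53))
    # Single source hammering the echo port at 2000 pps for 3 s.
    for i in range(3 * 2000):
        pkts.append(Packet(ts=i / 2000, src="198.51.100.7",
                           dst="10.0.0.5", dport=7))
    # 50 sources at 30 pps each for 1 s, all to one port.
    for s in range(50):
        for i in range(30):
            pkts.append(Packet(ts=i / 30 + s / 1500, src=f"203.0.113.{s + 1}",
                               dst="10.0.0.9", dport=80))
    return pkts


if __name__ == "__main__":
    for threshold in (1000, 100):
        print(f"--- count {threshold} in 1 s ---")
        for a in run(constructed_traffic(), count=threshold, seconds=1.0):
            print(f"t={a.ts:6.3f} {a.dst:10} {a.packets} pkts "
                  f"srcs={a.distinct_sources} ports={a.distinct_ports} {a.kind}")
```

Run as-is and compare the two passes: at 1000 packets per second the echo-port sender and the 50-source flood alert while the resolver stays quiet, but at 100 packets per second the same resolver traffic alerts six times and, because it comes from 50 clients, is labelled a distributed flood. The threshold is a site-specific baseline, not a property of the traffic.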