[Snort-users] udpflood attack !

Matt Kettler mkettler at ...4108...
Thu Apr 17 08:11:12 EDT 2003


At 09:20 PM 4/17/2003 +0800, Liuhy wrote:
>Hello, everyone,
>
>I am a newbie in using snort, I have a question to ask:
>
>I used an application named "udpflood.exe" which sends udp packets to the 
>host that snort is running on, and
>I didn't change the snort.conf file. But snort can't find this attack, 
>and doesn't give any alert in the alert file.
>
>Why?

Well, first I'd be hard pressed to call a simple UDP flood an attack, it's 
more like an "over use of the network" which is a VERY ineffective and 
pathetic attempt to DoS a network which rarely works.  Did this "attack" 
actually succeed in doing anything to the snort box?

Also realize that if a simple single-source flood comes in over the 
internet, it's going to be much slower, as it will be limited by their link 
to the internet. Even if your attacker has a lot of bandwidth (i.e. a T3) to 
flood you with, the problem is easily alleviated by getting your ISP to 
block their packets. Since it's from a single source, this is trivial for 
them to do.

The fact that snort doesn't detect a trivial attack which is just as hard 
on the attacker as the person attacked doesn't really bother me. These 
attacks are so non-effective that they're pretty much nonexistent these 
days, other than someone flooding a dial-up user (they have so little 
network bandwidth on that 56k modem that flooding them is easy and it 
becomes practical to do).

As for how to detect it... what might be a flood of UDP traffic to you, 
might be routine for me, and a root server operator would be alarmed that 
the traffic level was too _LOW_. So just how many packets per second 
constitutes a flood?

spp_portscan2 can detect some kinds of floods, but it's really more likely 
to detect the ones that can actually do damage to a network from the 
internet. Things like fraggles, DDOS floods and synfloods don't consume an 
absurd amount of bandwidth at the sender's side and can cripple your 
network. Since there are either lots of ports or lots of sources involved 
in these attacks, they stick out quite nicely.

The Spade add-on may also detect some kinds of single-source single-port 
floods based on what port they target. If it's a really unusual port and 
isn't typical of traffic in/out of your network, it can alert.



>
>Thanks and regards!

You're welcome.
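Matt's point that "a flood for you might be routine for me" is really a statement that the packets-per-second threshold has to be a site-specific parameter. The following is an added example, not code from the list post or from Snort: a sliding-window per-(source, destination) UDP rate detector run over constructed traffic, where the same traffic either does or does not alert depending on the threshold the site chooses. Packet tuples, IPs and ports are constructed sample data.

```python
"""Sliding-window UDP rate detector (constructed example, not Snort code)."""
from collections import deque, defaultdict


def udp_flood_alerts(packets, pps_threshold, window=1.0):
    """packets: iterable of (timestamp_s, src_ip, dst_ip, dst_port, proto),
    sorted by timestamp. Emits one alert per (src, dst) pair the first time
    its UDP packet count inside any `window`-second span reaches
    pps_threshold. The threshold is the site-specific knob from the thread:
    what is a flood on a dial-up link is background noise elsewhere."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, dport, proto in packets:
        if proto != "udp":
            continue
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= pps_threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "pps": len(q), "at": round(ts, 3)})
    return alerts


def make_sample():
    """Constructed traffic: 30 DNS queries/s from a resolver (benign on most
    networks) plus 500 pkt/s from a single flooder to an unused port."""
    pkts = []
    for i in range(30):
        pkts.append((i / 30.0, "10.0.0.5", "10.0.0.53", 53, "udp"))
    for i in range(500):
        pkts.append((i / 500.0, "203.0.113.9", "10.0.0.20", 31337, "udp"))
    pkts.sort()
    return pkts


if __name__ == "__main__":
    sample = make_sample()
    # A 200 pps threshold flags only the flooder; 20 pps also flags the resolver.
    print(udp_flood_alerts(sample, pps_threshold=200))
    print(udp_flood_alerts(sample, pps_threshold=20))
```

With the threshold at 200 only the single-source flood alerts; lowered to 20 the DNS resolver alerts too, which is the false-positive trade-off Matt is describing.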





More information about the Snort-users mailing list