[Snort-users] tcp flood

Matt Kettler mkettler at ...4108...
Mon Mar 7 10:25:15 EST 2005

At 12:19 AM 3/7/2005, Joaquin Grech wrote:
>If this can't be done with snort, is there any software to do that? I 
>tried several firewalls but none had throttle handling like that per ip.

With plain IDS-mode snort you're not going to be able to block anything. 
Snort can be made to block stuff using inline mode, or using one of several 
add-ons. However, I've never run snort in inline mode, so I can't 
comment on this. You'd probably want to use the classic portscan 
preprocessor to do this, or use thresholding in a rule.

As for firewalls here's what I know of that can help with connection flooding:

IPTables with the "limit" extension can do this easily and with a great 
deal of flexibility. You can even specify a burst connection limit before 
the rate limiter engages, and an overall rate in connections per second, 
minute, hour, or day.

Juniper Netscreen products can do this, but not quite the way you want. 
It's the source threshold in zone screen, which specifies a per-source 
connection-rate limit. Admittedly the limit is in pps, so you can't do 3 
per 5 seconds, but you can do something like 3/s quite easily this way and 
keep your problems at least somewhat regulated.

Cisco PIX firewalls can't set a per-source limit, but can set a limit on 
the total embryonic connections, and total connections per server using the 
static command. This doesn't help kill an attacker, but does help put an 
upper bound on the load problems. However, this has the drawback of also 
limiting legitimate connections while you're being flooded. Not very useful.
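As an added example that is not part of the post above: a small shell helper that converts the requested "3 connections per 5 seconds" into the integer-per-unit rate the iptables "limit" match accepts (it only takes /second, /minute, /hour or /day, so 3 per 5 s becomes 36/minute with a burst of 3) and emits the SYN rate-limit rules. The per-source variant uses the hashlimit match, which the post does not mention; chain, table and hashlimit name are assumed.

```shell
#!/bin/sh
# Convert "N new connections per S seconds" into the "rate burst" pair that
# the iptables limit/hashlimit matches accept (integer count per
# second/minute/hour/day, burst = N). Prints e.g. "36/minute 3".
# Returns 1 when no exact integer rate exists for any supported unit.
limit_rate() {
    n=$1; s=$2
    for unit in second minute hour day; do
        case $unit in
            second) secs=1 ;;
            minute) secs=60 ;;
            hour)   secs=3600 ;;
            day)    secs=86400 ;;
        esac
        # the rate is exact only when n*secs is divisible by s
        if [ $(( (n * secs) % s )) -eq 0 ]; then
            echo "$(( n * secs / s ))/$unit $n"
            return 0
        fi
    done
    return 1
}

# Global SYN rate limit with the "limit" match: SYNs within the rate (plus
# the initial burst) are accepted, everything beyond it is dropped.
# Assumes the INPUT chain of the filter table.
syn_limit_rules() {
    spec=$(limit_rate "$1" "$2") || return 1
    rate=${spec% *}; burst=${spec#* }
    printf 'iptables -A INPUT -p tcp --syn -m limit --limit %s --limit-burst %s -j ACCEPT\n' "$rate" "$burst"
    printf 'iptables -A INPUT -p tcp --syn -j DROP\n'
}

# Per-source-IP variant with the hashlimit match ("limit" counts all sources
# together). The hashlimit table name "synflood" is an assumed value.
syn_hashlimit_rules() {
    spec=$(limit_rate "$1" "$2") || return 1
    rate=${spec% *}; burst=${spec#* }
    printf 'iptables -A INPUT -p tcp --syn -m hashlimit --hashlimit-mode srcip --hashlimit-name synflood --hashlimit-upto %s --hashlimit-burst %s -j ACCEPT\n' "$rate" "$burst"
    printf 'iptables -A INPUT -p tcp --syn -j DROP\n'
}

# Show the rules for the 3-per-5-seconds case; nothing is applied.
syn_limit_rules 3 5
syn_hashlimit_rules 3 5
```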
