[Snort-users] tcp flood
mkettler at ...4108...
Mon Mar 7 10:25:15 EST 2005
At 12:19 AM 3/7/2005, Joaquin Grech wrote:
>If this can't be done with snort, is there any software to do that? I
>tried several firewalls but none had throttle handling like that per ip.
With plain IDS-mode snort you're not going to be able to block anything.
Snort can be made to block stuff using inline mode, or using one of several
add-ons. However, I've never run snort in inline mode, so I can't
comment on this. You'd probably want to use the classic portscan
preprocessor to do this, or use thresholding in a rule.
As for firewalls here's what I know of that can help with connection flooding:
IPTables with the "limit" extension can do this easily and with a great
deal of flexibility. You can even specify a burst connection limit before
the rate limiter engages, and an overall rate in connections per second,
minute, hour, or day.
Juniper Netscreen products can do this, but not quite the way you want.
It's the source threshold in zone screen, which specifies a per-source
connection-rate limit. Admittedly the limit is in pps, so you can't do 3
per 5 seconds, but you can do something like 3/s quite easily this way and
keep your problems at least somewhat regulated.
Cisco PIX firewalls can't set a per-source limit, but can set a limit on
the total embryonic connections, and total connections per server using the
static command. This doesn't help kill an attacker, but does help put an
upper bound on the load problems. However, this has the drawback of also
limiting legitimate connections while you're being flooded. Not very useful.
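The burst-then-rate throttle described for the iptables "limit" extension, modelled as a per-source token bucket and run over constructed SYN arrival times (an added illustration, not code from the thread; note that netfilter's plain `limit` match keeps one bucket per rule, while the `hashlimit` match gives the per-source behaviour simulated here). The 3-per-5-seconds figure from the thread is used as the rate:

```python
from collections import defaultdict


class SourceRateLimiter:
    """Per-source token bucket: `burst` connections are allowed up front,
    then tokens refill at `rate` per second. An attempt that finds no
    whole token is dropped, which is how the iptables limit/burst
    parameters behave."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate          # refill rate, tokens per second
        self.burst = burst        # bucket capacity (initial burst allowance)
        self._state = {}          # src -> (tokens, last_seen)

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self._state.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._state[src] = (tokens - 1.0, now)
            return True
        self._state[src] = (tokens, now)
        return False


def filter_syns(events, rate, burst):
    """events: iterable of (timestamp_seconds, src_ip) for incoming SYNs.
    Returns {src_ip: (accepted, dropped)} after applying the per-source limit."""
    limiter = SourceRateLimiter(rate, burst)
    stats = defaultdict(lambda: [0, 0])
    for t, src in sorted(events):
        stats[src][0 if limiter.allow(src, t) else 1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


# Constructed sample: one source fires 50 SYNs within a second (a flood),
# a normal client opens 3 connections spread over ten seconds.
SAMPLE = [(0.02 * i, "203.0.113.7") for i in range(50)] + [
    (0.0, "198.51.100.5"), (4.0, "198.51.100.5"), (9.0, "198.51.100.5"),
]

if __name__ == "__main__":
    # 3 connections per 5 seconds, burst of 3
    print(filter_syns(SAMPLE, rate=3 / 5, burst=3))
```

The flooding source gets its burst of 3 and then has the remaining 47 dropped, while the well-behaved client is never throttled because its bucket refills between attempts.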