[Snort-users] tcp flood

SN ORT snort_on_acid at ...131...
Mon Mar 7 12:25:30 EST 2005


This is really a simple layer 3 issue that should be
dealt with at your perimeter, and not on IDS or even
firewall if it can be avoided.

You can rate-limit on just about any Cisco device
(including PiX) to limit DoS attacks, including TCP
SYN attacks, by using access-lists with rate-limit
commands. Look to your Internet routers to stop the
attacks.

Cheese!

Marc

> 
> Message: 1
> Date: Mon, 07 Mar 2005 13:24:41 -0500
> To: "Joaquin Grech" <joaco at ...13133...>,
> <snort-users at lists.sourceforge.net>
> From: Matt Kettler <mkettler at ...4108...>
> Subject: Re: [Snort-users] tcp flood
> 
> At 12:19 AM 3/7/2005, Joaquin Grech wrote:
> >If this can't be done with snort, is there any software to do that? I
> >tried several firewalls but none had throttle handling like that per ip.
> 
> With plain IDS-mode snort you're not going to be able to block anything.
> Snort can be made to block stuff using inline mode, or using one of several
> add-ons. However, I've never run snort in inline mode, so I can't
> comment on this. You'd probably want to use the classic portscan
> preprocessor to do this, or use thresholding in a rule.
> 
> 
> As for firewalls here's what I know of that can help
> with connection flooding:
> 
> IPTables with the "limit" extension can do this
> easily and with a great 
> deal of flexibility. You can even specify a burst
> connection limit before 
> the rate limiter engages, and an overall rate in
> connections per second, 
> minute, hour, or day.
> 
> Juniper Netscreen products can do this, but not
> quite the way you want. 
> It's the source threshold in zone screen, which
> specifies a per-source 
> connection-rate limit. Admittedly the limit is in
> pps, so you can't do 3 
> per 5 seconds, but you can do something like 3/s
> quite easily this way and 
> keep your problems at least somewhat regulated.
> 
> Cisco pix firewalls can't set a per-source limit,
> but can set a limit on 
> the total embryonic connections, and total
> connections per server using the 
> static command. This doesn't help kill an attacker,
> but does help put an 
> upper bound on the load problems. However, this has
> the drawback of also 
> limiting legitimate connections while you're being
> flooded. Not very useful.
> 
> 
> 
> --__--__--
> 
> Message: 2
> Date: Fri, 4 Mar 2005 11:49:59 -0700
> From: "Michael Graybill"
> <mgraybill at ...13139...>
> To: <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Help with Base ????
> 
> 
> Ok I installed snort and Base. I do have stuff in the logs
> (/var/log/snort/alert) but when I log into Base, it isn't pulling
> anything from the logs. Can someone help me fix this?
> 
> TIA,
> 
> Michael
> 
=== message truncated ===


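The burst-then-rate behaviour Matt describes for the iptables "limit" match (a rule of the shape `-m limit --limit 3/second --limit-burst 5 -j ACCEPT`, followed by a rule that drops what falls through) is a token bucket. The simulation below is an added illustration, not code from this thread or from netfilter: it replays a constructed set of SYN arrivals through a bucket with the same two parameters and reports which connections would pass. `per_source=False` mirrors a plain `limit` rule, where every matching packet draws from one shared bucket; `per_source=True` keys one bucket per source address, which is the per-IP throttling Joaquin asked for (in iptables that keying is what the separate `hashlimit` match provides, not `limit`). The sample addresses and timestamps are made up.

```python
"""Token-bucket simulation of an iptables-style connection rate limit.

Added illustration, not code from the list thread or from netfilter.
Models a burst allowance that is spent first, then a steady refill of
`rate_per_sec` new connections per second.  SYN arrivals are constructed.
"""
from collections import defaultdict

# Constructed sample: (timestamp in seconds, source IP) of inbound SYNs.
# One source sends 10 SYNs in under a second, then two more after a pause;
# a second source sends a single SYN during the flood.
SAMPLE_SYNS = [(round(0.1 * i, 1), "192.0.2.10") for i in range(10)] + [
    (0.2, "198.51.100.7"),
    (5.0, "192.0.2.10"),
    (5.1, "192.0.2.10"),
]


class TokenBucket:
    """Bucket holding at most `burst` tokens, refilled at `rate_per_sec`."""

    def __init__(self, rate_per_sec, burst):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.tokens = float(burst)   # starts full: the burst is spent first
        self.last = None

    def allow(self, now):
        """Return True if one connection may pass at time `now`."""
        if self.last is not None:
            # Refill for the elapsed interval, never beyond the burst size.
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def rate_limit(events, rate_per_sec=3.0, burst=5, per_source=False):
    """Decide ACCEPT/DROP for each SYN, in arrival order.

    per_source=False: one shared bucket, like a plain `-m limit` rule.
    per_source=True:  one bucket per source address (per-IP throttling).
    """
    buckets = defaultdict(lambda: TokenBucket(rate_per_sec, burst))
    decisions = []
    for ts, src in sorted(events):
        key = src if per_source else "*"
        verdict = "ACCEPT" if buckets[key].allow(ts) else "DROP"
        decisions.append((ts, src, verdict))
    return decisions


def summarize(decisions):
    """Per-source (accepted, dropped) counts."""
    counts = defaultdict(lambda: [0, 0])
    for _, src, verdict in decisions:
        counts[src][0 if verdict == "ACCEPT" else 1] += 1
    return {src: tuple(v) for src, v in counts.items()}


if __name__ == "__main__":
    for mode in (False, True):
        decisions = rate_limit(SAMPLE_SYNS, per_source=mode)
        print(f"per_source={mode}")
        for ts, src, verdict in decisions:
            print(f"  t={ts:4.1f}  {src:14s}  {verdict}")
        print("  totals:", summarize(decisions))
```

With the shared bucket the flooding host exhausts the burst and the well-behaved host's single SYN only gets through because it happens to arrive before the bucket empties; with per-source buckets the flooder is throttled to about the configured rate while the other host is unaffected, which is the difference between the global limit Matt describes and the per-IP control Joaquin wanted.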



