[Snort-users] tcp flood

Joaquin Grech joaco at ...13133...
Mon Mar 7 17:17:28 EST 2005


I am checking your solutions. I am looking into a way to do the limit
through IPTables but I can't find a way to do so per ip (or if the attack is
massive, per general connection). Do you know the command or where to get
that extension you mention?

Joaquin Grech

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Matt Kettler
Sent: Monday, March 07, 2005 1:25 PM
To: Joaquin Grech; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] tcp flood

At 12:19 AM 3/7/2005, Joaquin Grech wrote:
>If this can't be done with snort, is there any software to do that? I 
>tried several firewalls but none had throttle handing like that per ip.

With plain IDS-mode snort you're not going to be able to block anything. 
Sort can be made to block stuff using inline mode, or using one of several 
add-ons. However, I've  I've never run snort in inline mode, so I can't 
comment on this. You'd probably want to use the classic portscan 
preprocessor to do this, or use thresholding in a rule.

As for firewalls here's what I know of that can help with connection

IPTables with the "limit" extension can do this easily and with a great 
deal of flexibility. You can even specify a burst connection limit before 
the rate limiter engages, and an overall rate in connections per second, 
minute, hour, or day.

Juniper Netscreen products can do this, but not quite the way you want. 
It's the source threshold in zone screen, which specifies a per-source 
connection-rate limit. Admittedly the limit is in pps, so you can't do 3 
per 5 seconds, but you can do something like 3/s quite easily this way and 
keep your problems at least somewhat regulated.

Cisco pix firewalls can't set a per-source limit, but can set a limit on 
the total embryonic connections, and total connections per server using the 
static command. This doesn't help kill an attacker, but does help put an 
upper bound on the load problems. However, this has the drawback of also 
limiting legitimate connections while you're being flooded. Not very useful.

SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list