[Snort-users] tcp flood
joaco at ...13133...
Mon Mar 7 17:17:28 EST 2005
I am checking your solutions. I am looking into a way to do the limit
through IPTables but I can't find a way to do so per IP (or if the attack is
massive, per general connection). Do you know the command or where to get
that extension you mention?
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Matt Kettler
Sent: Monday, March 07, 2005 1:25 PM
To: Joaquin Grech; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] tcp flood
At 12:19 AM 3/7/2005, Joaquin Grech wrote:
>If this can't be done with snort, is there any software to do that? I
>tried several firewalls but none had throttle handing like that per ip.
With plain IDS-mode snort you're not going to be able to block anything.
Snort can be made to block stuff using inline mode, or using one of several
add-ons. However, I've never run snort in inline mode, so I can't
comment on this. You'd probably want to use the classic portscan
preprocessor to do this, or use thresholding in a rule.
As for firewalls here's what I know of that can help with connection
IPTables with the "limit" extension can do this easily and with a great
deal of flexibility. You can even specify a burst connection limit before
the rate limiter engages, and an overall rate in connections per second,
minute, hour, or day.
Juniper Netscreen products can do this, but not quite the way you want.
It's the source threshold in zone screen, which specifies a per-source
connection-rate limit. Admittedly the limit is in pps, so you can't do 3
per 5 seconds, but you can do something like 3/s quite easily this way and
keep your problems at least somewhat regulated.
Cisco PIX firewalls can't set a per-source limit, but can set a limit on
the total embryonic connections, and total connections per server using the
static command. This doesn't help kill an attacker, but does help put an
upper bound on the load problems. However, this has the drawback of also
limiting legitimate connections while you're being flooded. Not very useful.
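As an added example (not code from Joaquin's or Matt's messages), the script below replays the "3 connections per 5 seconds, per source" policy discussed in the thread as a token bucket over constructed SYN log lines, and prints the iptables rules that enforce it. It assumes the hashlimit match is available (the thread names only the global limit match); the log lines and addresses are constructed.

```sh
# Added example, not from the thread: per-source SYN rate limiting.
LIMIT_COUNT=3    # connections allowed ...
LIMIT_WINDOW=5   # ... per this many seconds, per source IP

# Constructed sample log: "<epoch-seconds> <source-ip>", one line per SYN.
sample_syn_log() {
    cat <<'EOF'
100 10.0.0.9
100 192.0.2.10
100 10.0.0.9
101 10.0.0.9
101 10.0.0.9
102 10.0.0.9
102 10.0.0.9
110 192.0.2.10
120 192.0.2.10
200 10.0.0.9
EOF
}

# Per-source token bucket: each source starts with LIMIT_COUNT credits (the
# burst), regains LIMIT_COUNT/LIMIT_WINDOW credits per second, and a SYN is
# ACCEPTed only when a whole credit is available. This mirrors the burst-then-
# steady-rate semantics of limit/hashlimit (the kernel uses integer credits,
# so exact boundaries can differ slightly from this floating-point model).
token_bucket() {
    awk -v burst="$LIMIT_COUNT" -v window="$LIMIT_WINDOW" '
    BEGIN { rate = burst / window }
    {
        ts = $1; ip = $2
        if (!(ip in cred)) { cred[ip] = burst; last[ip] = ts }
        cred[ip] += (ts - last[ip]) * rate
        if (cred[ip] > burst) cred[ip] = burst
        last[ip] = ts
        if (cred[ip] >= 1) { cred[ip] -= 1; print ts, ip, "ACCEPT" }
        else { print ts, ip, "DROP" }
    }'
}

# Enforcing rules (pipe the output to sh as root to apply; place after the
# rules that accept ESTABLISHED traffic). hashlimit rates are per second,
# minute, hour or day, so 3 per 5 s becomes 36/minute with a burst of 3.
per_source_rules() {
    per_min=$((LIMIT_COUNT * 60 / LIMIT_WINDOW))
    echo "iptables -A INPUT -p tcp --syn -m hashlimit --hashlimit-name syn_per_src" \
         "--hashlimit-mode srcip --hashlimit-upto ${per_min}/minute" \
         "--hashlimit-burst ${LIMIT_COUNT} -j ACCEPT"
    echo "iptables -A INPUT -p tcp --syn -j DROP"
}

sample_syn_log | token_bucket
per_source_rules
```

In the replay, 10.0.0.9 gets two of its seven SYNs dropped while the slower 192.0.2.10 is never touched, which is the per-source behaviour a plain `-m limit` rule cannot give.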