[Snort-users] tcp flood

SN ORT snort_on_acid at ...131...
Tue Mar 8 06:50:59 EST 2005


Well if you want to do it that way (again, I would
block at the perimeter) then you can use these
commands:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j
ACCEPT
iptables -A INPUT -p tcp --syn -j LOG --log-prefix
"SYN FLOOD "
iptables -A INPUT -p tcp --syn -j DROP


Cheese!

Marc


--- Joaquin Grech <joaco at ...13133...> wrote:
> I am looking at the iptables but I can't find a way
> to block based on
> throttle per ip, only for the whole type of
> connection.
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On
> Behalf Of Matt Kettler
> Sent: Monday, March 07, 2005 5:13 PM
> To: SN ORT; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] tcp flood
> 
> At 03:25 PM 3/7/2005, SN ORT wrote:
> >You can rate-limit on just about any Cisco device
> >(including PiX) to limit DoS attacks, including TCP
> >SYN attacks, by using access-lists with rate-limit
> >commands. Look to your Internet routers to stop the
> >attacks.
> 
> 
> Marc,
> 
> The Cisco PiX OS as of the most recent released
> version 6.3(4) does not 
> support rate-limit in an access-list.
> 
>
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref
> /ab.htm#wp1067755
> 
> 
> The rate-limit feature requires QoS support,
> something the PiX currently 
> lacks entirely, but the as-yet-unreleased PiX OS 7.0
> is reported (by 
> Cisco's website) to support QoS.
> 
> The "new features" datasheet for PiX 7.0 is listed
> here:
> 
>
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet090
> 0aecd80225ae1.html
> 
> Any QoS enabled IOS image should be able to do rate
> limiting, but I'm not 
> sure which IOS feature sets have QoS and which do
> not.
> 
> 
> 
> 
>
-------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT
> Products from real users.
> Discover which products truly live up to the hype.
> Start reading now.
>
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or
> unsubscribe:
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> 


	
		
__________________________________ 
Celebrate Yahoo!'s 10th Birthday! 
Yahoo! Netrospective: 100 Moments of the Web 
http://birthday.yahoo.com/netrospective/




More information about the Snort-users mailing list