[Snort-users] tcp flood
snort_on_acid at ...131...
Tue Mar 8 06:50:59 EST 2005
Well if you want to do it that way (again, I would block at the perimeter) then you can use these:

# let SYN packets through up to the limit (1/s, default burst 5)
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
# log everything over the limit with a recognizable prefix
iptables -A INPUT -p tcp --syn -j LOG --log-prefix "SYN FLOOD "
# ... and drop it
iptables -A INPUT -p tcp --syn -j DROP
--- Joaquin Grech <joaco at ...13133...> wrote:
> I am looking at the iptables but I can't find a way
> to block based on
> throttle per ip, only for the whole type of
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On
> Behalf Of Matt Kettler
> Sent: Monday, March 07, 2005 5:13 PM
> To: SN ORT; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] tcp flood
> At 03:25 PM 3/7/2005, SN ORT wrote:
> >You can rate-limit on just about any Cisco device
> >(including PiX) to limit DoS attacks, including TCP
> >SYN attacks, by using access-lists with rate-limit
> >commands. Look to your Internet routers to stop the
> The Cisco PiX OS as of the most recent released
> version 6.3(4) does not
> support rate-limit in an access-list.
> The rate-limit feature requires QoS support,
> something the PiX currently
> lacks entirely, but the as-yet-unreleased PiX OS 7.0
> is reported (by
> Cisco's website) to support QoS.
> The "new features" datasheet for PiX 7.0 is listed
> Any QoS enabled IOS image should be able to do rate
> limiting, but I'm not
> sure which IOS feature sets have QoS and which do
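As an added example (not from this thread or either poster): a small Python script that looks at the per-IP question from the detection side, parsing the kernel LOG lines that the `--log-prefix "SYN FLOOD "` rule above produces and reporting which sources exceeded a SYN-per-second threshold. The syslog lines, host name and addresses below are constructed.

```python
import re
from collections import defaultdict, deque

# Constructed sample syslog lines (not from the thread) in the shape the kernel
# LOG target emits; the "SYN FLOOD " prefix is the one set by the rule above.
SAMPLE_LOG = """\
Mar  8 06:50:01 fw kernel: SYN FLOOD IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=80 SYN URGP=0
Mar  8 06:50:01 fw kernel: SYN FLOOD IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=80 SYN URGP=0
Mar  8 06:50:01 fw kernel: SYN FLOOD IN=eth0 OUT= SRC=192.0.2.20 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=80 SYN URGP=0
Mar  8 06:50:01 fw kernel: SYN FLOOD IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=80 SYN URGP=0
Mar  8 06:50:01 fw kernel: SYN FLOOD IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=80 SYN URGP=0
Mar  8 06:50:01 fw kernel: SYN FLOOD IN=eth0 OUT= SRC=192.0.2.20 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=80 SYN URGP=0
Mar  8 06:50:01 fw kernel: SYN FLOOD IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40005 DPT=80 SYN URGP=0
Mar  8 06:50:02 fw kernel: SYN FLOOD IN=eth0 OUT= SRC=192.0.2.20 DST=203.0.113.5 PROTO=TCP SPT=51002 DPT=80 SYN URGP=0
Mar  8 06:50:02 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=53 LEN=40
Mar  8 06:50:03 fw kernel: SYN FLOOD IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40006 DPT=80 SYN URGP=0
"""

# syslog timestamp and host, then the LOG prefix followed by the packet fields
LINE_RE = re.compile(
    r"^\w{3} +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<prefix>.*?)IN=\S* OUT=\S* SRC=(?P<src>[\d.]+) (?P<rest>.*)$"
)

def parse_events(text, prefix="SYN FLOOD "):
    """Return (seconds, src) for every TCP SYN logged under `prefix`; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("prefix") != prefix:
            continue
        if "PROTO=TCP" not in m.group("rest") or not re.search(r"\bSYN\b", m.group("rest")):
            continue
        h, mi, s = (int(x) for x in m.group("time").split(":"))
        events.append((int(m.group("day")) * 86400 + h * 3600 + mi * 60 + s, m.group("src")))
    return events

def flood_sources(events, window=1, threshold=3):
    """Peak SYN count per source within any `window` seconds, for sources above `threshold`.
    This is the per-IP view a chain-wide -m limit rule cannot give on its own."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:  # forget SYNs that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}
```

Run against a real log, the output is the list of sources worth a per-IP rule or a perimeter block, while the whole-chain limit keeps the box answering in the meantime.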