[Snort-users] (no subject)

James Affeld jamesaffeld at ...131...
Tue Mar 8 10:51:41 EST 2005


Greetings, and sorry for your troubles.  It seems to
me that a Squid proxy server in front of your DDoS
victims is the right tool for this.  

David McCall reported a massive DDoS (something under
70,000 unique ips in his last message) to the
intrusions list in February 2005. 
http://www.dshield.org/pipermail/intrusions/

They managed to beat it with a squid proxy server on
openbsd.  If the bots are connecting and all getting
the same file each time, squid can block connections
that make that request.  I don't know much about
squid, but it may have rate limiting features as well.
Inline Snort could probably trigger on a high rate of
established connections, but that's more complex than
anything I've done with it.  My sense is that Squid is
the right tool for filtering the behavior of an
application like web browsing.  Once you have it in
place then you can apply it to a lot of different
malicious behavior.

OpenBSD's pf firewall apparently handles the
rate-limit/ip problem with the max-src-state setting. 
I use pf, but again, no personal experience with the
feature.  Here's a link:
http://www.benzedrine.cx/pf/msg06128.html

Good luck.  

> 
> Message: 1
> From: "Joaquin Grech" <joaco at ...13133...>
> To: <snort-users at lists.sourceforge.net>
> Date: Mon, 7 Mar 2005 00:19:09 -0500
> Subject: [Snort-users] tcp flood
> 
> Hi
> 
> I am new to snort and I am not even sure if this is the best tool to solve
> the situation.
> 
> Currently I have 3 main attacks going on on several servers on the network.
> For the sake of simplicity let me explain the most problematic one.
> 
> We are getting a tcp flood of 30 to 40 connections per second. The tcp
> connections look fine, they just connect/disconnect very fast flooding all
> the server.
> 
> The ip ranges change, we are getting up to 400 different ips. They don't
> seem to be spoofed though.
> 
> My question is, is snort useful to stop this? I was trying to figure out a
> rule to set a throttle limit like if an IP tries to connect more than 3
> times in 5 seconds, block the ip.
> 
> But I wasn't very successful at implementing the rule.
> 
> If this can't be done with snort, is there any software to do that? I tried
> several firewalls but none had throttle handling like that per ip.
> 
> Regards
> 
> Joaquin
> 
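As an added illustration (not from either poster), here is what the pf approach James points to looks like in pf.conf, using the original question's threshold of 3 connections from one IP in 5 seconds; the interface name, server address and table name are placeholders I chose, and the per-source options are pf's max-src-states and max-src-conn-rate with an overload table.

```pf
# Constructed pf.conf fragment (added example, not from the thread).
# Placeholders: ext_if, web_srv and the <floodlimit> table name.
ext_if  = "fxp0"
web_srv = "192.0.2.10"      # RFC 5737 documentation address, placeholder

# Table that collects offending source addresses. "persist" keeps it
# across rule reloads so pfctl can manage its entries independently.
table <floodlimit> persist

# Anything already in the table is dropped before the pass rules run.
block in quick on $ext_if from <floodlimit>

# Weak form: "max" is a per-rule cap on total states, so one source can
# still connect/disconnect as fast as it likes until everyone hits it.
# pass in on $ext_if proto tcp to $web_srv port 80 flags S/SA keep state \
#     (max 10000)

# Corrected form: per-source limits. max-src-states caps concurrent states
# per source IP; max-src-conn-rate 3/5 trips when one source completes more
# than 3 TCP handshakes in 5 seconds (only completed handshakes count, which
# is why a non-spoofed flood like the one described is the right target).
# overload adds that IP to the table and "flush global" tears down all of
# its existing states, not just those created by this rule.
pass in on $ext_if proto tcp to $web_srv port 80 flags S/SA keep state \
    (max-src-states 50, max-src-conn-rate 3/5, \
     overload <floodlimit> flush global)
```

Entries stay in the table until removed, so `pfctl -t floodlimit -T show` lists what tripped the rule and `pfctl -t floodlimit -T expire 3600` (from cron, for example) drops entries older than an hour so a cleaned-up host is not blocked forever.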