Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

IDS: Snort detecting distributed syn floods

from [THolman] Network Security [Permanent Link]
Subject: IDS: Snort detecting distributed syn floods
Date: Thu, 13 Jan 2005 10:34:18 -0500 
Hi Brian,

Detecting a SYN Flood is all very well, but what are you going to do once
you find out you're under attack ?
If all the sources are spoofed (as they usually are), then setting up an
upstream firewall rule to block these sources won't help, neither will
configuring your IDS to send RST packets (this would just double up consumed
bandwidth).
You would be best off setting a netflow or ACL threshold on your upstream
router that alerts you when it starts receiving a lot of packets.
If you're finding DDOS attacks are consuming more than 10-20Mb bandwidth,
you will usually find smaller devices - routers, firewalls will start
falling over (even those with DDOS protection built in).
This is where an IPS comes in.  Protection based technology (or upstream
ACLs and routing changes) is the only way to block DDOS attacks.

Regards,

Tim




Hello List, 


Over the past several months I have been experiencing intermittent DDoS 
attempts. The traffic is a distributed syn flood that usually goes after 
known backdoored ports and targets 40k+ IPs. We are using snort and have a 
tap in front of the firewall. I would like to set up a detection mechanism 
for this type of attack but since the target ports keep changing I'm not 
sure Snort has the capability of performing this type of detection (sounds 
like I may need something be anomaly based). I want to detect a distributed 
syn flood/scan without having the related IDS rule(s) tied to any specific 
ports. The motive is to be proactive instead of adding a rule after an 
attack has occurred. I'm relatively new to snort and was hoping to get some 
feedback from anyone who has used snort to detect this type of attack. 


Thanks, 
Brian T 


_________________________________________________________________ 
Express yourself instantly with MSN Messenger! Download today - it's FREE! 
hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ 



-------------------------------------------------------------------------- 
Test Your IDS 


Is your IDS deployed correctly? 
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT. 
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more. 
--------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  DIMVA 2005 - Second Call for Papers, Marc Heuse
Next by Date:  Re: newbie quetsions, Rainer Duffner
Previous by Thread:  DIMVA 2005 - Second Call for Papers, Marc Heuse
Next by Thread:  Re: IDS: Snort detecting distributed syn floods, Tim
Indexes:  [Date] [Thread] [Top] [All Lists]