Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IDS: Snort detecting distributed syn floods

from [Tim] Network Security [Permanent Link]
Subject: Re: IDS: Snort detecting distributed syn floods
Date: Mon, 17 Jan 2005 10:39:34 -0500 
Detecting a SYN Flood is all very well, but what are you going to do once
you find out you're under attack ?
If all the sources are spoofed (as they usually are), then setting up an
upstream firewall rule to block these sources won't help, neither will
configuring your IDS to send RST packets (this would just double up consumed
bandwidth).
You would be best off setting a netflow or ACL threshold on your upstream
router that alerts you when it starts receiving a lot of packets.
If you're finding DDOS attacks are consuming more than 10-20Mb bandwidth,
you will usually find smaller devices - routers, firewalls will start
falling over (even those with DDOS protection built in).


Yes, it is difficult to defend against.



This is where an IPS comes in.


Um... Woah... lost you there.  How does this help?  How can you
differentiate between spoofed and real SYNs coming into one of your
services, if those SYNs are choking your bandwidth (and not your
memory)?

tim

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: newbie quetsions, Jarvett Lin
Next by Date:  RE: snort signature analysis tools, Hazel, Scott A.
Previous by Thread:  IDS: Snort detecting distributed syn floods, THolman
Next by Thread:  Re: IDS: Snort detecting distributed syn floods, nick black
Indexes:  [Date] [Thread] [Top] [All Lists]