Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IDS: Snort detecting distributed syn floods

from [THolman] Network Security [Permanent Link]
Subject: RE: IDS: Snort detecting distributed syn floods
Date: Mon, 17 Jan 2005 14:38:57 -0500 
Um... Woah... lost you there.  How does this help?  How can you
differentiate between spoofed and real SYNs coming into one of your
services, if those SYNs are choking your bandwidth (and not your
memory)?


True - if SYNs are choking bandwidth, then you cannot differentiate between
spoofed and real SYNs, as there is no bandwidth left to send back SYN
Cookies or perform SYN Proxying in order to verify that those source
addresses are real.

The solution is to get more bandwidth so you have the spare network capacity
to verify source addresses.  This extra bandwidth can either be your own
(preferably in burstable form), or belong to a shared anti-DDOS service
further upstream.

You might say 'Why bother buying more bandwidth in order to defend against
SYN floods?', or 'Why can't the ISP deal with this anyway, it's not my
problem?', but at the end of the day, if a SYN Flood is causing a business
problem (ie loss of earnings due to web site outage), then the only way to
effectively deal with this is to invest in more bandwidth (usually in the
form of a guaranteed burstable Internet feed), bring the whole of the attack
in-house, and attempt to mitigate it, or of course, pay somebody else to do
it (ie a service provider offering anti-DDOS services).

Regards,

Tim

-----Original Message-----
From: Tim [mailto:tim-security@sentinelchicken.org] 
Sent: 17 January 2005 15:40
To: THolman@toplayer.com
Cc: focus-ids@securityfocus.com
Subject: Re: IDS: Snort detecting distributed syn floods


Detecting a SYN Flood is all very well, but what are you going to do once
you find out you're under attack ?
If all the sources are spoofed (as they usually are), then setting up an
upstream firewall rule to block these sources won't help, neither will
configuring your IDS to send RST packets (this would just double up

consumed

bandwidth).
You would be best off setting a netflow or ACL threshold on your upstream
router that alerts you when it starts receiving a lot of packets.
If you're finding DDOS attacks are consuming more than 10-20Mb bandwidth,
you will usually find smaller devices - routers, firewalls will start
falling over (even those with DDOS protection built in).


Yes, it is difficult to defend against.



This is where an IPS comes in.


Um... Woah... lost you there.  How does this help?  How can you
differentiate between spoofed and real SYNs coming into one of your
services, if those SYNs are choking your bandwidth (and not your
memory)?

tim

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: snort signature analysis tools, Jose Nazario
Next by Date:  [Snort-users] RE: ssl proxy doco for nids/nips (quick howto), auto27923
Previous by Thread:  Re: IDS: Snort detecting distributed syn floods, James Eaton-Lee
Next by Thread:  ssl proxy doco for nids/nips (quick howto), auto27923
Indexes:  [Date] [Thread] [Top] [All Lists]