IDS mailing list archives
Re: IDS: Snort detecting distributed syn floods
From: nick black <dank () reflexsecurity com>
Date: Tue, 18 Jan 2005 18:37:34 +0000 (UTC)
On 2005-01-13, THolman () toplayer com <THolman () toplayer com> wrote:
Detecting a SYN Flood is all very well, but what are you going to do once you find out you're under attack ?
Agreed. To elaborate for the original poster, discrete resource-based attacks such as SYN floods are one of the prime examples of where IPS can excel, especially compared to IDS. I hope the following description of our product's upcoming release's capabilities is illustrative rather than overly product-centric; there's no panacea, but an intelligent blend of heuristics, deterministic techniques and stochastic queueing can, I assure you, alleviate the pain of all but the most overwhelming floods. First, the positioning of an IPS product such as ours allows SNT, or "sequence number translation" akin to NAT. I believe this was first pioneered by Toplayer's AppSafe, but is also present in OpenBSD and NetScreen products (this is no authoritative list, just trying to give credit where credit's due). Essentially, a network device can devote many more resources to half-open connections, and analysis of them, so move said connections there: - IPS intercepts the initial SYN, sends a SYN-ACK (with the benefit of both more allocatable resources, greater knowledge of the threat domain and presumably more history) - If the SYN's are being spoofed or otherwise unanswered (simple DDoS zombie clients, lack of egress policing leaving zombie uplinks supersaturated, etc), the half-open is eventually timed out or pressured out by LRU, etc. As the number of these closings increases, the IPS can make the decision to identify and filter worthless half-opens more rigorously - Should the three-way handshake complete, the IPS SNAT's a connection to the original dest, claiming to be the source. The server will respond; should it not, the IPS can attempt to determine why, perhaps lowering RED/etc thresholds if the server appears already overwhelmed. If the server does indeed respond with a SYN-ACK, the IPS need merely apply a constant delta to SN's in both directions. Furthermore, techniques such as non-parametric CUSUM (a stateless feedback algorithm, see Wang/Zhang/Shin) or spectral analysis (Cheng/Kung/Tan) can be applied by a special-purpose IPS. Such methodologies implemented on end hosts seems prohibitively expensive, not to mention suboptimal from an information-aggregation standpoint. As the number of SYNs goes up, my experience has been that the useful SYNs -- those which will complete the handshake and make proper use of the proffered service -- will appear more and more statistically anomalous when compared against the onslaught. If this thesis proves correct, scaling back analysis in proportion to the load should pay off. Very few SYN flooding tools generate retransmits with a friendly exponential backoff, for instance. By dropping the majority of SYNs early, perhaps even erroneously, we keep our cycles free to determine what properties lie outside the norm. -- nick black "np: the class of dashed hopes and idle dreams." -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- IDS: Snort detecting distributed syn floods THolman (Jan 17)
- Re: IDS: Snort detecting distributed syn floods Tim (Jan 17)
- Re: IDS: Snort detecting distributed syn floods nick black (Jan 19)
- Re: IDS: Snort detecting distributed syn floods James Eaton-Lee (Jan 23)
- Re: IDS: Snort detecting distributed syn floods Mike Frantzen (Jan 24)
- Re: IDS: Snort detecting distributed syn floods James Eaton-Lee (Jan 24)
- Re: IDS: Snort detecting distributed syn floods James Eaton-Lee (Jan 24)
- Re: IDS: Snort detecting distributed syn floods nick black (Jan 19)
- Re: IDS: Snort detecting distributed syn floods Tim (Jan 17)
- <Possible follow-ups>
- RE: IDS: Snort detecting distributed syn floods THolman (Jan 20)