IDS mailing list archives
Snort detecting distributed syn floods
From: "Brian T" <briant4592 () hotmail com>
Date: Mon, 10 Jan 2005 13:38:45 -0500
Hello List,Over the past several months I have been experiencing intermittent DDoS attempts. The traffic is a distributed syn flood that usually goes after known backdoored ports and targets 40k+ IPs. We are using snort and have a tap in front of the firewall. I would like to set up a detection mechanism for this type of attack but since the target ports keep changing I'm not sure Snort has the capability of performing this type of detection (sounds like I may need something be anomaly based). I want to detect a distributed syn flood/scan without having the related IDS rule(s) tied to any specific ports. The motive is to be proactive instead of adding a rule after an attack has occurred. I'm relatively new to snort and was hoping to get some feedback from anyone who has used snort to detect this type of attack.
Thanks, Brian T _________________________________________________________________Express yourself instantly with MSN Messenger! Download today - it's FREE! hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
-------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- Snort detecting distributed syn floods Brian T (Jan 12)