Snort mailing list archives
spoof detection?
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Tue, 13 Nov 2001 17:41:29 -0500
I was just reading an article on "How to Spot Source Address Spoofing". Pretty interesting. I was wondering if anyone is using Snort to try and detect when someone spoofs their address in an attempt to denial of service their site. It would go something like this:

* Say my web server IP address is 200.200.200.200
* An attacker somewhere on the Net spoofs their source address to that of my web server (200.200.200.200), then starts sending out packets all over the Net on a certain port, say port 21 for example.
* All machines on the Net receiving these packets that don't have port 21 open respond to my web server with a RST, thinking my web server is the source of the packets.
* So now my web server is receiving tons of RSTs from different hosts on the Net, where enough of them could cause a denial of service.

Is there a way to set up Snort to look for a high threshold of RSTs so I can tell when someone might be spoofing my address and trying to cause a denial of service on my site?

Thanks!

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com
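The RST-threshold check the post asks about, sketched as an added example that is not part of the original message and is not Snort code: it alerts when the protected address receives many RSTs from many different hosts inside a sliding window. The packet tuple layout, the thresholds and the 198.51.100.x / 203.0.113.x source addresses are constructed assumptions; 200.200.200.200 is the web server address from the post.

```python
from collections import deque

PROTECTED = "200.200.200.200"  # web server address used in the post


def detect_rst_backscatter(packets, protected_ip=PROTECTED,
                           window=10.0, min_rsts=20, min_sources=10):
    """Return [(timestamp, rst_count, distinct_sources)], one entry per burst.

    packets: time-ordered (ts, src_ip, dst_ip, tcp_flags) tuples, with flags
    as a string such as "S", "SA" or "RA" (hypothetical record layout).
    """
    recent = deque()   # (ts, src) for RSTs sent to protected_ip within the window
    alerts = []
    alerting = False   # suppress repeat alerts while a burst is ongoing
    for ts, src, dst, flags in packets:
        # Only inbound RSTs matter; closed ports answer a SYN with RST/ACK.
        if dst != protected_ip or "R" not in flags:
            continue
        recent.append((ts, src))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        sources = {s for _, s in recent}
        # Require many *different* senders: one peer resetting its own
        # connections repeatedly is not the pattern described in the post.
        over = len(recent) >= min_rsts and len(sources) >= min_sources
        if over and not alerting:
            alerts.append((ts, len(recent), len(sources)))
        alerting = over
    return alerts


def sample_normal():
    # Constructed: three clients sending an occasional RST, one every 5 s.
    return [(i * 5.0, f"198.51.100.{i % 3 + 1}", PROTECTED, "RA")
            for i in range(12)]


def sample_single_noisy_peer():
    # Constructed: 40 RSTs in 4 s, all from the same host.
    return [(50.0 + i * 0.1, "198.51.100.9", PROTECTED, "R") for i in range(40)]


def sample_backscatter():
    # Constructed: 40 unrelated hosts each sending one RST/ACK within 4 s,
    # mixed with a SYN to the server and an RST to another address.
    pkts = [(99.0, "198.51.100.1", PROTECTED, "S"),
            (99.5, "203.0.113.200", "200.200.200.201", "RA")]
    pkts += [(100.0 + i * 0.1, f"203.0.113.{i + 1}", PROTECTED, "RA")
             for i in range(40)]
    return pkts
```

The thresholds have to be tuned against the site's normal RST rate, since a busy server sees a steady trickle of legitimate resets.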