Snort mailing list archives
tcp flood
From: "Joaquin Grech" <joaco () bocazas com>
Date: Mon, 7 Mar 2005 00:19:09 -0500
Hi,

I am new to Snort and I am not even sure if this is the best tool to solve the situation.

Currently I have 3 main attacks going on on several servers on the network. For the sake of simplicity, let me explain the most problematic one. We are getting a TCP flood of 30 to 40 connections per second. The TCP connections look fine; they just connect/disconnect very fast, flooding all the server. The IP ranges change; we are getting up to 400 different IPs. They don't seem to be spoofed, though.

My question is: is Snort useful to stop this? I was trying to figure out a rule to set a throttle limit, like if an IP tries to connect more than 3 times in 5 seconds, block the IP. But I wasn't very successful at implementing the rule.

If this can't be done with Snort, is there any software to do that? I tried several firewalls, but none had throttle handling like that per IP.

Regards
Joaquin
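The per-IP throttle described in the message above (block a source that connects more than 3 times in 5 seconds), written out as a sliding-window check over connection events. This is an added example, not part of the original post and not Snort code; the function name, the event format and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_CONNS = 3      # threshold from the post: more than 3 connections ...
WINDOW_SECS = 5.0  # ... within 5 seconds, counted per source IP


def find_offenders(events, max_conns=MAX_CONNS, window=WINDOW_SECS):
    """Return {src_ip: time at which it first exceeded the limit}.

    events: iterable of (timestamp_seconds, src_ip), sorted by timestamp
    (hypothetical format, e.g. parsed from a connection log).
    """
    recent = defaultdict(deque)  # src_ip -> connection times still in window
    blocked = {}
    for ts, src in events:
        if src in blocked:
            continue  # already flagged; nothing more to track
        times = recent[src]
        times.append(ts)
        # Discard connections that are a full window (or more) old.
        while ts - times[0] >= window:
            times.popleft()
        if len(times) > max_conns:
            blocked[src] = ts
            del recent[src]  # free state for sources we have flagged
    return blocked


# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10"),
    (0.5, "198.51.100.7"),
    (1.0, "192.0.2.10"),
    (2.0, "192.0.2.10"),
    (3.0, "192.0.2.10"),    # 4th connection inside 5 s: over the limit
    (4.0, "198.51.100.7"),
    (8.0, "198.51.100.7"),
    (12.0, "198.51.100.7"),  # steady but slow client: never over the limit
    (12.5, "203.0.113.5"),
    (18.0, "203.0.113.5"),
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_EVENTS).items():
        print(f"block {ip} (limit exceeded at t={when}s)")
```

State is kept per source address, so a flood spread over hundreds of sources that each stay under the limit is not flagged by a check like this.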