Snort mailing list archives

Re: tcp flood


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 07 Mar 2005 13:24:41 -0500

At 12:19 AM 3/7/2005, Joaquin Grech wrote:
If this can't be done with snort, is there any software to do that? I tried several firewalls but none had throttle handling like that per ip.

With plain IDS-mode snort you're not going to be able to block anything. Snort can be made to block stuff using inline mode, or using one of several add-ons. However, I've never run snort in inline mode, so I can't comment on this. You'd probably want to use the classic portscan preprocessor to do this, or use thresholding in a rule.


As for firewalls here's what I know of that can help with connection flooding:

IPTables with the "limit" extension can do this easily and with a great deal of flexibility. You can even specify a burst connection limit before the rate limiter engages, and an overall rate in connections per second, minute, hour, or day.

Juniper Netscreen products can do this, but not quite the way you want. It's the source threshold in zone screen, which specifies a per-source connection-rate limit. Admittedly the limit is in pps, so you can't do 3 per 5 seconds, but you can do something like 3/s quite easily this way and keep your problems at least somewhat regulated.

Cisco pix firewalls can't set a per-source limit, but can set a limit on the total embryonic connections, and total connections per server using the static command. This doesn't help kill an attacker, but does help put an upper bound on the load problems. However, this has the drawback of also limiting legitimate connections while you're being flooded. Not very useful.
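As an added illustration of the iptables approach described in the reply above (this script is not from the original thread or from the Snort project), the functions below print the rule set for the "limit" match with a burst allowance, and, since the "limit" match keeps a single global bucket, also the equivalent with the "hashlimit" match, which tracks one bucket per source address and so matches the per-IP throttling the question asked for. Assumed values: TCP port 80 and a target of 3 new connections per 5 seconds, which iptables cannot express directly and is therefore converted to 36 per minute. Run as root and pipe the output to sh to apply.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints iptables rules that
# throttle new TCP connections (SYNs) to a port; nothing is applied unless
# the output is piped to sh as root.
PORT="${PORT:-80}"          # assumed service port
BURST="${BURST:-5}"         # SYNs allowed before the limiter engages

# iptables rates are per second/minute/hour/day, so "3 per 5 seconds" is
# expressed as 36 per minute (integer arithmetic, truncates).
rate_per_minute() {
    echo $(( $1 * 60 / $2 ))
}
RATE="$(rate_per_minute 3 5)/minute"

# Global limiter: one token bucket shared by ALL sources. Excess SYNs are
# logged (rate-limited so the log itself cannot be flooded) and dropped.
limit_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport $PORT --syn -m limit --limit $RATE --limit-burst $BURST -j ACCEPT
iptables -A INPUT -p tcp --dport $PORT --syn -m limit --limit 1/minute -j LOG --log-prefix "SYNFLOOD "
iptables -A INPUT -p tcp --dport $PORT --syn -j DROP
EOF
}

# Per-source limiter: same rate and burst, but one bucket per source IP, so a
# single flooding host is throttled without starving every other client.
hashlimit_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport $PORT --syn -m hashlimit --hashlimit-mode srcip --hashlimit-name synflood --hashlimit-upto $RATE --hashlimit-burst $BURST -j ACCEPT
iptables -A INPUT -p tcp --dport $PORT --syn -m limit --limit 1/minute -j LOG --log-prefix "SYNFLOOD "
iptables -A INPUT -p tcp --dport $PORT --syn -j DROP
EOF
}

# Default action when run directly: show the per-source variant.
if [ "${1:-}" = "--global" ]; then
    limit_rules
elif [ "${1:-}" = "--show" ]; then
    hashlimit_rules
fi
```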


