Snort mailing list archives
(no subject)
From: James Affeld <jamesaffeld () yahoo com>
Date: Tue, 8 Mar 2005 10:51:09 -0800 (PST)
Greetings, and sorry for your troubles. It seems to me that a Squid proxy server in front of your DDoS victims is the right tool for this. David McCall reported a massive DDoS (something under 70,000 unique ips in his last message) to the intrusions list in February 2005. http://www.dshield.org/pipermail/intrusions/ They managed to beat it with a squid proxy server on openbsd. If the bots are connecting and all getting the same file each time, squid can block connections that make that request. I don't know much about squid, but it may have rate limiting features as well. Inline Snort could probably trigger on a high rate of established connections, but that's more complex than anything I've done with it. My sense is that Squid is the right tool for filtering the behavior of an application like web browsing. Once you have it in place then you can apply it to a lot of different malicious behavior. OpenBSD's pf firewall apparently handles the rate-limit/ip problem with the max-src-state setting. I use pf, but again, no personal experience with the feature. Here's a link: http://www.benzedrine.cx/pf/msg06128.html Good luck.
Message: 1 From: "Joaquin Grech" <joaco () bocazas com> To: <snort-users () lists sourceforge net> Date: Mon, 7 Mar 2005 00:19:09 -0500 Subject: [Snort-users] tcp flood This is a multi-part message in MIME format. ------=_NextPart_000_002C_01C522AB.4844AF20 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hi I am new to snort and I am not even sure if this is the best tool to solve the situation. Currently I have 3 main attacks going on on several servers on the network. For the sake of simplicity let me explain the most problematic one. We are getting a tcp flood of 30 to 40 connections per second. The tcp connections look fine, they just connect/disconnect very fast flooding all the server. The ip ranges changes, we are getting up to 400 different ips. They don't seem to be make spoof though. My question is, is snort useful to stop this? I was trying to figure out a rule to set a throttle limit like if an IP tries to connect more than 3 times in 5 seconds, block the ip. But I wasn't very successful at implementing the rule. If this can't be done with snort, is there any software to do that? I tried several firewalls but none had throttle handing like that per ip. Regards Joaquin
__________________________________ Celebrate Yahoo!'s 10th Birthday! Yahoo! Netrospective: 100 Moments of the Web http://birthday.yahoo.com/netrospective/ ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- (no subject) Hema Krishnamurthy (Jan 12)
- <Possible follow-ups>
- (no subject) Hernan Nuñez (Jan 13)
- (no subject) James Affeld (Mar 08)