Snort mailing list archives
Evolving the TCP window size option
From: Anestis Bechtsoudis <bechtsoudis.a () gmail com>
Date: Sat, 07 Jan 2012 23:54:16 +0200
Hello list,

Recently 'HTTP Slow Read DoS' has been discovered by S. Shekyan [1]. This new attack method has been implemented in the slowhttptest tool [2]. Despite the proposed host-based mitigation solutions [3], I was searching for ways to detect the attack at the network layer. Playing around with the attack, I discovered that small TCP window sizes can expose it.

Reading the Snort manual, I discovered that the window option offered for rule writing can be used only with specific values and not numeric ranges (like the dsize option). Evolving the window option to support min<>max and [<|>] would be a great enhancement.

[1] https://community.qualys.com/blogs/securitylabs/2012/01/05/slow-read
[2] http://code.google.com/p/slowhttptest/
[3] http://blog.spiderlabs.com/2012/01/modsecurity-advanced-topic-of-the-week-mitigation-of-slow-read-denial-of-service-attack.html

Kind Regards,
Anestis

--
Anestis Bechtsoudis
Network Operation Center (NOC Group)
Laboratory for Computing (Computer Center)
Dept. of Computer Engineering & Informatics
University of Patras, Greece
Website: https://bechtsoudis.com

Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
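The matching semantics requested above, sketched as an added example (not part of the original post and not Snort code). It assumes the range syntax mirrors dsize with inclusive bounds; the function names, the per-client hit threshold and the sample window values are all constructed for illustration.

```python
import re
import struct

# Proposed spec forms (assumption, modelled on dsize): N, !N, <N, >N, MIN<>MAX
_SPEC = re.compile(
    r"^\s*(?:(?P<lo>\d+)\s*<>\s*(?P<hi>\d+)|(?P<op>[<>!]?)\s*(?P<n>\d+))\s*$")

def parse_window_spec(spec):
    """Compile a spec into a predicate over the raw 16-bit window field."""
    m = _SPEC.match(spec)
    if not m:
        raise ValueError("bad window spec: %r" % spec)
    if m.group("lo") is not None:
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo > hi or hi > 0xFFFF:
            raise ValueError("bad window range: %r" % spec)
        return lambda w: lo <= w <= hi          # inclusive bounds (assumption)
    n, op = int(m.group("n")), m.group("op")
    if n > 0xFFFF:
        raise ValueError("window value exceeds 16 bits: %r" % spec)
    return {"": lambda w: w == n, "!": lambda w: w != n,
            "<": lambda w: w < n, ">": lambda w: w > n}[op]

def tcp_window(header):
    """Read the advertised window (bytes 14-15) as sent, without scaling."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack_from("!H", header, 14)[0]

def build_header(sport, dport, window, flags=0x10):
    """Build a minimal 20-byte TCP header (ACK set) for the constructed sample."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, window, 0, 0)

def flag_small_window_clients(headers, spec, min_hits=3):
    """Return source ports with at least min_hits segments matching spec."""
    match, hits = parse_window_spec(spec), {}
    for h in headers:
        sport = struct.unpack_from("!H", h, 0)[0]
        if match(tcp_window(h)):
            hits[sport] = hits.get(sport, 0) + 1
    return sorted(p for p, c in hits.items() if c >= min_hits)

# Constructed sample: client 40001 keeps advertising tiny windows to port 80,
# client 40002 advertises ordinary ones. Values are illustrative only.
SAMPLE = ([build_header(40001, 80, w) for w in (28, 12, 0, 30)] +
          [build_header(40002, 80, w) for w in (14600, 14480, 29200, 512)])

if __name__ == "__main__":
    print(flag_small_window_clients(SAMPLE, "1<>512"))
```

The comparison is on the raw header field, so a sensor tuning such a range has to account for window scaling negotiated in the handshake, and for zero-window segments that legitimate receivers also send.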