Snort mailing list archives

Evolving the TCP window size option


From: Anestis Bechtsoudis <bechtsoudis.a () gmail com>
Date: Sat, 07 Jan 2012 23:54:16 +0200

Hello list,

Recently, 'HTTP Slow Read DoS' has been discovered by S. Shekyan [1].
This new attack method has been implemented in the slowhttptest tool [2].

Despite the proposed host-based mitigation solutions [3], I was
searching for ways to detect the attack at the network layer. Playing
around with the attack, I discovered that small TCP window sizes can
expose it.

Reading the Snort manual, I discovered that the window option offered
for rule writing can be used only with specific values and not numeric
ranges (like the dsize option).

Evolving the window option to support min<>max and [<|>] would be a
great enhancement.


[1] https://community.qualys.com/blogs/securitylabs/2012/01/05/slow-read
[2] http://code.google.com/p/slowhttptest/
[3] http://blog.spiderlabs.com/2012/01/modsecurity-advanced-topic-of-the-week-mitigation-of-slow-read-denial-of-service-attack.html


Kind Regards,
Anestis
-- 
===============================================
* Anestis Bechtsoudis                         *
*                                             *
* Network Operation Center (NOC Group)        *
* Laboratory for Computing (Computer Center)  *
* Dept. of Computer Engineering & Informatics *
* University of Patras, Greece                *
*                                             *
* Website: https://bechtsoudis.com            *
===============================================
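Added illustration, not part of the original post or of Snort itself: the range check the post asks for, written in the dsize syntax (`<N`, `>N`, `min<>max`, plain `N`), applied to the TCP window field of constructed segments. A per-source counter is added on top so that only a client that keeps advertising a tiny window across a response is flagged, not one momentary small window. Assumptions: `min<>max` is treated as exclusive, only ACK segments are counted, and the headers are constructed here for the example.

```python
import re
import struct
from collections import Counter
from typing import Callable, Iterable, Set

TCP_ACK = 0x10  # ACK bit in the TCP flags field

def parse_range(expr: str) -> Callable[[int], bool]:
    # dsize-style expression: "<N", ">N", "MIN<>MAX", or a plain "N" (exact match, which is
    # all the window option supports today). MIN<>MAX is exclusive here (an assumption).
    expr = expr.strip()
    if m := re.fullmatch(r"(\d+)<>(\d+)", expr):
        lo, hi = int(m.group(1)), int(m.group(2))
        return lambda v: lo < v < hi
    if m := re.fullmatch(r"([<>])(\d+)", expr):
        bound = int(m.group(2))
        return (lambda v: v < bound) if m.group(1) == "<" else (lambda v: v > bound)
    exact = int(expr)
    return lambda v: v == exact

def make_tcp_header(src_port: int, dst_port: int, flags: int, window: int) -> bytes:
    # Constructed 20-byte TCP header (RFC 793); seq, ack, checksum and urgent pointer zeroed.
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, (5 << 12) | flags, window, 0, 0)

def tcp_fields(header: bytes):
    # Returns (src_port, flags, window); window is the 16-bit field at byte offset 14.
    src_port, _dst, _seq, _ack, off_flags, window = struct.unpack_from("!HHIIHH", header)
    return src_port, off_flags & 0x1FF, window

def flag_slow_readers(headers: Iterable[bytes], window_rule: str, threshold: int) -> Set[int]:
    # Source ports whose ACK segments match window_rule at least `threshold` times: a client
    # that keeps its window tiny across the whole response, not a single momentary small window.
    matches = parse_range(window_rule)
    hits: Counter = Counter()
    for hdr in headers:
        src, flags, window = tcp_fields(hdr)
        if flags & TCP_ACK and matches(window):
            hits[src] += 1
    return {src for src, n in hits.items() if n >= threshold}

# Constructed sample: client 40001 keeps an 18-byte window; 40002 and 40003 behave normally.
SAMPLE_SEGMENTS = [make_tcp_header(40001, 80, TCP_ACK, 18)] * 3 + [
    make_tcp_header(40002, 80, TCP_ACK, 65535),
    make_tcp_header(40003, 80, TCP_ACK, 1024),
]

if __name__ == "__main__":
    print(flag_slow_readers(SAMPLE_SEGMENTS, "<128", threshold=3))  # {40001}
```

The threshold matters in practice: a legitimate receiver that is briefly busy will also advertise a small or zero window for a segment or two, so alerting on a single match would be noisy.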

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel


