Re: IDS: Snort detecting distributed syn floods

[Tim <tim-security () sentinelchicken org>]

> Detecting a SYN Flood is all very well, but what are you going to do once
> you find out you're under attack ?
> If all the sources are spoofed (as they usually are), then setting up an
> upstream firewall rule to block these sources won't help, neither will
> configuring your IDS to send RST packets (this would just double up consumed
> bandwidth).
> You would be best off setting a netflow or ACL threshold on your upstream
> router that alerts you when it starts receiving a lot of packets.
> If you're finding DDOS attacks are consuming more than 10-20Mb bandwidth,
> you will usually find smaller devices - routers, firewalls will start
> falling over (even those with DDOS protection built in).

Yes, it is difficult to defend against.


> This is where an IPS comes in.

Um... Woah... lost you there.  How does this help?  How can you
differentiate between spoofed and real SYNs coming into one of your
services, if those SYNs are choking your bandwidth (and not your
memory)?

tim

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------