Snort mailing list archives
Re: not detecting common intrusion
From: Jeff Nathan <jeff () snort org>
Date: Thu, 27 Jun 2002 00:50:28 -0700
Cearns Angela wrote:
Thank you, Erek. I'm indeed poring through the docs at the Snort website.

Erek, I'm a student at the University of Colorado doing research on DDoS and various mitigation methods. I'm currently building a testbed to simulate DDoS attacks and trying to find a better way to respond to the attack. One area of my research focus is rate limiting. Can I ask you and the mailing list participants for some personal advice?

Would it be useful to add an X processor to Snort to do a bandwidth consumption type of detection? Or is there a much easier way to detect "bandwidth usage beyond a certain threshold" that it's really not worth adding it to Snort? What about adding a rate limiting capability to Snort through an X processor as an "action" on the detection of "bandwidth overuse"? Would this be a useful feature, or is it just easier for people to configure rate limiting through iptables?

Erek, I don't mean to bombard you with questions, but I've been pounding my head for weeks. Thank you so much for your help.

With sincere gratitude,
Ang
Ang,

Are you interested in discovering whether or not your network is being used as part of a larger DDoS, or in mitigating the effects of a DDoS/DoS on your network?

Attempts to 'protect against' incoming DDoS and DoS at the border of a network are basically futile. Detection mechanisms such as flow data off a router or raw packet-per-second rates, coupled with some telltale signs of DoS traffic, might tell you you're under attack, but there's really nothing you can do about it at the edge of your network. To paraphrase something Dug Song said, it's like trying to close your mouth when someone turns a fire hose on in front of your face.

The research on distributed DDoS detection being done at Arbor Networks seems very promising, as they've been working on the problem for some time.

Detecting outbound DDoS/DoS traffic from your network is a somewhat more manageable task and could possibly be accomplished with Snort.

-Jeff

--
http://jeff.wwti.com (pgp key available)

"Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein
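As an added illustration of the rate-based detection Jeff describes (per-source packet-per-second and bit-per-second rates computed from flow records, applied to outbound traffic from the local network), here is a small threshold monitor. It is example code written for this archive page, not Snort code or anything from the thread; the flow records, the local prefix and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record as a router might export it (constructed format)."""
    ts: float      # start time in seconds
    src: str
    dst: str
    packets: int
    octets: int


# Constructed sample records, not real traffic: 10.0.0.5 sends a burst,
# 10.0.0.9 is an ordinary host on the same local network.
SAMPLE_FLOWS = [
    Flow(0.0, "10.0.0.5", "198.51.100.7", 12000, 720000),
    Flow(0.5, "10.0.0.5", "198.51.100.7", 15000, 900000),
    Flow(0.2, "10.0.0.9", "203.0.113.4", 40, 52000),
    Flow(1.0, "10.0.0.5", "198.51.100.7", 14000, 840000),
    Flow(1.4, "10.0.0.9", "203.0.113.4", 35, 48000),
    Flow(2.1, "10.0.0.5", "198.51.100.7", 200, 30000),
]


def rate_alerts(flows, local_prefix="10.0.0.", window=1.0,
                max_pps=10000.0, max_bps=5_000_000.0):
    """Return (src, window_start, pps, bps) for every local source whose
    outbound rate in a fixed window exceeds either threshold (assumed values)."""
    buckets = defaultdict(lambda: [0, 0])  # (src, window_start) -> [pkts, octets]
    for f in flows:
        if not f.src.startswith(local_prefix):
            continue  # only outbound traffic from local hosts is of interest
        start = int(f.ts // window) * window
        bucket = buckets[(f.src, start)]
        bucket[0] += f.packets
        bucket[1] += f.octets
    alerts = []
    for (src, start), (pkts, octets) in sorted(buckets.items()):
        pps = pkts / window
        bps = octets * 8 / window
        if pps > max_pps or bps > max_bps:
            alerts.append((src, start, pps, bps))
    return alerts


if __name__ == "__main__":
    for src, start, pps, bps in rate_alerts(SAMPLE_FLOWS):
        print(f"{src} window@{start:.0f}s: {pps:.0f} pps, {bps / 1e6:.2f} Mbps")
```

With the constructed records, only 10.0.0.5 is reported, in the 0s and 1s windows; the 2s window falls under both thresholds.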
Current thread:
- snort-mysql installation - not logging Cearns Angela (Jun 25)
- <Possible follow-ups>
- Re: snort-mysql installation - not logging Roman Danyliw (Jun 26)
- not detecting common intrusion Cearns Angela (Jun 26)
- Re: not detecting common intrusion Erek Adams (Jun 26)
- Re: not detecting common intrusion Cearns Angela (Jun 26)
- Re: not detecting common intrusion Erek Adams (Jun 26)
- Re: not detecting common intrusion Cearns Angela (Jun 26)
- Re: not detecting common intrusion Erek Adams (Jun 27)
- Re: not detecting common intrusion Jeff Nathan (Jun 27)
- not detecting common intrusion Cearns Angela (Jun 26)