Snort mailing list archives

RE: DOS rules for Nimda


From: "Richard Ellerbrock" <richarde () eskom co za>
Date: Thu, 26 Sep 2002 16:50:11 +0200

Thanks for the pointer, but only really this is applicable:

    *  Rate-limit TCP synchronize/start (SYN) packets. This does not
protect a host, but it allows your network to run in a degraded manner
and still remain up. By rate-limiting SYNs, you are throwing away
packets that exceed a certain rate, so some TCP connections will get
through, but not all.

As stated in my other note, the problem that I have is the denial of
service associated with the scanning for new hosts to infect. They do
not mention in the doc how to actually do the TCP rate limiting - this
is a Cisco site, but I am not really a Cisco expert.

"Tudor Panaitescu" <tpanaitescu () colorcon com> 2002/09/26 04:37:48





Even Better (assuming that you have Cisco):

http://www.cisco.com/warp/public/63/nimda.shtml 

Enjoy,
T
To: "Richard Ellerbrock" <richarde () eskom co za>, snort-users () lists sourceforge net
cc: (bcc: Tudor Panaitescu/ColorconUS)
Subject: RE: [Snort-users] DOS rules for Nimda

First things first, forget intrusion detection. 
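
The SYN rate-limiting behaviour quoted at the top of this message, as an added example that is not part of the original thread or of the Cisco document: a token-bucket policer run over constructed traffic, showing that the link stays within its SYN budget while legitimate SYNs are discarded alongside scan SYNs. The rates, burst depth and traffic mix are assumptions chosen for illustration.

```python
import random


class SynPolicer:
    """Token bucket: forwards about `rate` SYNs/s on average, `burst` at once."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill for the elapsed time, capped at the bucket depth.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # over the configured rate: this SYN is thrown away


def simulate(scan_pps, legit_pps=20, rate=50, burst=10, seconds=10, seed=1):
    """Police constructed SYN arrivals; returns forwarded/dropped counts per kind."""
    rng = random.Random(seed)  # fixed seed so runs are repeatable
    events = [(rng.uniform(0, seconds), "scan") for _ in range(scan_pps * seconds)]
    events += [(rng.uniform(0, seconds), "legit") for _ in range(legit_pps * seconds)]
    events.sort()
    policer = SynPolicer(rate, burst)
    stats = {k: {"forwarded": 0, "dropped": 0} for k in ("scan", "legit")}
    for t, kind in events:
        # The policer sees only a SYN and a timestamp, not who sent it.
        stats[kind]["forwarded" if policer.allow(t) else "dropped"] += 1
    return stats


if __name__ == "__main__":
    for pps in (0, 1000):  # without and with a constructed scan storm
        print(f"scan SYNs/s={pps}: {simulate(pps)}")
```
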

