RE: SHUN

[Frank Knobbe <fknobbe () knobbeits com>]

On Tue, 2002-12-03 at 00:28, ams67 wrote:

> Perhaps I am the one who is missing something. I do not know snortsam (I
> will try it for sure). I thought that a white-list is the list of ip
> addresses that snortsam will not block and 'analyze' 

Tony,

again, Snort and SnortSam are two different programs. Snort still does
analysis. It's just that SnortSam doesn't block white-listed IP's. I
think that's what you mean though.

> However I am would
> like to understand how snortsam can manage a syn flood attack where the
> ip source is randomly generate for each packet sent. (e.g. synk4).
> Filling up the logs, and blocking hundreds o thousand of random ip
> address would not be consider a successful DoS?

There is no fancy AI involved. SnortSam uses a simple threshold
mechanism to detect 'attacks'. If SnortSam exceeds a defineable amount
of blocking requests in a definable amount of time, it will unblock the
last <definable> IP addresses, and then just wait until the current rate
of blocking requests receeds below the threshold level. It then waits an
additional definable time before it acts on blocking requests again.

So under normal conditions, you may see a maximum of, for example, 5
blocks (read, unique IP's) per 10 seconds. If you try to DoS SnortSam
with your syn-flood attack, you will probably exceed, 10 blocks ber 10
secs (let's use that as an example for the set threshold). SnortSam will
then unblock the last <x> blocks it 'mistakenly' blocked, waits until
you quit DoS'ing the system. It then waits a time to make sure you're
really gone, and then get's back to work.

Not a fool-proof method, but it seems to work pretty good. 

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part