Snort mailing list archives

Re: udpflood attack !


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 17 Apr 2003 11:10:01 -0400

At 09:20 PM 4/17/2003 +0800, Liuhy wrote:
Hello, everyone,

I am a newbie in using snort, I have a question to ask:

I used an application named "udpflood.exe" which sends UDP packets to the host that snort is running on, and I don't change the snort.conf file. But snort can't find this attack, and doesn't give any alert in the alert file.

Why?

Well, first I'd be hard pressed to call a simple UDP flood an attack, it's more like an "over use of the network" which is a VERY ineffective and pathetic attempt to DoS a network which rarely works. Did this "attack" actually succeed in doing anything to the snort box?

Also realize that if a simple single-source flood comes in over the internet, it's going to be much slower, as it will be limited by their link to the internet. Even if your attacker has a lot of bandwidth (i.e. a T3) to flood you with, the problem is easily alleviated by getting your ISP to block their packets. Since it's from a single source, this is trivial for them to do.

The fact that snort doesn't detect a trivial attack which is just as hard on the attacker as the person attacked doesn't really bother me. These attacks are so non-effective that they're pretty much nonexistent these days, other than someone flooding a dial-up user (they have so little network bandwidth on that 56k modem that flooding them is easy and it becomes practical to do).

As for how to detect it... what might be a flood of UDP traffic to you, might be routine for me, and a root server operator would be alarmed that the traffic level was too _LOW_. So just how many packets per second constitutes a flood?

spp_portscan2 can detect some kinds of floods, but it's really more likely to detect the ones that can actually do damage to a network from the internet. Things like fraggles, DDoS floods and SYN floods don't consume an absurd amount of bandwidth at the sender's side and can cripple your network. Since there are either lots of ports or lots of sources involved in these attacks, they stick out quite nicely.

The Spade add-on may also detect some kinds of single-source single-port floods based on what port they target. If it's a really unusual port and isn't typical of traffic in/out of your network, it can alert.




Thanks and regards!

You're welcome.
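Added example (not part of the original thread, and not Snort, spp_portscan2 or Spade code): a small Python script that runs the three detection angles the reply distinguishes over constructed packet summaries. A single-source single-port flood only shows up as a raw per-source packet rate, which is why the threshold has to be a site-specific assumption (here 1000 pps, an arbitrary demo value); a port sweep and a many-source flood to one port stand out structurally, by port spread and source spread, regardless of volume. All addresses, ports and thresholds below are made up for the demo.

```python
from collections import defaultdict


def build_sample():
    """Constructed UDP packet summaries: (timestamp, src IP, dst IP, dst port).

    These are synthetic records invented for the example, not captures.
    """
    pkts = []
    # Baseline: a resolver talking to the sensor host at 20 pps on port 53 for 10 s.
    for i in range(200):
        pkts.append((i * 0.05, "10.0.0.53", "192.168.1.10", 53))
    # Single-source single-port flood: ~2000 pps to udp/7 for 2 s (t=10..12).
    for i in range(4000):
        pkts.append((10 + i * 0.0005, "203.0.113.9", "192.168.1.10", 7))
    # Single-source sweep: 300 packets in one second, each to a different port (t=20).
    for i in range(300):
        pkts.append((20 + i / 300.0, "198.51.100.4", "192.168.1.10", 1024 + i))
    # Distributed flood: 500 sources, each sending only 4 packets, all to udp/53 (t=30).
    for s in range(500):
        for k in range(4):
            src = "172.16.%d.%d" % (s // 256, s % 256)
            pkts.append((30 + k * 0.25, src, "192.168.1.10", 53))
    return pkts


def analyze(pkts, pps_threshold=1000, port_spread=50, source_spread=100):
    """Return a sorted list of (kind, key, dst, second) alerts.

    kind is one of:
      "single-source flood": one source exceeded pps_threshold packets in one second
      "port sweep":          one source hit >= port_spread distinct ports in one second
      "distributed flood":   >= source_spread distinct sources hit one port in one second
    The thresholds are assumptions to be tuned per site; they are not Snort defaults.
    """
    per_src = defaultdict(int)        # (sec, dst, src)   -> packet count
    ports_by_src = defaultdict(set)   # (sec, dst, src)   -> set of dst ports
    srcs_by_port = defaultdict(set)   # (sec, dst, dport) -> set of sources
    for ts, src, dst, dport in pkts:
        sec = int(ts)
        per_src[(sec, dst, src)] += 1
        ports_by_src[(sec, dst, src)].add(dport)
        srcs_by_port[(sec, dst, dport)].add(src)

    alerts = set()
    for (sec, dst, src), n in per_src.items():
        # Volume alone: only meaningful relative to what this site considers normal.
        if n >= pps_threshold:
            alerts.add(("single-source flood", src, dst, sec))
        # Structure: many ports from one source sticks out at any volume.
        if len(ports_by_src[(sec, dst, src)]) >= port_spread:
            alerts.add(("port sweep", src, dst, sec))
    for (sec, dst, dport), srcs in srcs_by_port.items():
        # Structure: many sources on one port, even when each source is quiet.
        if len(srcs) >= source_spread:
            alerts.add(("distributed flood", "dport %d" % dport, dst, sec))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in analyze(build_sample()):
        print(alert)
```

The baseline resolver traffic never alerts, and the 500-source flood would pass the per-source rate check on its own (4 packets per source per second), so only the source-spread rule catches it. Raising pps_threshold to suit a busy network leaves the two structural rules unaffected, which is the point the reply makes about spp_portscan2.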



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users