Snort mailing list archives
catching many-to-one attacks
From: twig les <twigles () yahoo com>
Date: Fri, 11 Jun 2004 10:54:53 -0700 (PDT)
I'm trying to figure out a good way to catch potential DoS/DDoS attacks, or maybe even probes, that originate from multiple sources and all target one destination. Think of massive waves of echo replies coming back to one host on the inside network, or maybe a SYN flood.

I believe Snort can do this, but only on a single-source basis and only if the counter threshold is surpassed by that source. In other words, I would see 500 single hosts sending 100 TCP SYNs to port 25 on a customer mail server, but nothing to tie them all together and say, "DDoS attack! Man your stations!"

We are an ISP offering and thus 100% uptime is our most pressing security concern.

=====
-----------------------------------------------------------
With a few exceptions, secrecy is deeply incompatible with democracy and with science. --Carl Sagan
-----------------------------------------------------------
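The gap the post describes is that a per-source counter never fires when each of 500 sources sends only a handful of SYNs. The aggregation the poster is asking for keys on the destination instead and counts how many distinct sources hit it inside a sliding window. The following is an added illustration of that logic, not code from the post and not Snort's own threshold implementation; the event tuples, addresses, window (10 s) and threshold (100 distinct sources) are constructed for the example.

```python
from collections import defaultdict, deque


def build_sample_events():
    """Constructed sample records, not captured traffic.

    Each record is (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags).
    """
    events = []
    # Benign: 20 clients talk to a web server over a minute; each client SYN
    # is answered by the server's SYN/ACK (flags "SA").
    for i in range(20):
        ts = i * 3.0
        client = f"198.51.100.{i + 1}"
        events.append((ts, client, "203.0.113.80", 80, "S"))
        events.append((ts + 0.01, "203.0.113.80", client, 50000 + i, "SA"))
    # Flood: 500 distinct sources each send ONE SYN to the mail server
    # within ten seconds. No single source ever repeats.
    for i in range(500):
        ts = 100.0 + i * 0.02
        src = f"10.{(i >> 8) & 0xFF}.{i & 0xFF}.7"
        events.append((ts, src, "203.0.113.25", 25, "S"))
    return events


class ManyToOneDetector:
    """Counts *distinct* sources sending SYNs to each (dst_ip, dst_port)
    inside a sliding time window and alerts once per destination."""

    def __init__(self, window_seconds=10.0, min_sources=100):
        self.window = window_seconds
        self.min_sources = min_sources
        # (dst, port) -> deque of (ts, src), oldest first
        self._recent = defaultdict(deque)
        self._alerted = set()

    def observe(self, ts, src, dst, dport, flags):
        if flags != "S":  # only connection attempts, not SYN/ACK replies or data
            return None
        key = (dst, dport)
        recent = self._recent[key]
        recent.append((ts, src))
        # Drop entries that fell out of the window.
        cutoff = ts - self.window
        while recent and recent[0][0] < cutoff:
            recent.popleft()
        distinct = {s for _, s in recent}
        if len(distinct) >= self.min_sources and key not in self._alerted:
            self._alerted.add(key)
            return {
                "ts": ts,
                "dst": dst,
                "dport": dport,
                "distinct_sources": len(distinct),
                "window_s": self.window,
            }
        return None


def detect_many_to_one(events, window_seconds=10.0, min_sources=100):
    """Replay events in time order and collect many-to-one alerts."""
    det = ManyToOneDetector(window_seconds, min_sources)
    alerts = []
    for ts, src, dst, dport, flags in sorted(events, key=lambda e: e[0]):
        alert = det.observe(ts, src, dst, dport, flags)
        if alert:
            alerts.append(alert)
    return alerts


def max_syns_from_single_source(events):
    """What a per-source counter (the post's 'single source basis') sees:
    the SYN count of the busiest single source."""
    counts = defaultdict(int)
    for _, src, _, _, flags in events:
        if flags == "S":
            counts[src] += 1
    return max(counts.values(), default=0)


if __name__ == "__main__":
    ev = build_sample_events()
    print("busiest single source sent", max_syns_from_single_source(ev), "SYN(s)")
    for alert in detect_many_to_one(ev):
        print("ALERT many-to-one:", alert)
```

On the constructed data the per-source view never exceeds one SYN per host, so a source-keyed threshold stays silent, while the destination-keyed counter alerts as soon as the hundredth distinct source reaches port 25 within the window. Keying on the destination rather than the source is the whole difference; the window length and source threshold have to be tuned to the normal fan-in of each service (a busy mail server legitimately sees many distinct peers), and replying SYN/ACKs are excluded so a victim's own responses are not counted against it.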