Snort mailing list archives

catching many-to-one attacks


From: twig les <twigles () yahoo com>
Date: Fri, 11 Jun 2004 10:54:53 -0700 (PDT)

I'm trying to figure out a good way to catch potential DoS/DDoS
attacks or maybe even probes that originate from multiple
sources and all target one destination.  Think of massive waves
of echo replies coming back to one host on the inside network,
or maybe a SYN flood.  I believe Snort can do this but only on a
single source basis and only if the counter threshold is
surpassed by that source.  In other words I would see 500 single
hosts sending 100 TCP SYNs to port 25 on a customer mail server,
but nothing to tie them all together and say, "DDoS attack!  Man
your stations!".  We are an ISP offering and thus 100% uptime is
our most pressing security concern.

=====
-----------------------------------------------------------
With a few exceptions, secrecy is deeply incompatible with
democracy and with science.
     --Carl Sagan  
-----------------------------------------------------------
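The many-to-one counting asked about above maps onto Snort's per-rule `threshold` keyword when it is tracked by destination rather than by source: the counter is keyed on the target IP, so 500 hosts sending one SYN each increments the same counter as one host sending 500. The two rules below are an added example written for this post, not rules from the original message or from the Snort distribution; the sid values, the `$HOME_NET`/`$EXTERNAL_NET` variables and the count/seconds figures are assumptions chosen for illustration and need tuning against the real baseline of the protected host.

```snort
# Added example, not from the original post. Counts TCP SYNs to port 25
# per destination host, regardless of how many sources send them.
# count, seconds and sid are illustrative values that must be tuned.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Possible many-to-one SYN flood against SMTP server"; flags:S; threshold: type both, track by_dst, count 500, seconds 60; classtype:attempted-dos; sid:1000001; rev:1;)

# Same idea for waves of ICMP echo replies aimed at one inside host
# (itype 0 = echo reply). Again keyed on the destination, not the source.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible many-to-one ICMP echo reply flood"; itype:0; threshold: type both, track by_dst, count 1000, seconds 10; classtype:attempted-dos; sid:1000002; rev:1;)
```

`track by_dst` is what ties the sources together; `track by_src` would give the per-source behaviour the post describes. `type both` suppresses alerts until the count is reached inside the window and then emits at most one alert per window, so a sustained flood produces a steady stream of single alerts rather than one per packet. The same counter can be attached from threshold.conf instead of inline (`threshold gen_id 1, sig_id 1000001, type both, track by_dst, count 500, seconds 60`), which keeps the rule body reusable. Two caveats: the alert only says that the destination is being hit, not which sources are involved, so the packet log or flow data is still needed to enumerate them; and a busy mail server or a legitimate ping sweep response will cross a low count, so set the threshold from observed peak rates rather than from a guess.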
