Re: tcp flood

[SN ORT <snort_on_acid () yahoo com>]

This is really a simple layer 3 issue that should be
dealt with at your perimeter, and not on IDS or even
firewall if it can be avoided.

You can rate-limit on just about any Cisco device
(including PiX) to limit DoS attacks, including TCP
SYN attacks, by using access-lists with rate-limit
commands. Look to your Internet routers to stop the
attacks.

Cheese!

Marc

> Message: 1
> Date: Mon, 07 Mar 2005 13:24:41 -0500
> To: "Joaquin Grech" <joaco () bocazas com>,
> <snort-users () lists sourceforge net>
> From: Matt Kettler <mkettler () evi-inc com>
> Subject: Re: [Snort-users] tcp flood
>
> At 12:19 AM 3/7/2005, Joaquin Grech wrote:
> > If this can't be done with snort, is there any
> software to do that? I 
> > tried several firewalls but none had throttle
> handing like that per ip.
>
> With plain IDS-mode snort you're not going to be
> able to block anything. 
> Sort can be made to block stuff using inline mode,
> or using one of several 
> add-ons. However, I've  I've never run snort in
> inline mode, so I can't 
> comment on this. You'd probably want to use the
> classic portscan 
> preprocessor to do this, or use thresholding in a
> rule.
>
>
> As for firewalls here's what I know of that can help
> with connection flooding:
>
> IPTables with the "limit" extension can do this
> easily and with a great 
> deal of flexibility. You can even specify a burst
> connection limit before 
> the rate limiter engages, and an overall rate in
> connections per second, 
> minute, hour, or day.
>
> Juniper Netscreen products can do this, but not
> quite the way you want. 
> It's the source threshold in zone screen, which
> specifies a per-source 
> connection-rate limit. Admittedly the limit is in
> pps, so you can't do 3 
> per 5 seconds, but you can do something like 3/s
> quite easily this way and 
> keep your problems at least somewhat regulated.
>
> Cisco pix firewalls can't set a per-source limit,
> but can set a limit on 
> the total embryonic connections, and total
> connections per server using the 
> static command. This doesn't help kill an attacker,
> but does help put an 
> upper bound on the load problems. However, this has
> the drawback of also 
> limiting legitimate connections while you're being
> flooded. Not very useful.
>
>
>
> --__--__--
>
> Message: 2
> Date: Fri, 4 Mar 2005 11:49:59 -0700
> From: "Michael Graybill"
> <mgraybill () firstchoiceusa com>
> To: <snort-users () lists sourceforge net>
> Subject: [Snort-users] Help with Base ????
>
> This is a multi-part message in MIME format.
>
> ------_=_NextPart_001_01C520EA.F7FE7337
> Content-Type: text/plain;
>       charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
>
> Ok I installed snort and Base. I do have stuff in
> the logs
> (/var/log/snort/alert) but when I log into Base, It
> isn't pulling
> anything from the logs. Can someone help me fix
> this?
>
> =20
>
> TIA,
>
> =20
>
> Michael
>
>
> ------_=_NextPart_001_01C520EA.F7FE7337
> Content-Type: text/html;
>       charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
>
> <html
> xmlns:o=3D"urn:schemas-microsoft-com:office:office"
> =
> xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
> xmlns=3D"http://www.w3.org/TR/REC-html40";>
>
> <head>
> <META HTTP-EQUIV=3D"Content-Type"
> CONTENT=3D"text/html; =
> charset=3Dus-ascii">
> <meta name=3DGenerator content=3D"Microsoft Word 11
> (filtered medium)">
> <style>
> <!--
>  /* Style Definitions */
>  p.MsoNormal, li.MsoNormal, div.MsoNormal
>       {margin:0in;
>       margin-bottom:.0001pt;
>       font-size:12.0pt;
>       font-family:"Times New Roman";}
> a:link, span.MsoHyperlink
>       {color:blue;
>       text-decoration:underline;}
> a:visited, span.MsoHyperlinkFollowed
>       {color:purple;
>       text-decoration:underline;}
> span.EmailStyle17
>       {mso-style-type:personal-compose;
>       font-family:Arial;
>       color:windowtext;}
> @page Section1
>       {size:8.5in 11.0in;
>       margin:1.0in 1.25in 1.0in 1.25in;}
> div.Section1
>       {page:Section1;}
> -->
> </style>
>
> </head>
>
> <body lang=3DEN-US link=3Dblue vlink=3Dpurple>
>
> <div class=3DSection1>
>
> <p class=3DMsoNormal><font size=3D2
> face=3DArial><span =
> style=3D'font-size:10.0pt;
> font-family:Arial'>Ok I installed snort and Base. I
> do have stuff in the =
> logs
> (/var/log/snort/alert) but when I log into Base, It
> isn’t pulling
> anything from the logs. Can someone help me fix =
> this?<o:p></o:p></span></font></p>
>
> <p class=3DMsoNormal><font size=3D2
> face=3DArial><span =
> style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>
> <p class=3DMsoNormal><font size=3D2
> face=3DArial><span =
> style=3D'font-size:10.0pt;
> font-family:Arial'>TIA,<o:p></o:p></span></font></p>
>
> <p class=3DMsoNormal><font size=3D2
> face=3DArial><span =
> style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>
>
=== message truncated ===


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users