Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: tcp flood

From: SN ORT <snort_on_acid () yahoo com>
Date: Tue, 8 Mar 2005 06:50:35 -0800 (PST)
Well if you want to do it that way (again, I would
block at the perimeter) then you can use these
commands:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j
ACCEPT
iptables -A INPUT -p tcp --syn -j LOG --log-prefix
"SYN FLOOD "
iptables -A INPUT -p tcp --syn -j DROP


Cheese!

Marc


--- Joaquin Grech <joaco () bocazas com> wrote:

I am looking at the iptables but I can't find a way
to block based on
throttle per ip, only for the whole type of
connection.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On
Behalf Of Matt Kettler
Sent: Monday, March 07, 2005 5:13 PM
To: SN ORT; snort-users () lists sourceforge net
Subject: Re: [Snort-users] tcp flood

At 03:25 PM 3/7/2005, SN ORT wrote:

You can rate-limit on just about any Cisco device
(including PiX) to limit DoS attacks, including TCP
SYN attacks, by using access-lists with rate-limit
commands. Look to your Internet routers to stop the
attacks.



Marc,

The Cisco PiX OS as of the most recent released
version 6.3(4) does not 
support rate-limit in an access-list.



http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref

/ab.htm#wp1067755


The rate-limit feature requires QoS support,
something the PiX currently 
lacks entirely, but the as-yet-unreleased PiX OS 7.0
is reported (by 
Cisco's website) to support QoS.

The "new features" datasheet for PiX 7.0 is listed
here:



http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet090

0aecd80225ae1.html

Any QoS enabled IOS image should be able to do rate
limiting, but I'm not 
sure which IOS feature sets have QoS and which do
not.






-------------------------------------------------------

SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT
Products from real users.
Discover which products truly live up to the hype.
Start reading now.


http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:


https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:


http://www.geocrawler.com/redir-sf.php3?list=snort-users







        
                
__________________________________ 
Celebrate Yahoo!'s 10th Birthday! 
Yahoo! Netrospective: 100 Moments of the Web 
http://birthday.yahoo.com/netrospective/


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: