Snort mailing list archives
RE: tcp flood
From: SN ORT <snort_on_acid () yahoo com>
Date: Tue, 8 Mar 2005 06:50:35 -0800 (PST)
Well if you want to do it that way (again, I would block at the perimeter) then you can use these commands:

    iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
    iptables -A INPUT -p tcp --syn -j LOG --log-prefix "SYN FLOOD "
    iptables -A INPUT -p tcp --syn -j DROP

Cheese!
Marc

--- Joaquin Grech <joaco () bocazas com> wrote:
I am looking at the iptables but I can't find a way to block based on throttle per ip, only for the whole type of connection.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Matt Kettler
Sent: Monday, March 07, 2005 5:13 PM
To: SN ORT; snort-users () lists sourceforge net
Subject: Re: [Snort-users] tcp flood

At 03:25 PM 3/7/2005, SN ORT wrote:

You can rate-limit on just about any Cisco device (including PiX) to limit DoS attacks, including TCP SYN attacks, by using access-lists with rate-limit commands. Look to your Internet routers to stop the attacks.

Marc,

The Cisco PiX OS as of the most recent released version 6.3(4) does not support rate-limit in an access-list.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1067755

The rate-limit feature requires QoS support, something the PiX currently lacks entirely, but the as-yet-unreleased PiX OS 7.0 is reported (by Cisco's website) to support QoS. The "new features" datasheet for PiX 7.0 is listed here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet0900aecd80225ae1.html

Any QoS enabled IOS image should be able to do rate limiting, but I'm not sure which IOS feature sets have QoS and which do not.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
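Added example, not part of the original thread: a simplified Python model of the token bucket behind `-m limit --limit 1/s` (with the match's default burst of 5), run over constructed traffic. It shows why the single shared limit in the rules above also drops a normal client's SYNs during a flood, while a bucket keyed per source address, which is what the per-IP question asks for, does not. The addresses, class and function names are assumptions for illustration.

```python
from collections import Counter

# Constructed documentation addresses, not taken from the thread.
ATTACKER, CLIENT = "198.51.100.7", "192.0.2.10"


class SynLimiter:
    """Integer token bucket modelled on the iptables 'limit' match."""

    def __init__(self, rate_per_s=1, burst=5):
        self.rate = rate_per_s        # milli-tokens gained per millisecond
        self.cap = burst * 1000       # bucket size in milli-tokens
        self.tokens = self.cap        # the bucket starts full
        self.last_ms = 0

    def allow(self, now_ms):
        gained = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.cap, self.tokens + gained)
        self.last_ms = now_ms
        if self.tokens >= 1000:       # one whole token per accepted SYN
            self.tokens -= 1000
            return True               # matches the ACCEPT rule
        return False                  # falls through to LOG and DROP


def constructed_traffic():
    """Ten seconds of (time_ms, source) SYNs: a flood plus one normal client."""
    flood = [(t, ATTACKER) for t in range(0, 10_000, 5)]          # 200 SYN/s
    normal = [(t, CLIENT) for t in range(1_500, 10_000, 2_000)]   # 1 SYN per 2 s
    return sorted(flood + normal)


def accepted(per_source):
    """Count accepted SYNs per source with one shared bucket or one per source."""
    shared, buckets = SynLimiter(), {}
    hits = Counter({ATTACKER: 0, CLIENT: 0})
    for now_ms, src in constructed_traffic():
        bucket = buckets.setdefault(src, SynLimiter()) if per_source else shared
        if bucket.allow(now_ms):
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    print("one shared bucket :", accepted(per_source=False))
    print("bucket per source :", accepted(per_source=True))
```

In iptables, per-source keying of this kind is provided by the hashlimit match with --hashlimit-mode srcip.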