Snort mailing list archives
(no subject)
From: James Affeld <jamesaffeld () yahoo com>
Date: Tue, 8 Mar 2005 10:51:09 -0800 (PST)
Greetings, and sorry for your troubles. It seems to me that a Squid proxy server in front of your DDoS victims is the right tool for this. David McCall reported a massive DDoS (something under 70,000 unique ips in his last message) to the intrusions list in February 2005. http://www.dshield.org/pipermail/intrusions/ They managed to beat it with a squid proxy server on openbsd. If the bots are connecting and all getting the same file each time, squid can block connections that make that request. I don't know much about squid, but it may have rate limiting features as well.

Inline Snort could probably trigger on a high rate of established connections, but that's more complex than anything I've done with it. My sense is that Squid is the right tool for filtering the behavior of an application like web browsing. Once you have it in place then you can apply it to a lot of different malicious behavior.

OpenBSD's pf firewall apparently handles the rate-limit/ip problem with the max-src-state setting. I use pf, but again, no personal experience with the feature. Here's a link: http://www.benzedrine.cx/pf/msg06128.html

Good luck.
Message: 1
From: "Joaquin Grech" <joaco () bocazas com>
To: <snort-users () lists sourceforge net>
Date: Mon, 7 Mar 2005 00:19:09 -0500
Subject: [Snort-users] tcp flood
Hi

I am new to snort and I am not even sure if this is the best tool to solve the situation.

Currently I have 3 main attacks going on on several servers on the network. For the sake of simplicity let me explain the most problematic one.

We are getting a tcp flood of 30 to 40 connections per second. The tcp connections look fine, they just connect/disconnect very fast, flooding the whole server. The ip ranges change; we are getting up to 400 different ips. They don't seem to be spoofed though.

My question is, is snort useful to stop this? I was trying to figure out a rule to set a throttle limit like: if an IP tries to connect more than 3 times in 5 seconds, block the ip. But I wasn't very successful at implementing the rule.

If this can't be done with snort, is there any software to do that? I tried several firewalls but none had throttle handling like that per ip.

Regards
Joaquin
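The per-source throttle Joaquin asks for ("more than 3 connects in 5 seconds, block the ip"), which the reply says pf handles with its max-src-state family of options, is a sliding-window counter. The example below is an added illustration, not code from Snort, pf or either poster: it runs that counter over a constructed list of new-connection records (timestamp, source ip), returns the sources that tripped the threshold, and renders them as a pf table the blocking rule could reference.

```python
"""Sliding-window per-source connection-rate limiter (added example).
Policy from the thread: block a source that opens more than MAX_CONNS
new connections within WINDOW seconds. Sample data below is constructed."""
from collections import defaultdict, deque

# Constructed sample: (timestamp in seconds, source ip) per new TCP connection.
SAMPLE_CONNECTS = [
    (0.0, "192.0.2.10"), (0.5, "192.0.2.10"), (1.0, "192.0.2.10"), (1.5, "192.0.2.10"),
    (0.2, "198.51.100.7"), (3.0, "198.51.100.7"), (6.5, "198.51.100.7"), (9.0, "198.51.100.7"),
    (2.0, "203.0.113.9"), (2.1, "203.0.113.9"), (2.2, "203.0.113.9"), (2.3, "203.0.113.9"),
]


class ConnRateLimiter:
    def __init__(self, max_conns=3, window=5.0):
        self.max_conns = max_conns
        self.window = window
        self.history = defaultdict(deque)  # ip -> timestamps of recent connects
        self.blocked = {}                  # ip -> timestamp at which it was blocked

    def observe(self, ts, ip):
        """Record one new connection from ip at time ts; True if ip is (now) blocked."""
        if ip in self.blocked:
            return True
        recent = self.history[ip]
        recent.append(ts)
        # Drop connects that fell out of the window before counting.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) > self.max_conns:
            self.blocked[ip] = ts
            del self.history[ip]
            return True
        return False


def find_flooders(records, max_conns=3, window=5.0):
    """Replay records in time order; return {ip: block_time} for sources over the limit."""
    limiter = ConnRateLimiter(max_conns, window)
    for ts, ip in sorted(records):
        limiter.observe(ts, ip)
    return dict(limiter.blocked)


def pf_table(name, blocked):
    """Render blocked sources as a pf.conf table for a 'block in quick from <name>' rule."""
    return "table <%s> persist { %s }" % (name, ", ".join(sorted(blocked)))


if __name__ == "__main__":
    flooders = find_flooders(SAMPLE_CONNECTS)
    print(pf_table("flood", flooders))
```

The third source stays under the limit because its connects are spread out; the window expires old entries before each count. In production pf, the same policy is expressed with max-src-conn-rate and an overload table rather than an external script.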
