Snort mailing list archives
Re: Evolving the TCP window size option
From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 10 Jan 2012 13:34:46 -0500
Thanks Anestis. I've opened a bug for this. We may add a preprocessor rule instead, or tweak 129:19.

On Sat, Jan 7, 2012 at 4:54 PM, Anestis Bechtsoudis <bechtsoudis.a () gmail com> wrote:

> Hello list,
>
> Recently 'HTTP Slow Read DoS' has been discovered by S. Shekyan [1]. This new attack method has been implemented in the slowhttptest tool [2]. Despite the proposed host-based mitigation solutions [3], I was searching for ways to detect the attack at the network layer.
>
> Playing around with the attack, I discovered that small TCP window sizes can expose it. Reading the Snort manual, I discovered that the window option offered for rule writing can be used only with specific values and not numeric ranges (like the dsize option).
>
> Evolving the window option to support min<>max and [<|>] would be a great enhancement.
>
> [1] https://community.qualys.com/blogs/securitylabs/2012/01/05/slow-read
> [2] http://code.google.com/p/slowhttptest/
> [3] http://blog.spiderlabs.com/2012/01/modsecurity-advanced-topic-of-the-week-mitigation-of-slow-read-denial-of-service-attack.html
>
> Kind Regards,
> Anestis
>
> --
> Anestis Bechtsoudis
> Network Operation Center (NOC Group)
> Laboratory for Computing (Computer Center)
> Dept. of Computer Engineering & Informatics
> University of Patras, Greece
> Website: https://bechtsoudis.com
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
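
The range comparison requested in the thread, as an added example that is not code from the posts or from Snort: it parses IPv4/TCP headers and flags client flows that keep advertising a small window to an HTTP server. The threshold, the streak length, the function names and the sample packets are assumptions; the check uses the raw 16-bit window field and ignores window scaling.

```python
import struct
from collections import defaultdict

WINDOW_MAX = 512    # assumed threshold: raw window values at or below this count as "small"
MIN_SEGMENTS = 3    # assumed: consecutive small-window segments before a flow is flagged

def build_segment(src, dst, sport, dport, flags, window):
    """Constructed IPv4 + TCP headers (no options, no payload, zero checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    return ip + tcp

def parse_segment(pkt):
    """Return ((src, sport, dst, dport), flags, window) or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 16:
        return None
    sport, dport, _seq, _ack, _off, flags, window = struct.unpack_from("!HHIIBBH", pkt, ihl)
    ip = lambda b: ".".join(map(str, b))
    return (ip(pkt[12:16]), sport, ip(pkt[16:20]), dport), flags, window

def small_window_flows(packets, server_port=80):
    """Flows whose client side advertises window <= WINDOW_MAX MIN_SEGMENTS times in a row."""
    streak, flagged = defaultdict(int), set()
    for pkt in packets:
        parsed = parse_segment(pkt)
        if parsed is None:
            continue
        flow, flags, window = parsed
        if flow[3] != server_port or flags & 0x04:   # client-to-server only; skip RST
            continue
        # A single small or zero window is normal flow control, so require a streak.
        streak[flow] = streak[flow] + 1 if window <= WINDOW_MAX else 0
        if streak[flow] >= MIN_SEGMENTS:
            flagged.add(flow)
    return sorted(flagged)

ACK, PSH_ACK = 0x10, 0x18
SAMPLE = [  # constructed traffic, not a capture
    build_segment("10.0.0.5", "10.0.0.80", 40000, 80, PSH_ACK, 28),
    build_segment("10.0.0.6", "10.0.0.80", 40001, 80, PSH_ACK, 65535),
    build_segment("10.0.0.5", "10.0.0.80", 40000, 80, ACK, 28),
    build_segment("10.0.0.6", "10.0.0.80", 40001, 80, ACK, 400),
    build_segment("10.0.0.80", "10.0.0.5", 80, 40000, ACK, 100),
    build_segment("10.0.0.5", "10.0.0.80", 40000, 80, ACK, 0),
    build_segment("10.0.0.6", "10.0.0.80", 40001, 80, ACK, 64240),
]

if __name__ == "__main__":
    print(small_window_flows(SAMPLE))
```

Requiring a streak keeps an ordinary transient zero window, or a server-to-client segment, from raising an alert on its own.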
Current thread:
- Evolving the TCP window size option Anestis Bechtsoudis (Jan 10)
- Re: Evolving the TCP window size option Russ Combs (Jan 10)