Snort detecting distributed syn floods

From: Brian T (briant4592_at_hotmail.com)
Date: 01/10/05

  • Next message: Kohlenberg, Toby: "RE: Specification-based Anomaly Detection"
    To: focus-ids@securityfocus.com
    Date: Mon, 10 Jan 2005 13:38:45 -0500
    
    

    Hello List,

    Over the past several months I have been experiencing intermittent DDoS
    attempts. The traffic is a distributed syn flood that usually goes after
    known backdoored ports and targets 40k+ IPs. We are using snort and have a
    tap in front of the firewall. I would like to set up a detection mechanism
    for this type of attack but since the target ports keep changing I'm not
    sure Snort has the capability of performing this type of detection (sounds
    like I may need something be anomaly based). I want to detect a distributed
    syn flood/scan without having the related IDS rule(s) tied to any specific
    ports. The motive is to be proactive instead of adding a rule after an
    attack has occurred. I'm relatively new to snort and was hoping to get some
    feedback from anyone who has used snort to detect this type of attack.

    Thanks,
    Brian T

    _________________________________________________________________
    Express yourself instantly with MSN Messenger! Download today - it's FREE!
    hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------


  • Next message: Kohlenberg, Toby: "RE: Specification-based Anomaly Detection"