Snort detecting distributed syn floods

From: Brian T (briant4592_at_hotmail.com)
Date: 01/10/05

  • Next message: Kohlenberg, Toby: "RE: Specification-based Anomaly Detection"
    To: focus-ids@securityfocus.com
    Date: Mon, 10 Jan 2005 13:38:45 -0500
    
    

    Hello List,

    Over the past several months I have been experiencing intermittent DDoS
    attempts. The traffic is a distributed syn flood that usually goes after
    known backdoored ports and targets 40k+ IPs. We are using snort and have a
    tap in front of the firewall. I would like to set up a detection mechanism
    for this type of attack but since the target ports keep changing I'm not
    sure Snort has the capability of performing this type of detection (sounds
    like I may need something be anomaly based). I want to detect a distributed
    syn flood/scan without having the related IDS rule(s) tied to any specific
    ports. The motive is to be proactive instead of adding a rule after an
    attack has occurred. I'm relatively new to snort and was hoping to get some
    feedback from anyone who has used snort to detect this type of attack.

    Thanks,
    Brian T

    _________________________________________________________________
    Express yourself instantly with MSN Messenger! Download today - it's FREE!
    hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------


  • Next message: Kohlenberg, Toby: "RE: Specification-based Anomaly Detection"

    Relevant Pages

    • Re: pf vs. RST attack question
      ... as changes on your servers expose new attack vectors and as attackers discover ... which blocked any traffic to an IP to any ports other than 53. ... I found 8 or 9 gzip/newsyslog processes running ... any extra load from pflogd and newsyslog from logging denied traffic. ...
      (freebsd-questions)
    • Re: girl in destress!!
      ... proxies on non-standard ports, so any "sniffer" programs, such as ... Snort, will not be able to monitor you. ... I used to run open socks and HTTP proxies on non ... HTTP on 8930, corporate admins never got wise to what was ...
      (comp.security.firewalls)
    • RE: Detecting trojans on random ports with encrypted traffic...
      ... Isn't this similar to what SPADE does in snort? ... >>> Intrusion Detection does not have to rely on signatures ... >>> detect connections from and to ports that you normally ... >>> counting any connections that are normal like virus scanner ...
      (Focus-IDS)
    • Re: 8 port firewall recomendation
      ... Of course, all you need to do, to increase the number of ports, is to spend ... In fact, you could buy a SINGLE port firewall, and use an external hub: ... > death", IP spoofing, land attack, tear drop attack, IP address sweep ...
      (comp.security.firewalls)
    • RE: Which intrusion detection to use?
      ... > deny access to all unused ports to the world there will be no ... Snort does not care ... while I would get ipfw dropping packets in my logs, ... If you want a good book I'd recommend "Building Internet Firewalls" by ...
      (FreeBSD-Security)