Re: SNORT or other IDS

From: S. Pidgorny [MVP] (slavickp@yahoo.com)
Date: 11/17/02


From: "S. Pidgorny [MVP]" <slavickp@yahoo.com>
Date: Sun, 17 Nov 2002 10:58:43 +1100

First of all, see the following KB article and configure servers
accordingly:

http://support.microsoft.com/default.aspx?scid=KB;en-us;q142641

Secondly, a device in your Internet connection gateway (e.g. the firewall)
should be able to add some sort of protection against SYN flood - which one
do you use?

Also, SYN flood on internal network can be caused by malfunctioning network
gear or software package. A protocol analyser and a year of time could help.

Also, take a look at Radware offerings for both DoS protection and BGP -
they have some very good products...

--
Svyatoslav Pidgorny, MS MVP, MCSE
-= F1 is the key =-
"mail.attbi.net" <mattww3@attbi.com> wrote in message
news:KfwB9.51911$nB.3843@sccrnsc03...
> I need HELP   :-)    Below is a post I put somewhere else but no
> response....
>
> And we have most win2k machines being affected which honestly are
> handling this really really well...    not locking up or denying
> connections but over time....
> -----------------------
> I'm in a real tough situation...
>
> Very large network.    Connection monitoring to numerous webhosts
> shows likely syn flood attack.
>
> Found out the hard way :-)   All normal protection methods for SYN
> attacks don't work.    Normal traffic is too large.   Over 100mbps and
> cisco and foundry both crash for tcp intercept functions.
>
> IDS attached to network.   Can see all in/out traffic.   Snort has no
> ability to detect SynFloods.
>
> TCPDUMP, can stare at that all day... and have been.    Can not
> associate any single offending host/network.   Well found one that so
> far has over 100k of hits against deny IP acl but blocking had no
> effect on connections to hosts.
>
>
> scan all of our hosts...   looking for highest connections in
> TIME_WAIT state...   well....   AOL and other proxy servers hide any
> indication of half open connection attacks because the aol proxy IPs
> seem to stay in time_wait for a long time making them the most
> frequent and common connecting hosts
>
>
> Our normal traffic is so high that our router w/ 256mb of ram and
> doing default route only with bgp crashes if inspecting 1 class A
> worth of traffic such as 60.0.0.0 0.255.255.255.255
>
> I can target several Class B's without a problem but I just need some
> blocks to target that would be relevant.
>
> HELP :-)
>
> I have Linux IDS plugged in running snort with spade... tcpdump blah
> blah blah...   I can see the full network of traffic...   I just can't
> figure out how to find only half open connections...    AND there is
> also the possibility that we are not being attacked and are having
> bizarre network hardware issues...
>
>
> Please Help I'm getting my $%^& kicked by this...
>
>
> "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> news:OXDfM9siCHA.1624@tkmsftngp10...
> >
> > "John C. Olinger" <jcolinger@deltyme.com> wrote in message
> > news:1037161506.972841@news-1.nethere.net...
> > > I'm looking to trade knowledge with someone who has experience with
> > > Snort or another IDS.
> >
> > What do you need to know?
> >
> > There are mailing lists and support groups for Snort and other IDS,
> possibly
> > at www.snort.org and also at http://online.securityfocus.com/archive
> >
> >
>
>
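The question in the quoted post is how to pick out half-open connections from a capture the IDS box already sees. The script below is an added example, not code from anyone in this thread: it replays the three-way handshake over a constructed list of TCP flag records (the shape you get after reducing tcpdump output to time, endpoints and flags) and reports handshakes that never completed, grouped by target server and by claimed source. The sample addresses and the `window` threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample, shaped like tcpdump output reduced to
# (time, src, sport, dst, dport, flags); "S" = SYN, "S." = SYN-ACK, "." = ACK.
SAMPLE = [
    (0.00, "198.51.100.10", 40001, "192.0.2.5", 80, "S"),
    (0.01, "192.0.2.5", 80, "198.51.100.10", 40001, "S."),
    (0.02, "198.51.100.10", 40001, "192.0.2.5", 80, "."),   # completed
    (0.10, "203.0.113.7", 50001, "192.0.2.5", 80, "S"),
    (0.11, "192.0.2.5", 80, "203.0.113.7", 50001, "S."),    # no final ACK
    (0.20, "203.0.113.8", 50002, "192.0.2.5", 80, "S"),
    (0.21, "192.0.2.5", 80, "203.0.113.8", 50002, "S."),    # no final ACK
    (0.30, "203.0.113.9", 50003, "192.0.2.5", 80, "S"),     # no SYN-ACK seen
    (9.00, "198.51.100.11", 40002, "192.0.2.6", 443, "S"),  # too recent to judge
]

def half_open_connections(records, window=3.0):
    """Replay handshakes; return (client, cport, server, sport) keys whose
    handshake never completed and that are at least `window` seconds old
    at the end of the capture (assumed threshold, tune for your network)."""
    state, started, last_t = {}, {}, 0.0
    for t, src, sport, dst, dport, flags in records:
        last_t = max(last_t, t)
        if flags == "S":                      # client -> server SYN
            key = (src, sport, dst, dport)
            state[key], started[key] = "syn", t
        elif flags == "S.":                   # server -> client SYN-ACK
            key = (dst, dport, src, sport)    # flip back to client view
            if state.get(key) == "syn":
                state[key] = "synack"
        elif flags == ".":                    # client -> server final ACK
            key = (src, sport, dst, dport)
            if state.get(key) == "synack":    # only handshake ACKs matter
                state[key] = "established"
    return [k for k, s in state.items()
            if s != "established" and last_t - started[k] >= window]

def summarize(half_open):
    """Count stale half-open handshakes per server port and per client."""
    by_server, by_client = defaultdict(int), defaultdict(int)
    for client, _, server, port in half_open:
        by_server[(server, port)] += 1
        by_client[client] += 1
    return dict(by_server), dict(by_client)

if __name__ == "__main__":
    servers, clients = summarize(half_open_connections(SAMPLE))
    print("half-open by server:", servers)
    print("half-open by client:", clients)
```

A large count concentrated on one server port with the client side spread thinly across many addresses is the signature of a flood with spoofed sources, which is also why chasing a single offending host from TIME_WAIT counts did not work in the quoted post; a count that tracks a handful of real clients points instead at a path or gear problem.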

