Re: SNORT or other IDS
From: S. Pidgorny [MVP] (slavickp@yahoo.com)
Date: 11/17/02
From: "S. Pidgorny [MVP]" <slavickp@yahoo.com> Date: Sun, 17 Nov 2002 10:58:43 +1100
First of all, see the following KB article and configure servers
accordingly:
http://support.microsoft.com/default.aspx?scid=KB;en-us;q142641
Secondly, a device in your Internet connection gateway (e.g. the firewall)
should be able to add some sort of protection against SYN flood - which one
do you use?
Also, a SYN flood on an internal network can be caused by malfunctioning network
gear or a software package. A protocol analyser and a year of time could help.
Also, take a look at Radware offerings for both DoS protection and BGP -
they have some very good products...
--
Svyatoslav Pidgorny, MS MVP, MCSE
-= F1 is the key =-

"mail.attbi.net" <mattww3@attbi.com> wrote in message
news:KfwB9.51911$nB.3843@sccrnsc03...
> I need HELP :-) Below is a post I put somewhere else but no
> response....
>
> And we have most win2k machines being affected which honestly are handling
> this really really well... not locking up or denying connections but over
> time....
> -----------------------
> I'm in a real tough situation...
>
> Very large network. Connection monitoring to numerous webhosts
> shows likely SYN flood attack.
>
> Found out the hard way :-) All normal protection methods for SYN
> attacks don't work. Normal traffic is too large. Over 100mbps and
> Cisco and Foundry both crash for TCP intercept functions.
>
> IDS attached to network. Can see all in/out traffic. Snort has no
> ability to detect SYN floods.
>
> TCPDUMP, can stare at that all day... and have been. Can not
> associate any single offending host/network. Well, found one that so
> far has over 100k of hits against deny IP ACL but blocking had no
> effect on connections to hosts.
>
> Scan all of our hosts... looking for highest connections in
> TIME_WAIT state... well.... AOL and other proxy servers hide any
> indication of half-open connection attacks because the AOL proxy IPs
> seem to stay in TIME_WAIT for a long time, making them the most
> frequent and common connecting hosts.
>
> Our normal traffic is so high that our router w/ 256MB of RAM and
> doing default route only with BGP crashes if inspecting 1 class A
> worth of traffic such as 60.0.0.0 0.255.255.255.255
>
> I can target several class B's without a problem but I just need some
> blocks to target that would be relevant.
>
> HELP :-)
>
> I have Linux IDS plugged in running snort with spade... tcpdump blah
> blah blah... I can see the full network of traffic... I just can't
> figure out how to find only half-open connections...
> AND there is also the possibility that we are not being attacked and
> are having bizarre network hardware issues...
>
> Please help, I'm getting my $%^& kicked by this...
>
> "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> news:OXDfM9siCHA.1624@tkmsftngp10...
> >
> > "John C. Olinger" <jcolinger@deltyme.com> wrote in message
> > news:1037161506.972841@news-1.nethere.net...
> > > I'm looking to trade knowledge with someone who has experience with
> > > Snort or another IDS.
> >
> > What do you need to know?
> >
> > There are mailing lists and support groups for Snort and other IDS,
> > possibly at www.snort.org and also at http://online.securityfocus.com/archive
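Editor's added example (not code from either poster, and not part of the original thread): the quoted message has tcpdump output but no way to pick out the half-open handshakes, and the TIME_WAIT approach is drowned out by proxies holding closed connections. The script below replays a `tcpdump -n` text capture, keys each connection on the first SYN it sees, and reports the handshakes that never reached the client's final ACK, per server and per client. It assumes the "Flags [S]" syntax that current tcpdump prints (older releases print the flag letters bare, so the regular expression would need adjusting), IPv4 only, and the sample capture inside it is constructed for the demonstration.

```python
"""Find half-open TCP handshakes in tcpdump text output.

Added example; not code from the original thread. It assumes `tcpdump -n`
output in the "Flags [S]" syntax of current tcpdump (older releases print
the flag letters bare, so LINE_RE would need adjusting for those).
"""
import re
import sys
from collections import Counter

# Endpoints and TCP flag letters from a line such as:
#   10:58:43.000004 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
# tcpdump spells ACK as "." so "[S.]" is SYN+ACK and "[.]" is a bare ACK.
LINE_RE = re.compile(
    r"^\S+\s+IP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"Flags\s+\[(?P<flags>[^\]]*)\]"
)

SYN_SENT, SYN_RECEIVED, ESTABLISHED = "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED"


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for non-TCP/unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def analyze(lines):
    """Replay the handshakes and report which ones never completed.

    A connection is keyed by (client, cport, server, sport), the client being
    whoever sent the first SYN. It leaves the half-open set when the client
    sends the final ACK, or when either side sends RST or FIN.
    """
    conns = {}
    established_by_server = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        syn, ack, rst, fin = "S" in flags, "." in flags, "R" in flags, "F" in flags
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if syn and not ack:                      # SYN: client opens (retransmits keep state)
            conns.setdefault(fwd, SYN_SENT)
        elif syn and ack:                        # SYN-ACK: server answered the SYN
            if conns.get(rev) == SYN_SENT:
                conns[rev] = SYN_RECEIVED
        elif rst or fin:                         # reset or close: no longer half-open
            conns.pop(fwd, None)
            conns.pop(rev, None)
        elif ack and conns.get(fwd) == SYN_RECEIVED:   # final ACK completes the handshake
            conns[fwd] = ESTABLISHED
            established_by_server[(dst, dport)] += 1

    half_open_by_server = Counter()
    half_open_by_client = Counter()
    for (client, _cport, server, sport), state in conns.items():
        if state != ESTABLISHED:
            half_open_by_server[(server, sport)] += 1
            half_open_by_client[client] += 1
    return {
        "half_open_by_server": half_open_by_server,
        "half_open_by_client": half_open_by_client,
        "established_by_server": established_by_server,
    }


# Constructed sample capture: one clean handshake to 192.0.2.10:80, three SYNs
# from 198.51.100.x that never complete, one SYN the server resets, and one
# handshake to 192.0.2.11:443 that completes and then closes with FIN.
SAMPLE = """\
10:58:43.000001 IP 10.0.0.5.51000 > 192.0.2.10.80: Flags [S], seq 100, win 65535, length 0
10:58:43.000002 IP 192.0.2.10.80 > 10.0.0.5.51000: Flags [S.], seq 200, ack 101, win 65535, length 0
10:58:43.000003 IP 10.0.0.5.51000 > 192.0.2.10.80: Flags [.], ack 201, win 65535, length 0
10:58:43.000004 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
10:58:43.000005 IP 192.0.2.10.80 > 198.51.100.7.40001: Flags [S.], seq 300, ack 2, win 65535, length 0
10:58:43.000006 IP 198.51.100.7.40002 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
10:58:43.000007 IP 192.0.2.10.80 > 198.51.100.7.40002: Flags [S.], seq 301, ack 2, win 65535, length 0
10:58:43.000008 IP 198.51.100.8.40003 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
10:58:43.000009 IP 198.51.100.8.40004 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
10:58:43.000010 IP 192.0.2.10.80 > 198.51.100.8.40004: Flags [R.], seq 0, ack 2, win 0, length 0
10:58:43.000011 IP 10.0.0.6.51001 > 192.0.2.11.443: Flags [S], seq 5, win 65535, length 0
10:58:43.000012 IP 192.0.2.11.443 > 10.0.0.6.51001: Flags [S.], seq 6, ack 6, win 65535, length 0
10:58:43.000013 IP 10.0.0.6.51001 > 192.0.2.11.443: Flags [.], ack 7, win 65535, length 0
10:58:43.000014 IP 10.0.0.6.51001 > 192.0.2.11.443: Flags [F.], seq 6, ack 7, win 65535, length 0
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                        # tcpdump -n ... > capture.txt; python this.py capture.txt
        with open(sys.argv[1]) as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE.splitlines()
    result = analyze(lines)
    print("half-open per server:")
    for (server, port), n in result["half_open_by_server"].most_common():
        done = result["established_by_server"][(server, port)]
        print(f"  {server}:{port}  half-open={n}  completed={done}")
    print("half-open per client:")
    for client, n in result["half_open_by_client"].most_common(10):
        print(f"  {client}  {n}")
```

Two caveats for using this on a real capture. Connections that closed normally are dropped from the half-open set, so proxies parked in TIME_WAIT (the AOL case in the quoted post) do not inflate the count the way they do with netstat. If the flood uses spoofed source addresses, the per-client list is noise and the per-server half-open count against the completed count is the signal; and because the script needs the client's bare ACK to mark a handshake complete, a capture filter that keeps only SYN/RST/FIN packets would make every legitimate handshake look half-open.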