Re: SNORT or other IDS

From: mail.attbi.net (mattww3@attbi.com)
Date: 11/21/02


From: "mail.attbi.net" <mattww3@attbi.com>
Date: Thu, 21 Nov 2002 01:26:36 GMT

Just in case anyone cares :- )

Turned out it was not an attack... umm, well, let's just say that I can't
prove it is.

What I was finding, as I said in the orig... I had various proxies in
TIME_WAIT state such as AOL.
So, I called them. Very helpful. 4 hour phone call with NOC
engineers. Turns out they had updated their proxies to persistent HTTP 1.1
connections. Well, they were watching the traffic to our sites and found a
repeatable occurrence where some code on our page caused a reload with
NO_CACHE, so the AOL cache servers were hammering us with requests... we had
about 1200 per second.

So, adjusted the code in the websites and allowed a lot more caching. That
helped but didn't fix it.

We are using a Foundry load balancer... So, upgraded to the latest release.
Syn-Def no longer crashes, so that's now applied. Investigating further, but
it may have been that the Foundry did an HTTP 1.1 to 1.0 conversion and when AOL
switched to 1.1 persistent the Foundry said... nope, 1.0... The new version of
code may support 1.1 now as well... Have to confirm with Foundry engineers.

Also significant improvements on TCP aging. Was 2 min for stale
connections. Now 8 seconds.

In short, connections are high but appear legitimate. 12k-20k concurrent.
High connections may be something marketing has done without telling anyone
:-) still researching... but all in all we are stable again.

In case you're interested... 12 Win2k servers handling 25k concurrent
sessions (2 sites daily peak, max much higher), heavy server-side code.
I don't know about you, but I think that's pretty good.

Just me ranting.

"mail.attbi.net" <mattww3@attbi.com> wrote in message
news:KfwB9.51911$nB.3843@sccrnsc03...
> I need HELP :-) Below is a post I put somewhere else but no
> response....
>
> And we have most Win2k machines being affected, which honestly are handling
> this really really well... not locking up or denying connections, but over
> time....
> -----------------------
> I'm in a real tough situation...
>
> Very large network. Connection monitoring to numerous webhosts
> shows likely syn flood attack.
>
> Found out the hard way :-) All normal protection methods for SYN
> attacks don't work. Normal traffic is too large. Over 100mbps, and
> Cisco and Foundry both crash for TCP intercept functions.
>
> IDS attached to network. Can see all in/out traffic. Snort has no
> ability to detect SYN floods.
>
> TCPDUMP, can stare at that all day... and have been. Cannot
> associate any single offending host/network. Well, found one that so
> far has over 100k of hits against a deny IP ACL, but blocking had no
> effect on connections to hosts.
>
>
> Scan all of our hosts... looking for highest connections in
> TIME_WAIT state... well.... AOL and other proxy servers hide any
> indication of half-open connection attacks because the AOL proxy IPs
> seem to stay in TIME_WAIT for a long time, making them the most
> frequent and common connecting hosts.
>
>
> Our normal traffic is so high that our router w/ 256MB of RAM and
> doing default route only with BGP crashes if inspecting 1 class A
> worth of traffic such as 60.0.0.0 0.255.255.255.255
>
> I can target several Class B's without a problem but I just need some
> blocks to target that would be relevant.
>
> HELP :-)
>
> I have a Linux IDS plugged in running Snort with SPADE... tcpdump blah
> blah blah... I can see the full network of traffic... I just can't
> figure out how to find only half-open connections... AND there is
> also the possibility that we are not being attacked and are having
> bizarre network hardware issues...
>
>
> Please Help I'm getting my $%^& kicked by this...
>
>
> "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> news:OXDfM9siCHA.1624@tkmsftngp10...
> >
> > "John C. Olinger" <jcolinger@deltyme.com> wrote in message
> > news:1037161506.972841@news-1.nethere.net...
> > > I'm looking to trade knowledge with someone who has experience with
> > > Snort or another IDS.
> >
> > What do you need to know?
> >
> > There are mailing lists and support groups for Snort and other IDS,
> > possibly at www.snort.org and also at http://online.securityfocus.com/archive
> >
> >
>
>
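
The thing the original poster could not get from tcpdump alone was a view of only the half-open connections, separate from the proxies parked in TIME_WAIT. The following is an added example, not code from this thread or from any of the posters: a Python script that parses the output of `netstat -ant` in the Linux column layout (an assumption) and reports per-state counts plus the top remote hosts per state, so that SYN_RECV sockets are not hidden behind a busy AOL-style proxy that dominates TIME_WAIT. The connection table embedded in it is constructed for illustration, and the thresholds in `half_open_report` are assumed values, not tuned ones.

```python
"""Split a TCP connection table by state so half-open (SYN_RECV) sockets are
not drowned out by busy proxies sitting in TIME_WAIT.

Added example, not code from the original thread.  Parses `netstat -ant`
output in the Linux column layout (assumed) and reports, per state, which
remote hosts hold the most sockets.  The sample table below is constructed.
"""
from collections import Counter

# Constructed sample in `netstat -ant` layout:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.10:41234     TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.10:41235     TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.10:41236     TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.11:51000     ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:1024        SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.8:1025        SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:1026        SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:1027        SYN_RECV
tcp        0      0 10.0.0.5:443            192.0.2.44:60000        ESTABLISHED
"""

HALF_OPEN = "SYN_RECV"   # Linux spelling; BSD and Windows print SYN_RECEIVED


def parse_netstat(text):
    """Return a list of (local, remote_ip, state) tuples from netstat text."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the header and anything that is not a TCP socket line.
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local, foreign, state = parts[3], parts[4], parts[5]
        # rsplit on the last ':' strips the port and also copes with
        # ::ffff:-mapped IPv6 literals, which contain their own colons.
        remote_ip = foreign.rsplit(":", 1)[0]
        rows.append((local, remote_ip, state))
    return rows


def count_by_state(rows):
    """Per-state socket counts (TIME_WAIT, ESTABLISHED, SYN_RECV, ...)."""
    return Counter(state for _, _, state in rows)


def top_remotes(rows, state, n=5):
    """Most frequent remote IPs among sockets currently in `state`."""
    counts = Counter(ip for _, ip, st in rows if st == state)
    return counts.most_common(n)


def half_open_report(rows, threshold=100):
    """Summarise half-open sockets.  `suspect` is set when the half-open
    count exceeds `threshold` AND the sockets are spread across many
    sources; one noisy proxy filling TIME_WAIT never trips it.  Both
    thresholds are assumed values for illustration, not tuned ones."""
    half = [ip for _, ip, st in rows if st == HALF_OPEN]
    distinct = len(set(half))
    return {
        "half_open": len(half),
        "distinct_sources": distinct,
        "suspect": len(half) >= threshold and distinct >= max(2, threshold // 4),
    }


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(count_by_state(rows))
    for st in ("TIME_WAIT", HALF_OPEN):
        print(st, top_remotes(rows, st))
    print(half_open_report(rows, threshold=3))
```

Against a live Linux box, feed the output of `netstat -ant` to `parse_netstat` instead of the constructed table (and set `HALF_OPEN` to `SYN_RECEIVED` on BSD or Windows `netstat -an`). A single remote IP dominating TIME_WAIT is what a persistent-connection proxy looks like from the server side; a flood shows up as SYN_RECV sockets spread across many sources, which is the combination the report checks for.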


