[Oisf-users] tracking source and destination port

Cooper F. Nelson cnelson at ucsd.edu
Thu Jul 4 18:16:12 UTC 2013



On 7/4/2013 10:54 AM, Michael wrote:
>>
>> The DDOS attacks you describe look like normal traffic flows, so it's
>> hard to detect it automatically.
> 
> Do you think? I think it's very unusual that many different hosts use the same source and destination port :)
> 

Well, to a human that looks unusual.  To a router, IDS or server they
are just normal SYN packets.

> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Potential DDOS, high volume SYN traffic"; flags:S,12; threshold: type both, track by_dst, count 1000, seconds 10; sid:1000001; rev:1;)

Thinking about this some more, if the DDOS was higher than any observed
prior peak traffic (as measured by new flows per second) to a single
host, the above rule should work.  In fact, it will even work if the
attacker uses random src/dst ports.  It's just up to you to define what
constitutes a DDOS attack.

You might want to also consider looking at doing this via netflow.  For
example, you could write a script to simply monitor port src/dst
distribution and send an alert if any unique tuple ever exceeds a
certain threshold.

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
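The two detection ideas in this reply, the rule's "count 1000 in 10 seconds, tracked by destination" threshold and the netflow script that watches the src/dst port distribution, as an added example (not code from the list post or from Suricata). It runs over a constructed CSV export in a simplified layout, not real nfdump or IPFIX output; the IPs, ports and the 1000/10 threshold values are the rule's or are assumed. Baseline traffic is one new connection per second from varied ephemeral ports; the burst is 1200 SYNs in 10 seconds from many hosts that all reuse source port 6000, the pattern the original poster described.

```python
from collections import defaultdict, deque


def build_sample_export():
    """Return constructed flow records in a simplified CSV layout (not real
    nfdump/IPFIX output): epoch_seconds,src_ip,src_port,dst_ip,dst_port,tcp_flags."""
    lines = []
    # Baseline: one new connection per second from varied clients on ephemeral ports.
    for i in range(300):
        lines.append(f"{1372960000 + i},203.0.113.{i % 200 + 1},{30000 + i},192.0.2.5,80,S")
    # Burst: 1200 SYNs in 10 seconds from many hosts, all reusing source port 6000.
    for i in range(1200):
        lines.append(f"{1372960300 + i // 120},198.51.100.{i % 250 + 1},6000,192.0.2.5,80,S")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the CSV layout above into dicts, sorted by timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, flags = line.split(",")
        flows.append({"ts": int(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "flags": flags})
    return sorted(flows, key=lambda f: f["ts"])


def is_syn(flow):
    # SYN without ACK: the same packets the rule's "flags:S,12" selects.
    return "S" in flow["flags"] and "A" not in flow["flags"]


def syn_peak_by_dst(flows, seconds=10):
    """Peak number of new SYN flows any destination received within a sliding
    window of `seconds`; this mirrors "track by_dst ... seconds 10"."""
    window = defaultdict(deque)
    peak = defaultdict(int)
    for f in flows:
        if not is_syn(f):
            continue
        q = window[f["dst"]]
        q.append(f["ts"])
        # Drop timestamps that fell out of the (ts - seconds, ts] window.
        while q[0] <= f["ts"] - seconds:
            q.popleft()
        peak[f["dst"]] = max(peak[f["dst"]], len(q))
    return dict(peak)


def flood_targets(flows, count=1000, seconds=10):
    """Destinations whose SYN rate crossed the rule's "count 1000, seconds 10"."""
    return {dst for dst, n in syn_peak_by_dst(flows, seconds).items() if n >= count}


def port_tuple_outliers(flows, threshold=100):
    """Counts per (dst_ip, src_port, dst_port) tuple that exceed `threshold`.
    Many distinct sources sharing one source port is what the reporter noticed;
    a single tuple dominating the distribution is the signal the netflow
    script would alert on. The threshold is an assumed value."""
    counts = defaultdict(int)
    for f in flows:
        counts[(f["dst"], f["sport"], f["dport"])] += 1
    return {k: n for k, n in counts.items() if n > threshold}


if __name__ == "__main__":
    flows = parse_flows(build_sample_export())
    print("peak SYN/10s per destination:", syn_peak_by_dst(flows))
    print("flood targets:", flood_targets(flows))
    print("dominant port tuples:", port_tuple_outliers(flows))
```

The rate check fires on the burst whether or not the ports are randomised, which is Cooper's point about the threshold rule; the tuple check only fires when one (dst, sport, dport) combination dominates, so the baseline's spread of ephemeral ports never trips it. Both thresholds have to be tuned against the site's own observed peak, as the reply says.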