[Oisf-users] tracking source and destination port

Michael hoffrath at gmx.de
Thu Jul 4 18:23:12 UTC 2013

Hello Cooper,

thanks again :).

Am 04.07.2013 um 20:16 schrieb Cooper F. Nelson:

> On 7/4/2013 10:54 AM, Michael wrote:
> >>
> >> The DDOS attacks you describe look like normal traffic flows; so its
> >> hard to detect it automatically.
> > 
> > Do you think? I think it's very unusual that many different hosts uses the same source and destination port :)
> > 
> Well, to a human that looks unusual.  To a router, IDS or server they
> are just normal SYN packets.
> >alert tcp $EXTERNAL_NET $HOME_NET -> any any (msg:"LOCAL Potential DDOS, high volume SYN traffic"; flags: S,12; threshold: type both, track by_dst, count 1000, seconds 10;
> Thinking about this some more, if the DDOS was higher than any observed
> prior peak traffic (as measured by new flows per second) to a single
> host, the above rule should work.  In fact, it will even work if the
> attacker uses random src/dst ports.  Its just up to you to define what
> constitutes a DDOS attack.

I will give it a try, thank you.

> You might want to also consider looking at doing this via netflow.  For
> example, you could write a script to simply monitor port src/dst
> distribution and send an alert if any unique tuple it ever exceeds a
> certain threshold.

That was my second choice if suricata is not able doing this and the way we currently track down such attacks :)

> - -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042

More information about the Oisf-users mailing list