[Oisf-users] tracking source and destination port
Michael
hoffrath at gmx.de
Thu Jul 4 18:23:12 UTC 2013
Hello Cooper,
thanks again :).
On 04.07.2013 at 20:16, Cooper F. Nelson wrote:
> On 7/4/2013 10:54 AM, Michael wrote:
> >>
> >> The DDOS attacks you describe look like normal traffic flows; so it's
> >> hard to detect it automatically.
> >
> > Do you think? I think it's very unusual that many different hosts use the same source and destination port :)
> >
>
> Well, to a human that looks unusual. To a router, IDS or server they
> are just normal SYN packets.
>
> >alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Potential DDOS, high volume SYN traffic"; flags:S,12; threshold: type both, track by_dst, count 1000, seconds 10; sid:1000001; rev:1;)
>
> Thinking about this some more, if the DDOS was higher than any observed
> prior peak traffic (as measured by new flows per second) to a single
> host, the above rule should work. In fact, it will even work if the
> attacker uses random src/dst ports. It's just up to you to define what
> constitutes a DDOS attack.
I will give it a try, thank you.
>
> You might want to also consider looking at doing this via netflow. For
> example, you could write a script to simply monitor port src/dst
> distribution and send an alert if any unique tuple ever exceeds a
> certain threshold.
That was my second choice if Suricata is not able to do this, and it is the way we currently track down such attacks :)
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
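As an added illustration (not code from the thread or from the Suricata project), here is a small Python version of the two approaches Cooper mentions: the rule's per-destination SYN count over a sliding time window, and the netflow idea of counting how many distinct source hosts share one source-port/destination/destination-port tuple. The flow records are constructed sample data, and the once-per-window alerting is an approximation of the rule's `threshold: type both` semantics.

```python
from collections import defaultdict, deque

# Constructed sample flows (not real traffic):
# (time_s, src_ip, sport, dst_ip, dport, syn_only)
# 1200 SYN-only flows from 200 distinct hosts, all using sport 443 -> 192.0.2.10:80,
# plus 20 ordinary flows from one host with varying source ports.
SAMPLE_FLOWS = (
    [(t / 1000, f"203.0.113.{t % 200}", 443, "192.0.2.10", 80, True) for t in range(1200)]
    + [(t, "198.51.100.5", 40000 + t, "192.0.2.10", 80, False) for t in range(20)]
)


def syn_volume_alerts(flows, count=1000, seconds=10):
    """Approximate 'threshold: type both, track by_dst, count N, seconds S'
    for SYN-only flows: once a destination sees N SYNs within S seconds,
    emit one (dst_ip, time) alert and stay quiet for the rest of that window."""
    windows = defaultdict(deque)   # dst_ip -> timestamps of SYN flows in the window
    quiet_until = {}               # dst_ip -> time until which we suppress repeats
    alerts = []
    for ts, _src, _sport, dst, _dport, syn in sorted(flows):
        if not syn:
            continue
        q = windows[dst]
        q.append(ts)
        while q and ts - q[0] > seconds:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= count and quiet_until.get(dst, -1) < ts:
            alerts.append((dst, ts))
            quiet_until[dst] = ts + seconds
    return alerts


def port_tuple_alerts(flows, threshold=100):
    """Netflow-style check: how many distinct source hosts share the same
    (sport, dst_ip, dport) tuple? Return the tuples at or above the threshold."""
    sources = defaultdict(set)
    for _ts, src, sport, dst, dport, _syn in flows:
        sources[(sport, dst, dport)].add(src)
    return {k: len(v) for k, v in sources.items() if len(v) >= threshold}


if __name__ == "__main__":
    print(syn_volume_alerts(SAMPLE_FLOWS))          # one alert for 192.0.2.10
    print(port_tuple_alerts(SAMPLE_FLOWS))          # {(443, '192.0.2.10', 80): 200}
```

The port-tuple check is the part the SYN-count rule cannot express, since it keys on how many different sources reuse one tuple rather than on raw volume.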