[Oisf-users] Suricata and DDoS Attack

Leonard Jacobs ljacobs at netsecuris.com
Wed Jan 27 13:27:20 UTC 2016


The following is what was reported to us before the appliance was rebooted.


After the ISP reported that the DDoS attack on them was over, the connection at this particular location did not stabilize until Suricata was restarted with a reboot of appliance.  But before the reboot the following was reported.



- Rebooting the firewall did nothing to help
- The ISP rebooted their OST, but it didn’t help
- Sometimes pages would load, but most of the time, not 100% of any website would load
- They could traceroute to these sites and couldn’t find a common link (bad router upstream, etc.)
- Ping worked the whole time post-DDoS attack up until the appliance was rebooted


I explained to them why the last bullet was the case.  When Suricata is in af-packet mode, the bridges will go down on reboot until Suricata is back up and running.


We can't figure out if this is just coincidental to the DDoS activity.


The ISP provided the public IP addresses of what they think is the source of the DDoS attack.  We checked them against the event database.  None of those addresses ever hit this Suricata appliance.


Thanks.
Leonard




From: Peter Manev <petermanev at gmail.com>
To: Victor Julien <lists at inliniac.net>
Cc: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Sent: 1/27/2016 4:16 AM
Subject: Re: [Oisf-users] Suricata and DDoS Attack

On Wed, Jan 27, 2016 at 9:59 AM, Victor Julien <lists at inliniac.net> wrote:
> On 27-01-16 03:00, Leonard Jacobs wrote:
>>
>> With one of the networks we monitor, the ISP was under a DDoS attack
>> yesterday.  It appears that Suricata kept functioning the whole time the
>> attack was occurring because we kept seeing events.  However, somewhere
>> along the way the IPS appeared to lock up.  The appliance was rebooted
>> and everything came back to normal.


What do you mean by "lock up" - the process stops responding, or it
segfaults, or something else?
Anything strange in the last update in stats.log?

>>
>> We run the IPS in AF-Packet mode.  The actual network we monitor was not
>> directly under the DDoS attack, but slow Internet response times were
>> experienced.
>>
>> Is it possible that Suricata was experiencing some resource exhaustion?
>> Logs did not show anything wrong.
>
>
> Hard to say without more info. If it would happen again before killing
> Suricata, could you attach to it with gdb and create a back trace?
>
> gdb --attach $(pidof suricata)
>
> then inside gdb
>
> (gdb) set logging on
> (gdb) thread apply all bt
>
>
> Then press return till you get back to the prompt. Then type quit. This
> process has created a gdb.txt file containing a copy of the output that
> describes the state of the different threads. You can then attach this file
> to the bug report.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------



-- 
Regards,
Peter Manev
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
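Peter's question about "the last update in stats.log" is the first check an operator would run after an incident like this, so here is an added example (not code from this thread or from the Suricata project) that parses a stats.log, isolates the most recent update and flags capture drops and non-zero memcap counters. The "Counter | TM Name | Value" row layout is assumed from Suricata's stats.log format, and the sample log below is constructed, not taken from the affected appliance.

```python
import re
from typing import Dict, List

# Constructed sample in the assumed stats.log layout: one "Date:" header per
# update, followed by "Counter | TM Name | Value" rows (counters are cumulative).
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------
Date: 1/27/2016 -- 03:00:05 (uptime: 2d, 11h 10m 05s)
------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 1000000
capture.kernel_drops                       | Total                     | 0
flow.memcap                                | Total                     | 0
------------------------------------------------------------------------------
Date: 1/27/2016 -- 03:00:25 (uptime: 2d, 11h 10m 25s)
------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 1400000
capture.kernel_drops                       | Total                     | 210000
flow.memcap                                | Total                     | 5321
tcp.ssn_memcap_drop                        | Total                     | 77
"""

# Matches "name | thread | integer"; header and dashed lines do not match.
ROW = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_updates(text: str) -> List[Dict[str, int]]:
    """Split a stats.log into one {counter: value} dict per update ('Total' rows only)."""
    updates: List[Dict[str, int]] = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            updates.append({})          # a new update block starts here
        elif updates:
            m = ROW.match(line)
            if m and m.group(2) == "Total":
                updates[-1][m.group(1)] = int(m.group(3))
    return updates


def check_last_update(text: str, drop_pct_threshold: float = 1.0) -> List[str]:
    """Warnings for the final update: kernel drop ratio and any memcap counter above zero."""
    updates = parse_updates(text)
    if not updates:
        return ["no updates found"]
    last, warnings = updates[-1], []
    pkts, drops = last.get("capture.kernel_packets", 0), last.get("capture.kernel_drops", 0)
    if pkts and 100.0 * drops / pkts >= drop_pct_threshold:
        warnings.append(f"kernel_drops {drops}/{pkts} ({100.0 * drops / pkts:.1f}%)")
    warnings += [f"{k}={v}" for k, v in last.items() if "memcap" in k and v > 0]
    return warnings
```

Because the counters are cumulative, a drop ratio that jumps between the last two updates (as in the sample) points at the capture path or a memcap limit being hit during the event rather than at a long-standing baseline.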