[Oisf-users] Can I block DDos attack via Suricata-IDS?

Cooper F. Nelson cnelson at ucsd.edu
Wed Feb 1 19:00:03 UTC 2017


I'm running these rules:

> alert udp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL DOS UDP port 80 flood inbound, Potential DOS"; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:3;)
> alert udp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL DOS UDP port 80 flood outbound, Potential DOS"; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:4;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL DOS SYN packet flood inbound, Potential DOS"; flow:to_server; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:5;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL DOS SYN packet flood outbound, Potential DOS"; flow:to_server; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:6;)

When they trigger we investigate and take action as required.

Note that these sigs cause high load on a busy sensor.  And somewhat
ironically, the "SYN flood" sigs will DOS suricata itself when
experiencing a SYN flood.  This is ok for us, though, as we'll take
action to prevent the attack.

-Coop

On 2/1/2017 3:03 AM, Jason Long wrote:
> I need the user ideas and experiences.
> --------------------------------------------
> On Mon, 1/30/17, Jason Long <hack3rcon at yahoo.com> wrote:
> 
>  Subject: Can I block DDos attack via Suricata-IDS?
>  To: "Oisf-users" <oisf-users at lists.openinfosecfoundation.org>
>  Date: Monday, January 30, 2017, 3:58 AM
>  
>  Hello. Can I use Suricata-IDS to
>  block DDoS attacks?
>  Thank you.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
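As an added illustration (not part of Cooper's mail or of Suricata itself), here is a small Python model of what sid:5 above does: the flags:S,12 match and the "threshold: type both, track by_dst" suppression, run over constructed traffic. The Packet record, sample_traffic() and the exact window-reset behaviour are assumptions of the model, not Suricata's internal implementation; flow:to_server is not modelled.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts proto dst dport flags")   # assumed record shape

# TCP flag bits, named as in the Suricata/Snort "flags" keyword.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 1, 2, 4, 8, 16, 32, 64, 128

def syn_only(flags):
    """flags:S,12 from sid:5/6: SYN set and no other flag, ignoring the two
    high "reserved" bits (today's ECE and CWR) so ECN-setup SYNs still match."""
    return (flags & ~(ECE | CWR)) == SYN

class ThresholdBoth:
    """Approximation of 'threshold: type both, track by_dst, count N, seconds T':
    per destination, fire once the window has seen N matches, then stay quiet
    until a fresh window starts T seconds after the window's first match."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}            # dst -> [window_start, hits, already_alerted]

    def observe(self, dst, ts):
        st = self.state.get(dst)
        if st is None or ts - st[0] >= self.seconds:
            st = self.state[dst] = [ts, 0, False]
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False

def syn_flood_alerts(packets, count=5000, seconds=5):
    """Run the sid:5 logic over a packet list; return (ts, dst) for each alert.
    (flow:to_server is not modelled; every packet is treated as client->server.)"""
    thr = ThresholdBoth(count, seconds)
    return [(p.ts, p.dst) for p in packets
            if p.proto == "tcp" and syn_only(p.flags) and thr.observe(p.dst, p.ts)]

def sample_traffic():
    """Constructed traffic: a 12000-SYN burst over 4 s to 10.0.0.5, a second
    6000-SYN burst 10 s later, SYN/ACKs (must not count) and a light SYN
    trickle to 10.0.0.6 that never reaches the threshold."""
    pk = [Packet(i * 4 / 12000, "tcp", "10.0.0.5", 80, SYN) for i in range(12000)]
    pk += [Packet(10 + i * 2 / 6000, "tcp", "10.0.0.5", 80, SYN | ECE | CWR) for i in range(6000)]
    pk += [Packet(i * 4 / 3000, "tcp", "10.0.0.5", 80, SYN | ACK) for i in range(3000)]
    pk += [Packet(i * 0.5, "tcp", "10.0.0.6", 443, SYN) for i in range(100)]
    return sorted(pk)

if __name__ == "__main__":
    for ts, dst in syn_flood_alerts(sample_traffic()):
        print(f"{ts:7.3f}s  LOCAL DOS SYN packet flood inbound -> {dst}")
```

The 12000-packet burst yields a single alert (at the 5000th SYN, the rest of the window is suppressed), and the burst ten seconds later yields one more; the per-packet state kept for every destination is also where the load Cooper mentions comes from.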


