[Oisf-users] Can I block DDos attack via Suricata-IDS?
Peter Manev
petermanev at gmail.com
Wed Feb 1 21:04:15 UTC 2017
On Wed, Feb 1, 2017 at 8:00 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> I'm running these rules:
>
>> alert udp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL DOS UDP port 80 flood inbound, Potential DOS"; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:3;)
>> alert udp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL DOS UDP port 80 flood outbound, Potential DOS"; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:4;)
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL DOS SYN packet flood inbound, Potential DOS"; flow:to_server; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:5;)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL DOS SYN packet flood outbound, Potential DOS"; flow:to_server; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:6;)
>
> When they trigger we investigate and take action as required.
>
> Note that these sigs cause high load on a busy sensor. And somewhat
> ironically, the "SYN flood" sigs will DOS suricata itself when
> experiencing a SYN flood. This is ok for us, though, as we'll take
> action to prevent the attack.
>
Coop, you may want to try the prefilter keyword - it should offer a
performance benefit in your case, I think.
Couple of examples:
http://suricata.readthedocs.io/en/latest/rules/prefilter.html
https://github.com/inliniac/suricata/commit/56239690d041a55ae9c74f6d925d1ae25d48b526
(feedback is welcome)
> -Coop
>
> On 2/1/2017 3:03 AM, Jason Long wrote:
>> I need users' ideas and experiences.
>> --------------------------------------------
>> On Mon, 1/30/17, Jason Long <hack3rcon at yahoo.com> wrote:
>>
>> Subject: Can I block DDos attack via Suricata-IDS?
>> To: "Oisf-users" <oisf-users at lists.openinfosecfoundation.org>
>> Date: Monday, January 30, 2017, 3:58 AM
>>
>> Hello. Can I use Suricata-IDS to
>> block DDoS attacks?
>> Thank you.
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>
>
--
Regards,
Peter Manev
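Added example (mine, not from the thread and not Suricata project code): Coop's two SYN-flood rules with the prefilter keyword placed directly after the flags test, which is how the linked prefilter documentation shows the keyword being applied. With it, Suricata uses the TCP flags check as a prefilter engine and only runs the threshold bookkeeping on packets that have already passed it, instead of evaluating the full rule on every TCP packet. The rev:2 and the comments are my additions; sids, thresholds and messages are as posted.

```text
# Added example, not from the thread. Coop's SYN-flood rules with
# "prefilter;" after the flags test so the TCP flags match is used as
# the prefilter for these rules. rev:2 is an assumed bump, not from the list.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL DOS SYN packet flood inbound, Potential DOS"; flow:to_server; flags:S,12; prefilter; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:5; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL DOS SYN packet flood outbound, Potential DOS"; flow:to_server; flags:S,12; prefilter; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:6; rev:2;)
```

The UDP port-80 rules are left unchanged: they carry no match keyword apart from threshold, so there is nothing for prefilter to attach to. Alternatively, the suricata.yaml setting detect.prefilter.default can be switched from mpm to auto to let Suricata pick prefilter engines for all rules automatically; the explicit keyword is the safer way to test the effect on just these signatures first, and checking suricata --engine-analysis (or the rule-analysis output) before and after is a reasonable way to confirm the prefilter engine is actually being used.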