Re: IDS: SYN flood
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
Panji,
The reason why it is hard to write a hard and fast anomaly
detection for a SYN flood is due to a threshold concern. Some high
traffic web sites like yahoo.com may receive several hundred legitimate SYN
packets within any given time, (which is how RealSecure detects SYN floods,
not sure about others), while others may be brought down with such
activity. So before you can adequately write a SYN flood decode to a
precise measure, you must know what is normal, and what is not. Given
this, many IDS vendors leave that up to the customer by providing them
with a threshold value to calibrate.
-blue0ne
On 16 Aug 2000 panji@fmipa.ipb.ac.id wrote:
> Hi,
> My name is Panji. I am just learning about intrusion detection systems to fulfill my
> thesis, and I am trying to make an anomaly analysis of SYN flood. After I read
> some papers, I didn't find any fixed value or limit value for packets that can be
> categorized as intrusion.
>
> And I am sorry if my question is just a basic problem.
>
> regards,
>
> panji
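An added example, not part of the original messages and not any vendor's detection logic: a per-destination SYN-rate threshold calibrated from a window of normal traffic, showing why the same 300 SYN/s burst is normal for a busy host and an alert for a quiet one. The packet records, addresses, function names and the mean + k*stddev rule with a floor are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def syn_counts(packets, interval=1.0):
    """Count pure SYNs (SYN set, ACK clear) per destination per time bucket."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, dst, flags in packets:
        if "S" in flags and "A" not in flags:
            buckets[dst][int(ts // interval)] += 1
    return {dst: [b.get(i, 0) for i in range(max(b) + 1)]
            for dst, b in buckets.items()}

def calibrate(baseline, k=3.0, floor=20):
    """Threshold = mean + k*stddev of normal traffic, never below `floor`."""
    return max(floor, mean(baseline) + k * pstdev(baseline))

def detect(counts, threshold, sustain=2):
    """Indices of buckets that complete a run of `sustain` over-threshold buckets."""
    alerts, run = [], 0
    for i, c in enumerate(counts):
        run = run + 1 if c > threshold else 0
        if run >= sustain:
            alerts.append(i)
    return alerts

def make_packets(dst, per_second):
    """Constructed sample input: (timestamp, dst, flags) records, one SYN each."""
    return [(sec + n / (c + 1), dst, "S")
            for sec, c in enumerate(per_second) for n in range(c)]

# Constructed traffic: 6 s of normal load, then 3 s at 300 SYN/s for both hosts.
BUSY, QUIET = "192.0.2.10", "192.0.2.20"
NORMAL = {BUSY: [280, 310, 295, 305, 290, 320], QUIET: [4, 6, 5, 3, 7, 5]}
BURST = [300, 300, 300]

def run_demo():
    packets = []
    for dst, normal in NORMAL.items():
        packets += make_packets(dst, normal + BURST)
        packets.append((0.5, dst, "SA"))  # a SYN/ACK must not be counted
    results = {}
    for dst, counts in syn_counts(packets).items():
        threshold = calibrate(counts[:6])  # learn "normal" from the first 6 s
        results[dst] = (round(threshold, 1), detect(counts[6:], threshold))
    return results

if __name__ == "__main__":
    for dst, (thr, alerts) in run_demo().items():
        print(dst, "threshold", thr, "alert buckets", alerts)
```

The floor keeps a very quiet host from alerting on a handful of extra connections, and the sustain count suppresses a single busy second; both are tuning knobs of the kind the reply says vendors leave to the customer.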