
RE: IDS: SYN flood



Mr. Jacky

Thanks for your comment. I have read a book by Mr. Stephen
Northcutt; he explains SYN floods very clearly, but he never talks about a
range of values for SYN. So, if you have a paper or resource about how to
measure this value, please kindly inform me.

Actually, I want to do some research about that, but I don't know where to
start.

Regards,


Panji 


> Panji,
>       The reason why it is hard to write a hard and fast anomaly
> detection for a syn flood is due to a threshold concern.  Some high
> traffic web sites like yahoo.com may receive several hundred legitimate SYN
> packets within any given time (which is how RealSecure detects SYNFloods,
> not sure about others), while others may be brought down with such
> activity.  So before you can adequately write a SYN flood decode to a
> precise measure, you must know what is normal, and what is not.  Given
> this, many IDS vendors leave that up to the customer by providing them
> with a threshold value to calibrate.
> 
> 
> 
> -blue0ne
> 
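
The calibration problem discussed in this thread, as an added example that is not part of either message and not any vendor's detection logic: it builds a per-destination SYN-rate baseline and shows the same burst being normal for a busy host and anomalous for a quiet one. The mean plus k standard deviations rule, the floor value, the host addresses and all traffic are assumptions constructed for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

def syn_counts(packets, window=1.0):
    """Count bare SYNs (SYN set, ACK clear) per (destination, window index)."""
    counts = Counter()
    for ts, dst, flags in packets:
        if "S" in flags and "A" not in flags:
            counts[(dst, int(ts // window))] += 1
    return counts

def calibrate(baseline, k=3.0, floor=10):
    """Per-destination threshold = mean + k*stddev of baseline windows.
    The rule, k and floor are assumptions; windows with no SYN are not counted."""
    per_dst = {}
    for (dst, _), n in baseline.items():
        per_dst.setdefault(dst, []).append(n)
    return {d: max(floor, mean(v) + k * pstdev(v)) for d, v in per_dst.items()}

def alerts(counts, thresholds, default=10):
    """Return (destination, window) pairs whose SYN count exceeds the threshold."""
    return sorted(key for key, n in counts.items()
                  if n > thresholds.get(key[0], default))

def make_packets(dst, per_window, start=0, flags="S"):
    """Constructed sample traffic: n evenly spaced packets in each 1 s window."""
    return [(start + w + i / n, dst, flags)
            for w, n in enumerate(per_window) for i in range(n)]

# Constructed baseline: a busy web server and a quiet mail host (addresses made up).
BASELINE = (make_packets("10.0.0.80", [300, 320, 280, 310])
            + make_packets("10.0.0.25", [4, 6, 5, 5]))
THRESHOLDS = calibrate(syn_counts(BASELINE))

# Constructed live traffic: both hosts see 330 SYNs in the same second, plus
# SYN-ACK packets that must not be counted.
LIVE = (make_packets("10.0.0.80", [330], start=100)
        + make_packets("10.0.0.25", [330], start=100)
        + make_packets("10.0.0.25", [50], start=100, flags="SA"))

if __name__ == "__main__":
    print(THRESHOLDS)
    print(alerts(syn_counts(LIVE), THRESHOLDS))  # only the quiet host alerts
```
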



