Re: IDS: SYN flood
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
Your best bet is to simply measure a normal value on the target system
(using whatever network analysis tool you feel like) then arbitrarily decide
on a threshold value based on that. Depending on how the usage works, this
could be 20%, 50% or even 200% over the normal value. Basically - profile
the system, find out what is DEFINITELY over the normal usage, add a little,
and see how it works.
The choice of threshold values for a statistically based IDS is probably the
hardest part of developing good, useful data on possible intrusions.
----- Original Message -----
From: <panji@fmipa.ipb.ac.id>
To: <blue0ne@igloo.org>
Cc: <ids@uow.edu.au>
Sent: Thursday, August 17, 2000 12:20 AM
Subject: RE: IDS: SYN flood
> Mr. Jacky
>
> Thanks for your comment. I have read the book by Mr. Stephen
> Northcutt; he explains SYN floods very clearly, but he never talks
> about a range value for SYN. So, if you have some paper or resource
> about how to measure this value, please kindly inform me.
>
> Actually I want to do some research on that, but I don't know where
> the starting point is.
>
> Regards,
>
>
> Panji
>
>
> > Panji,
> > The reason why it is hard to write a hard and fast anomaly
> > detection for a SYN flood is due to a threshold concern. Some high
> > traffic web sites like yahoo.com may receive several hundred legitimate
> > SYN packets within any given time (which is how RealSecure detects
> > SYN floods, not sure about others), while others may be brought down
> > with such activity. So before you can adequately write a SYN flood
> > decode to a precise measure, you must know what is normal, and what
> > is not. Given this, many IDS vendors leave that up to the customer by
> > providing them with a threshold value to calibrate.
> >
> >
> >
> > -blue0ne
> >
>
>
>
>
> Download NeoPlanet at http://www.neoplanet.com
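The calibration approach the reply describes (profile normal SYN arrivals, pick a threshold some percentage over that baseline, alert on intervals that exceed it) as an added example, not code from anyone in the thread. All traffic numbers are constructed sample data; the 50% margin is one of the figures the reply mentions, and the two profiles show why the same burst is an anomaly for a small site but ordinary for a busy one.

```python
"""Threshold-based SYN flood detector, in the style sketched in the thread.

Profile normal SYN counts per interval, set a threshold at a chosen percentage
above that baseline, then flag intervals that exceed it.  Every number below
is constructed sample data, not a measurement of any real system.
"""
from statistics import mean
from typing import Iterable, List, Tuple


def baseline_syn_rate(profile: Iterable[int]) -> float:
    """Mean SYN count per interval observed during a known-normal period."""
    return float(mean(profile))


def syn_threshold(baseline: float, pct_over: float) -> float:
    """Threshold = baseline plus a margin; pct_over=50 means 150% of normal."""
    return baseline * (1.0 + pct_over / 100.0)


def flag_intervals(counts: Iterable[int], threshold: float) -> List[Tuple[int, int]]:
    """Return (interval_index, syn_count) for each interval above the threshold."""
    return [(i, c) for i, c in enumerate(counts) if c > threshold]


def detect(profile: Iterable[int], observed: Iterable[int],
           pct_over: float = 50.0) -> Tuple[float, List[Tuple[int, int]]]:
    """Calibrate from the profile, then evaluate the observed traffic."""
    thr = syn_threshold(baseline_syn_rate(profile), pct_over)
    return thr, flag_intervals(observed, thr)


# Constructed profiles: a small site seeing ~10 SYN/interval during normal
# operation, and a busy site seeing ~400 SYN/interval.
SMALL_SITE_PROFILE = [8, 11, 9, 12, 10, 10, 9, 11]
BUSY_SITE_PROFILE = [380, 420, 410, 390, 400, 405, 395, 400]

# Constructed observed traffic: one burst of 300 SYNs in interval 4.
OBSERVED = [10, 12, 9, 11, 300, 10, 9, 11]

if __name__ == "__main__":
    for name, profile in (("small site", SMALL_SITE_PROFILE),
                          ("busy site", BUSY_SITE_PROFILE)):
        thr, alerts = detect(profile, OBSERVED)
        print(f"{name}: threshold={thr:.1f} SYN/interval, alerts={alerts}")
```

With a 50% margin the burst trips the small site's threshold of 15 but stays well under the busy site's 600, which is the calibration problem both replies describe.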