Intrusion Detection Systems
mailing list archives
RE: SYN flood
From: panji () fmipa ipb ac id
Date: 16 Aug 2000 23:20:46 +0900
-----------------------------------------------------------------------------
Mr. Jacky,
Thanks for your comment. I have read the book by Mr. Stephen
Northcutt; he explains SYN flood very clearly, but he never talks about a
range value for SYN. So, if you have some paper or resource about how to
measure this value, please kindly inform me.
Actually I want to do some research about that, but I don't know where
to start.
Regards,
Panji

Panji,
The reason why it is hard to write a hard and fast anomaly
detection for a SYN flood is due to a threshold concern. Some high
traffic web sites like yahoo.com may receive several hundred legitimate
SYN packets within any given time, (which is how RealSecure detects
SYNFloods, not sure about others), while others may be brought down with
such activity. So before you can adequately write a SYN flood decode to a
precise measure, you must know what is normal, and what is not. Given
this, many IDS vendors leave that up to the customer by providing them
with a threshold value to calibrate.
-blue0ne
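
The calibration point in the reply above, as an added example that is not part of the original thread and not any vendor's detection logic: a per-destination SYN threshold is derived from known-normal traffic, so the same 300 SYN/s is accepted for a busy site and flagged for a quiet one. The event format, the addresses, the traffic figures and the `k` and `floor` parameters are all constructed assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

BUSY, QUIET = "198.51.100.10", "198.51.100.20"  # constructed documentation addresses

def syn_counts(events, window=1):
    """Count SYNs per (destination, window index); events are (timestamp_s, dst)."""
    return Counter((dst, int(ts // window)) for ts, dst in events)

def calibrate(baseline, window=1, k=3.0, floor=10):
    """Per-destination threshold from known-normal traffic: mean + k * stddev of
    SYNs per window. k and floor are assumed tuning knobs, not vendor values."""
    counts = syn_counts(baseline, window)
    slots = range(min(w for _, w in counts), max(w for _, w in counts) + 1)
    thresholds = {}
    for dst in {d for d, _ in counts}:
        series = [counts.get((dst, w), 0) for w in slots]  # idle windows count as 0
        thresholds[dst] = max(floor, mean(series) + k * pstdev(series))
    return thresholds

def detect(events, thresholds, window=1, default=10):
    """Return (dst, window_start_s, syn_count, limit) for each window over its limit."""
    alerts = []
    for (dst, w), n in sorted(syn_counts(events, window).items()):
        limit = thresholds.get(dst, default)  # unseen destinations get the default
        if n > limit:
            alerts.append((dst, w * window, n, round(limit, 1)))
    return alerts

def burst(dst, second, n):
    """Constructed sample data: n SYNs to dst spread across one second."""
    return [(second + i / n, dst) for i in range(n)]

def demo():
    baseline = []
    for s in range(10):  # ten seconds of "normal" traffic for each site
        baseline += burst(BUSY, s, 280 + 8 * (s % 5)) + burst(QUIET, s, 2 + s % 3)
    thresholds = calibrate(baseline)
    live = burst(BUSY, 100, 300) + burst(QUIET, 100, 300)  # same rate at both sites
    return thresholds, detect(live, thresholds)

if __name__ == "__main__":
    thresholds, alerts = demo()
    print(thresholds)
    print(alerts)
```

A fixed global limit would either alert constantly on the busy site or miss the quiet one; the baseline period itself must be free of attack traffic for the calibrated limits to mean anything.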