Intrusion Detection Systems mailing list archives
Re: SYN flood
From: "Nathan Carey" <ncarey () bigpond net au>
Date: Sun, 20 Aug 2000 23:18:04 +1000
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------

Your best bet is to simply measure a normal value on the target system (using whatever network analysis tool you feel like) then arbitrarily decide on a threshold value based on that. Depending on how the usage works, this could be 20%, 50% or even 200% over the normal value. Basically - profile the system, find out what is DEFINITELY over the normal usage, add a little, and see how it works. The choice of threshold values for statistically based IDS is probably the hardest part of developing good, useful data on possible intrusions.

----- Original Message -----
From: <panji () fmipa ipb ac id>
To: <blue0ne () igloo org>
Cc: <ids () uow edu au>
Sent: Thursday, August 17, 2000 12:20 AM
Subject: RE: IDS: SYN flood
Mr. Jacky,

Thanks for your comment. I have read the book by Mr. Stephen Northcutt; he explains SYN floods very clearly, but he never talks about a range value for SYN. So, if you have some paper or resource about how to measure this value, please kindly inform me. Actually I want to do some research on that, but I don't know where the point to start is.

Regards,
Panji

Panji,

The reason why it is hard to write a hard and fast anomaly detection for a SYN flood is due to a threshold concern. Some high traffic web sites like yahoo.com may receive several hundred legitimate SYN packets within any given time (which is how RealSecure detects SYN floods, not sure about others), while others may be brought down with such activity. So before you can adequately write a SYN flood decode to a precise measure, you must know what is normal, and what is not. Given this, many IDS vendors leave that up to the customer by providing them with a threshold value to calibrate.

-blue0ne
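The calibration procedure the thread converges on (profile the host's normal SYN rate, set a threshold some percentage above it, flag windows that exceed it) can be shown end to end in a few lines. The following is an added example, not code from the thread, from RealSecure or from any other product. The per-packet log format (`<epoch_second> <src> <dst> <flags>`), the addresses and the traffic counts are constructed for the example; the window boundaries and the 100% margin are arbitrary choices a practitioner would replace with values measured on their own host.

```python
"""Baseline-and-threshold SYN-rate detector (added example, constructed data).

Steps, as suggested in the thread:
  1. measure SYN/s over a window known to be normal (the baseline),
  2. set the threshold at baseline plus a chosen margin (20%, 50%, 200% ...),
  3. flag any later second whose SYN count is over that threshold.
"""
from collections import Counter
from statistics import mean


def build_sample_log():
    """Constructed one-line-per-packet log: '<epoch_second> <src> <dst> <flags>'.

    Seconds 1000-1009 are quiet (4-6 SYNs each), 1010-1011 are quiet, second
    1012 carries a burst of 40 SYNs from many sources, 1013-1014 are quiet again.
    The 'A' and 'SA' lines are non-SYN packets the detector must ignore.
    """
    per_second = {1000 + i: n for i, n in enumerate([5, 4, 6, 5, 4, 5, 6, 5, 4, 6])}
    per_second.update({1010: 5, 1011: 5, 1012: 40, 1013: 5, 1014: 5})
    lines = []
    for sec, n in sorted(per_second.items()):
        for i in range(n):
            lines.append(f"{sec} 192.0.2.{i + 1} 198.51.100.7 S")
        lines.append(f"{sec} 192.0.2.1 198.51.100.7 A")
        lines.append(f"{sec} 198.51.100.7 192.0.2.1 SA")
    return lines


def syn_counts_per_second(lines):
    """Count packets whose TCP flags are exactly SYN (no ACK), keyed by second."""
    counts = Counter()
    for line in lines:
        sec, _src, _dst, flags = line.split()
        if flags == "S":
            counts[int(sec)] += 1
    return counts


def baseline_syn_rate(counts, start, end):
    """Mean SYN/s over a window known to be normal (the 'profile the system' step).

    Seconds with no SYNs count as zero, so a near-idle host gets a low baseline."""
    return mean(counts.get(sec, 0) for sec in range(start, end + 1))


def threshold_from_baseline(baseline, percent_over, floor=1.0):
    """Threshold = baseline plus the chosen margin.

    `floor` keeps an idle host (baseline 0) from ending up with a zero threshold
    that would flag the very first connection attempt."""
    return max(baseline * (1 + percent_over / 100.0), floor)


def detect_syn_floods(counts, threshold, start, end):
    """Return [(second, syn_count)] for every second in the window above threshold."""
    return [(sec, counts.get(sec, 0)) for sec in range(start, end + 1)
            if counts.get(sec, 0) > threshold]


def run_example(percent_over=100):
    """Calibrate on seconds 1000-1009, then check seconds 1010-1014."""
    counts = syn_counts_per_second(build_sample_log())
    base = baseline_syn_rate(counts, 1000, 1009)        # 5.0 SYN/s on this data
    thr = threshold_from_baseline(base, percent_over)   # 10.0 SYN/s at 100% over
    return base, thr, detect_syn_floods(counts, thr, 1010, 1014)


if __name__ == "__main__":
    base, thr, hits = run_example(percent_over=100)
    print(f"baseline {base:.1f} SYN/s, threshold {thr:.1f} SYN/s, flagged: {hits}")
    # The same 40 SYN/s second would be invisible on a host whose measured
    # baseline is 300 SYN/s, which is why the margin is calibrated per host.
    print(f"threshold for a 300 SYN/s host at 50% over: {threshold_from_baseline(300.0, 50):.1f}")
```

Run with `percent_over=100` the burst second is flagged; raise the margin to `percent_over=1000` and nothing is, which is the trade-off blue0ne describes: the number only means something relative to what the particular host normally sees.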
Current thread:
- SYN flood panji (Aug 16)
- Re: SYN flood Jackie Chan (Aug 16)
- <Possible follow-ups>
- RE: SYN flood panji (Aug 16)
- Re: SYN flood Nathan Carey (Aug 20)
