Intrusion Detection Systems mailing list archives

Re: RE: NFR DDOS problems


From: Jeff Nathan <jeff () wwti com>
Date: Thu, 10 May 2001 16:11:28 -0700

Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Hi Justin,

I'm familiar with how it's designed to work with regards to parsing a
snort ruleset and creating packets which will cause snort to alert.
However, the point which I was making was that it appears that stick
will literally create packets such as a TCP packet with the ACK and PSH
flags set with an arbitrary payload that matches a snort signature.  An
IDS that is stateful may or may not be susceptible to stick based upon
its detection engine's mechanism of dealing with packets that aren't
part of any established TCP stream.

-Jeff

Justin.Linton () guardent com wrote:

Hello:

   Stick uses a snort rule base to create the attack but you could customize
the rule base so that it is common to IDS filters across different vendors
ie. the back orifice filter and other filters that almost all IDS have.

Take a look at this url.

http://www.eurocompton.net/stick/

Justin

-----Original Message-----
From: Jeff Nathan [mailto:jeff () wwti com]
Sent: May 10, 2001 3:51 PM
To: Justin.Linton () guardent com
Cc: JStClair () vredenburg com; ids () uow edu au
Subject: Re: IDS: RE: NFR DDOS problems


I'm a bit curious if this will even work against NFR as the initial
implementation was simply designed to attack snort's alerting mechanism
and non-statefulness.

Have you tested NFR with stick?


Justin.Linton () guardent com wrote:

Hello James:

     Do you mean will it start dropping packets if it is DDOSed?

     If you want to stress test NFR try Stick against it.

     You can get it at securityfocus.com in their tools section.

"Stick uses the Snort rule set and produces a C program via lex that when
compiled will produce an IP packet capable of triggering that rule from a
spoofed IP range (or all possible IP addresses) into a target IP range. A
function is produced for each rule and a loop then executes these rules in a
random order. The tool currently produces these at about 250 alarms per
second." Security Focus Web site.

    Of course this would depend on the n-code you have enabled and how you
have it set to alert.

Best Regards,
Justin Linton
Security Consultant
____________________________________________
G U A R D E N T  C A N A D A
  Security | Privacy | Data Protection

-----Original Message-----
From: St. Clair, James [mailto:JStClair () vredenburg com]
Sent: May 8, 2001 2:11 PM
To: 'ids () uow edu au'
Subject: IDS: NFR DDOS problems

Anyone hear of potential DDOS problems with NFR, in particular
stacheldracht? Appreciate any feedback.

Jim



-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein

