Project

General

Profile

Actions

Bug #2013

open

failure of TCP after DOS attack

Added by Rahul Surya almost 6 years ago. Updated over 3 years ago.

Status:
New
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
I am using suricata-3.1.2 as DUT and we are using 3 machine setup server(connecting to WAN)<--->DUT<--->client and in rules i added dos attack rule

"drop tcp any any -> any any (flags: S; msg:"Possible TCP DoS"; flow: stateless; detection_filter:track by_dst, count 100, seconds 5; sid:10001;rev:1)"

and making hping from client "hping3 -S -p 80 --flood --rand-source <server ip>" so it will take care of sending different source ips to destination ip.

So DUT is able to stop this DOS attack after allowing 100 count of source ips,and after that i am stopping this hping traffic and accessing the server through ftp or accessing any website facebook or any other ,so that DUT is not allowing any traffic of TCP after DOS attack.(these file access and website access doesnt send 100 packets in 5 seconds). and logging of rule is getting happened.

Actions #1

Updated by Rahul Surya almost 6 years ago

This BUG ID registered in 1992 is similar type ,but i am not restarting our DUT.

Actions #2

Updated by Andreas Herz almost 6 years ago

  • Assignee set to Anonymous
  • Target version set to TBD

For #1992 I asked for more details and that applies here as well. So could you be more verbose about how you run suricata, how you did configure the IPS mode etc.?

And what would you expect after the hping drops? That ftp/http is working after some time?

Actions #3

Updated by Rahul Surya almost 6 years ago

I am running suricata on single queue with this command "sudo suricata -c /etc/suricata/suricata.yaml -q 0" by loading my own rule file consisting a blocking rule for dos

"drop tcp any any -> any any (flags: S; msg:"Possible TCP DoS"; flow: stateless; detection_filter:track by_dst, count 100, seconds 5; sid:10001;rev:1)"
So this rule will block only all tcp traffic (dos attack) if countflow of 100 increases after 5 seconds.And the rule is getting logged and i am sending traffic through "hping3 -S -p 80 --flood --rand-source <server ip>" and now i stopped hping (dos attack).

Now whatever tcp traffic flowing through the DUT after sending DOS traffic is also getting hit by the dos rule even i am sending the taffic of less flow <100 what i mentioned in rule.

so i am unable to rprocess any kind of tcp taffic after pumping DOS attack.

Actions #4

Updated by Rahul Surya almost 6 years ago

I mentioned my procedure of testing above
otherwise can you mention how you are testing DOS attack,and rule you are configuring and are there are any changes to be made in suricat.yaml to test DOS attack ?

Actions #5

Updated by Rahul Surya almost 6 years ago

Rahul Surya wrote:

I mentioned my procedure of testing above
otherwise can you mention how you are testing DOS attack,and rule you are configuring and are there are any changes to be made in suricat.yaml to test DOS attack ?

i didnt change any suricat.yaml file whatever default yaml i am using that one..and using suricat-3.1.2

Actions #6

Updated by Andreas Herz almost 4 years ago

  • Assignee set to Community Ticket
Actions #7

Updated by Andreas Herz over 3 years ago

Can you still reproduce that with a current version?

Actions

Also available in: Atom PDF