Bug #2013

open

failure of TCP after DOS attack

Added by Rahul Surya almost 6 years ago. Updated over 3 years ago.

Status:
New
Priority:
Normal

Description

Hi,
I am using suricata-3.1.2 as DUT and we are using a 3-machine setup: server (connecting to WAN) <---> DUT <---> client, and in the rules I added a DoS attack rule:

"drop tcp any any -> any any (flags: S; msg:"Possible TCP DoS"; flow: stateless; detection_filter:track by_dst, count 100, seconds 5; sid:10001;rev:1)"

and running hping from the client: "hping3 -S -p 80 --flood --rand-source <server ip>", so it will take care of sending different source IPs to the destination IP.

So the DUT is able to stop this DoS attack after allowing a count of 100 source IPs, and after that I stop this hping traffic and access the server through FTP or access any website (facebook or any other), but the DUT is not allowing any TCP traffic after the DoS attack (these file accesses and website accesses don't send 100 packets in 5 seconds), and logging of the rule is happening.
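Added note, not part of the report or of Suricata's own code: a small model of how the detection_filter in the rule above (track by_dst, count 100, seconds 5) counts matches, useful for checking what the DUT is expected to do once the flood stops. It assumes the window starts at the first match for the tracked destination and is reset once the window has expired; the IPs and timings are constructed.

```python
from dataclasses import dataclass, field

# Parameters copied from the rule in the report:
#   detection_filter: track by_dst, count 100, seconds 5
COUNT = 100
SECONDS = 5


@dataclass
class DetectionFilter:
    """Model of detection_filter. Assumption: the window is anchored at the
    first match for a tracked key and reset once it has expired."""
    count: int
    seconds: int
    state: dict = field(default_factory=dict)  # key -> (window_start, matches)

    def match(self, key, ts):
        """Return True when the rule action (drop) should fire for this packet."""
        start, n = self.state.get(key, (None, 0))
        if start is None or ts - start > self.seconds:
            self.state[key] = (ts, 1)          # new or expired window: start over
            return False
        n += 1
        self.state[key] = (start, n)
        return n > self.count                  # only matches beyond count fire


def run(events, count=COUNT, seconds=SECONDS):
    """events: (ts, src_ip, dst_ip) SYN packets. track by_dst keys on dst_ip.
    Returns one 'drop'/'pass' decision per event."""
    df = DetectionFilter(count, seconds)
    return ["drop" if df.match(dst, ts) else "pass" for ts, _src, dst in events]


def scenario(gap_after_flood):
    """Constructed traffic: 150 SYNs from varying sources to the server within
    1 s, then a single SYN from the client gap_after_flood seconds later."""
    server = "203.0.113.10"                    # constructed server address
    flood = [(i / 150.0, f"198.51.100.{i % 254 + 1}", server) for i in range(150)]
    client = [(1.0 + gap_after_flood, "192.0.2.20", server)]
    return flood + client


if __name__ == "__main__":
    # First 100 SYNs pass, the next 50 are dropped; a client SYN sent 10 s
    # after the flood falls outside the window and passes, one sent 2 s
    # after it is still inside the window and is dropped.
    print(run(scenario(10.0))[-1], run(scenario(2.0))[-1])
```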
