Subject: Re: SYNFLOOD
From: kstephe6@csc.com
Date: Fri Jul 07 2000 - 15:41:41 CDT


TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
majordomo@iss.net. Contact issforum-owner@iss.net for help with any problems!
----------------------------------------------------------------------------

Let's try for a little more clarity.

Exactly how do you pick the IP address that is placed in the Event's SPOOFEDSRC
Info Value that appears in the Event Inspector on the Console? If my
PacketsPerEvent is set to 500, which packet do you pull the IP address from? Is
it the IP address in the first of the series of packets that triggers the Event
notification? Is it from the last packet that triggers the Event notification?
Please be specific on where you get the address.
Thanks!

Ken Stephens, CISSP
Sr. Security Manager
Computer Sciences Corporation

Support@iss.net on 07/07/2000 11:28:21 AM

To: issforum@iss.net, jason.axley@attws.com, MTalor00@aol.com,
      earleyr@gordon.army.mil
cc: SDroski@iss.net (bcc: Kenneth Stephens/GIS/CSC)
Subject: Re: SYNFLOOD


***Note- I am not a member of the forum, but I was asked to post this for
clarification.

In a SYNFlood attack, the attacker is likely to be using a tool
capable of spoofing the source address for each SYN packet (since no
connection is required and it is fairly easy to spoof addresses). If the
attacker used an entire Class A as the source and the detector reported
every address to the console, the console would quickly become overwhelmed
and the event buffer would be forced to cycle several times. The reason
that we always report the source as 0.0.0.0 is to protect the console from
being flooded in case of a real attack. The real IP addresses can still be
seen if the event is accessed in one of two ways. First, you can right
click on the event in the Activity Tree and look in the info field.
Secondly, you can see the real addresses if the Db is synced and you open
rsntclientlog.mdb in MSAccess. Under 'forms' you will find the event
inspector. The event inspector will give you a great deal of information on
all RS events. It includes ports, addresses, and MAC addresses. In the
bottom of the event inspector, there is a tag section that will show you the
translated value of decode-specific information. In the case of a SYNFlood,
the tag is SPOOFEDSRC and the value is the actual address.

One other point to note: the thread that was emailed to me stated
that the 0.0.0.0 made it hard to filter SYNFlood. SYNFlood (along with a
few other decodes) is not filterable. The reason for this is simple:
performance. In a real SYNFlood, thousands of packets are going to be
involved. If the engine passed all of these up and evaluated them against
all of the filters, performance on the engine would be affected. If you
have any questions about using the Event Inspector, SYNFlood, or any other
RS questions, feel free to drop us a line. Our support numbers and email
address can be found below. Thanks for using RealSecure.

=================================================================
John Pierce, IDS Team Lead
Internet Security Systems, Inc.
Phone - (678) 443-6400
Tech Support - 1-888-447-4861
Fax - (678) 443-6485
support@iss.net
www.iss.net / ftp.iss.net

Privacy Statement: http://www.iss.net/tech/support.php3
PGP Public Keys:
http://www.iss.net/customer_care/resource_center/sensitive.php
=================================================================
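The aggregation behaviour the support reply describes (one event per PacketsPerEvent SYNs, a console-facing source of 0.0.0.0, the real addresses kept under a SPOOFEDSRC tag) as an added toy example; this is not ISS or RealSecure code. The field names, the cap on retained addresses and the choice to record the first addresses of each batch are assumptions for illustration, not a statement of how RealSecure chooses them.

```python
# Added example (not RealSecure/ISS code): a toy SYN-flood event aggregator.
# The console-facing source is 0.0.0.0 so a flood of spoofed sources cannot
# swamp the console, while the real addresses are kept in a SPOOFEDSRC tag.
# Field names, the sample cap and "first addresses of the batch" are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Event:
    src: str                                   # what the console shows
    count: int                                 # SYNs folded into this event
    tags: Dict[str, List[str]] = field(default_factory=dict)

class SynFloodAggregator:
    def __init__(self, packets_per_event: int = 500, sample_cap: int = 8):
        self.packets_per_event = packets_per_event
        self.sample_cap = sample_cap           # addresses retained per event
        self._seen = 0
        self._sources: List[str] = []

    def observe(self, src_ip: str, flags: str) -> Optional[Event]:
        """Feed one TCP header; emit an Event once packets_per_event SYNs arrive."""
        if flags != "S":                       # bare SYN only; SYN+ACK etc. ignored
            return None
        self._seen += 1
        if len(self._sources) < self.sample_cap:   # first addresses of the batch
            self._sources.append(src_ip)
        if self._seen < self.packets_per_event:
            return None
        ev = Event(src="0.0.0.0", count=self._seen,
                   tags={"SPOOFEDSRC": self._sources})
        self._seen, self._sources = 0, []      # start the next batch
        return ev

def run_demo(n_packets: int = 1000, packets_per_event: int = 500) -> List[Event]:
    """Constructed flood: n_packets SYNs, each from a different spoofed host."""
    agg = SynFloodAggregator(packets_per_event)
    hosts = ipaddress.ip_network("10.0.0.0/22").hosts()   # 1022 sample sources
    events = []
    for _, host in zip(range(n_packets), hosts):
        ev = agg.observe(str(host), "S")
        if ev:
            events.append(ev)
    return events                              # 1000 SYNs -> 2 console events

if __name__ == "__main__":
    for ev in run_demo():
        print(ev.src, ev.count, ev.tags["SPOOFEDSRC"][:3])
```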