List: security-onion
Subject: Re: [security-onion] SnortSam and Security Onion
From: jswan <sanjuanswan () gmail ! com>
Date: 2015-05-28 15:42:47
Message-ID: 547c561b-b585-44ac-9a29-902460fa9256 () googlegroups ! com
On Thursday, May 28, 2015 at 5:25:00 AM UTC-6, Peter Griggs wrote:
> Hello,
>
> Yep, I have taken a look at those links and understand the risks, this is merely for DDoS mitigation.
I realize that you're asking specifically about Snortsam, but for DDoS mitigation I'd recommend taking a look at Justin Azoff's BHR (Black Hole Router) project:
https://github.com/JustinAzoff
The problem with DDoS mitigation using ACLs is that modifying ACLs is usually slow, vulnerable to order-of-operation mistakes, and vulnerable to accidentally running out of TCAM space on some switch platforms if your ACLs get too big (which is possible if you're building them programmatically).
BGP black holes are much more scalable (because they can be distributed dynamically across many BGP routers), and very fast.
In either solution, you need to whitelist a lot of stuff so you don't accidentally block, say, 8.8.8.8 when somebody spoofs it in a UDP flood.
Finally, one other thing to consider is using Bro to trigger your blocks. It's built into Security Onion, and it's fast and flexible for just this sort of thing.
Jay
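As an added example (not part of this thread, of BHR, or of Security Onion), a Python sketch of the safeguard Jay describes: flood sources reported by a sensor are checked against a never-block list before any host route is handed to the blackholing step, and a cap stands in for the ACL/TCAM budget of the enforcing device. The whitelist prefixes, threshold and cap are assumed values, and the sample source addresses are constructed.

```python
import ipaddress
from collections import Counter

# Prefixes that must never be blackholed, whatever the sensor reports: public
# resolvers (8.8.8.8 is the thread's example of a spoofed source) plus, as an
# assumption, the defender's own address space (a documentation prefix here).
NEVER_BLOCK = [ipaddress.ip_network(p) for p in (
    "8.8.8.8/32", "8.8.4.4/32", "203.0.113.0/24")]

# Upper bound on blocks added per run; assumed value standing in for the ACL
# or TCAM budget of the enforcing device that the message warns about.
MAX_BLOCKS = 2


def is_whitelisted(addr: str) -> bool:
    """True if addr falls inside any never-block prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NEVER_BLOCK)


def select_blackholes(sources, threshold, active=frozenset()):
    """Turn observed flood source addresses into host routes to blackhole.

    sources:   iterable of source IPs, one per packet seen by the sensor
    threshold: packets from one source before it becomes a block candidate
    active:    host routes (a.b.c.d/32) already announced, to avoid churn
    Returns (routes_to_add, skipped) where skipped maps an IP to a reason.
    """
    counts = Counter(sources)
    candidates = sorted(((n, ip) for ip, n in counts.items() if n >= threshold),
                        reverse=True)  # loudest sources first
    routes, skipped = [], {}
    for n, ip in candidates:
        route = f"{ip}/32"
        if is_whitelisted(ip):
            skipped[ip] = "whitelisted"  # probably spoofed; blocking would hurt us
        elif route in active:
            skipped[ip] = "already blocked"
        elif len(routes) >= MAX_BLOCKS:
            skipped[ip] = "block budget exhausted"
        else:
            routes.append(route)
    return routes, skipped


# Constructed sample: per-packet source addresses from a UDP flood, with
# 8.8.8.8 and one of our own addresses appearing as spoofed sources.
SAMPLE = (["8.8.8.8"] * 6 + ["198.51.100.7"] * 5 + ["203.0.113.5"] * 5
          + ["192.0.2.9"] * 4 + ["198.51.100.9"] * 3 + ["192.0.2.10"] * 3
          + ["198.51.100.8"])

if __name__ == "__main__":
    print(select_blackholes(SAMPLE, threshold=3, active={"192.0.2.9/32"}))
```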