
List:       security-onion
Subject:    Re: [security-onion] SnortSam and Security Onion
From:       jswan <sanjuanswan () gmail ! com>
Date:       2015-05-28 15:42:47
Message-ID: 547c561b-b585-44ac-9a29-902460fa9256 () googlegroups ! com


On Thursday, May 28, 2015 at 5:25:00 AM UTC-6, Peter Griggs wrote:
> Hello,
> 
> Yep, I have taken a look at those links and understand the risks, this is merely for DDoS mitigation.

I realize that you're asking specifically about Snortsam, but for DDoS mitigation I'd recommend taking a look at Justin Azoff's BHR (Black Hole Router) project:

https://github.com/JustinAzoff

The problem with DDoS mitigation using ACLs is that modifying ACLs is usually slow, vulnerable to order-of-operation mistakes, and vulnerable to accidentally running out of TCAM space on some switch platforms if your ACLs get too big (which is possible if you're building them programmatically).

BGP black holes are much more scalable (because they can be distributed dynamically across many BGP routers), and very fast.

In either solution, you need to whitelist a lot of stuff so you don't accidentally block, say, 8.8.8.8 when somebody spoofs it in a UDP flood.

Finally, one other thing to consider is using Bro to trigger your blocks. It's built into Security Onion, and it's fast and flexible for just this sort of thing.

Jay

-- 
You received this message because you are subscribed to the Google Groups "security-onion" group. To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com. To post to this group, send email to security-onion@googlegroups.com. Visit this group at http://groups.google.com/group/security-onion. For more options, visit https://groups.google.com/d/optout.
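The post above makes two points that belong together in any automated black-holing pipeline: a detector (Bro in the post) nominates flood sources, and a whitelist must stand between that detector and the router so that a spoofed source such as 8.8.8.8 is never blocked. The following is an added example, written for this page and not code from the thread, from BHR, or from Security Onion. It is a stand-alone Python gate: the flow records, the allowlist prefixes, the threshold and the table-size cap are all constructed placeholders (192.0.2.0/24 stands in for "our own prefixes"; 51.51.51.51 is an arbitrary flood source), and the class and function names are this example's own.

```python
import ipaddress
from collections import Counter
from typing import Iterable, List, Set, Tuple

# Constructed allowlist: the "whitelist a lot of stuff" the post calls for.
# Own prefixes, upstream resolvers, anything that must never be black-holed.
# 192.0.2.0/24 is a documentation range used here as a placeholder for a
# real operator prefix.
ALLOWLIST = [
    ipaddress.ip_network(n)
    for n in (
        "192.0.2.0/24",              # placeholder for our own address space
        "8.8.8.8/32",                # resolver named in the post
        "8.8.4.4/32",
        "2001:4860:4860::8888/128",
    )
]


class BlackholeGate:
    """Decides whether a nominated source may be black-holed.

    Check order matters: the operator allowlist is consulted first so a
    listed prefix is always refused for that reason, then anything that is
    not globally routable is refused (a spoofed UDP flood can carry any
    source), then a size cap models the ACL/TCAM limits the post warns about.
    """

    def __init__(self, allowlist, max_entries: int = 1000):
        self.allowlist = list(allowlist)
        self.max_entries = max_entries
        self.active: Set[object] = set()

    def evaluate(self, candidate: str) -> Tuple[bool, str]:
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            return False, "unparseable address"
        for net in self.allowlist:
            if addr.version == net.version and addr in net:
                return False, f"allowlisted by {net}"
        if not addr.is_global:
            return False, "not globally routable"
        if addr in self.active:
            return False, "already blocked"
        if len(self.active) >= self.max_entries:
            return False, "block table full"
        return True, "ok"

    def request_block(self, candidate: str) -> Tuple[bool, str]:
        ok, reason = self.evaluate(candidate)
        if ok:
            self.active.add(ipaddress.ip_address(candidate))
        return ok, reason


def flood_sources(conn_records: Iterable[Tuple[str, str, str]], threshold: int) -> List[str]:
    """Stand-in for the detector: sources with >= threshold UDP flows to one
    destination. Records are (src, dst, proto) tuples."""
    counts = Counter((src, dst) for src, dst, proto in conn_records if proto == "udp")
    return sorted({src for (src, _dst), n in counts.items() if n >= threshold})


def plan_blocks(conn_records, threshold: int, gate: BlackholeGate):
    """Run every nominated source through the gate; return what would be
    pushed to the router and what was refused, with the reason."""
    accepted: List[str] = []
    refused: List[Tuple[str, str]] = []
    for src in flood_sources(conn_records, threshold):
        ok, reason = gate.request_block(src)
        if ok:
            accepted.append(src)
        else:
            refused.append((src, reason))
    return accepted, refused


# Constructed flow records: one real flood source, one spoofed resolver,
# one RFC 1918 source, one of "our own" hosts, plus noise below threshold.
SAMPLE_RECORDS = (
    [("51.51.51.51", "192.0.2.10", "udp")] * 3
    + [("8.8.8.8", "192.0.2.10", "udp")] * 3
    + [("10.0.0.5", "192.0.2.10", "udp")] * 3
    + [("192.0.2.7", "192.0.2.10", "udp")] * 3
    + [("77.77.77.77", "192.0.2.10", "udp")]
    + [("66.66.66.66", "192.0.2.10", "tcp")] * 3
)

if __name__ == "__main__":
    ok, bad = plan_blocks(SAMPLE_RECORDS, 3, BlackholeGate(ALLOWLIST))
    print("would black-hole:", ok)
    for src, why in bad:
        print("refused", src, "->", why)
```

The gate is deliberately independent of how the block is delivered: the accepted list is what a BGP black-hole injector or an ACL pusher would consume, and the refused list is what you want logged so a spoofed resolver showing up in the detector's output is visible rather than silently dropped.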



