How effective would it be to put a snort appliance in front of a web server and have it rate limit and drop attack packets? The reason I'm asking this is because I only see people using it for alert purposes, even during ddos attacks. I'm aware it will be useless in terms of mitigating bandwidth intensive floods.

https://linustechtips.com/topic/956003-snort-http-flood/

1 hour ago, beersykins said:

Probably a higher chance of false positives and impacting non malicious traffic.

Wouldn't the reverse proxy designed to do this do the same though? Essentially you're just rate limiting the packets, but Snort seems to outperform the nginx reverse proxy in terms of packets per second.


I'm unsure of the extent of what you're referring to with Snort appliance, but a fair number of IPS/IDS manufacturers allow for the usage of snort rules, or the conversion of snort rules to their filter/signature formats, which are then connected to whatever capabilities are contained in the appliances/applications the user applies those rules to.  False positives will entirely depend on the network environment and how specific and correct the snort rule is.


Wouldn't running something like fail2ban on the server achieve the same thing?  If it detects more packets than you would get for normal usage it blocks that IP temporarily.

 

Also adding some system that uses known IP attacker lists and blocks them would be useful. I do this on my pfSense router, including region blocklists, so that only regions I actually want get into the network at all.

 

Or you can feed your DNS through Cloudflare and let them proxy the connections.


8 hours ago, Alex Atkin UK said:

Wouldn't running something like fail2ban on the server achieve the same thing?  If it detects more packets than you would get for normal usage it blocks that IP temporarily.

 

Also adding some system that uses known IP attacker lists and blocks them would be useful. I do this on my pfSense router, including region blocklists, so that only regions I actually want get into the network at all.

 

Or you can feed your DNS through Cloudflare and let them proxy the connections.

I would expect something like Snort or Suricata to have a higher throughput than something like fail2ban.


15 hours ago, PineyCreek said:

I'm unsure of the extent of what you're referring to with Snort appliance, but a fair number of IPS/IDS manufacturers allow for the usage of snort rules, or the conversion of snort rules to their filter/signature formats, which are then connected to whatever capabilities are contained in the appliances/applications the user applies those rules to.  False positives will entirely depend on the network environment and how specific and correct the snort rule is.

# A rule without a sid is rejected by Snort at load time (sids from 1000000 up are reserved
# for local rules); "drop" only takes effect when Snort runs inline, not as a passive IDS.
drop tcp any any -> 192.168.1.5 80 (msg:"GET Request flood attempt"; \
flow:to_server,established; content:"GET"; nocase; http_method; \
detection_filter:track by_src, count 30, seconds 30; metadata: service http; \
sid:1000001; rev:1;)

 

I would like to use something like this above ^. If a single host sends more than 30 packets in 30 seconds, all excess packets will be dropped until the 30 seconds are over, etc. All I'm wondering is if it would provide more throughput than something like fail2ban would, or nginx's application rate limiter.

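As an added illustration (not code from the thread or from Snort), a small Python model of what the rule's `detection_filter: track by_src, count 30, seconds 30` does, run over constructed traffic to show the false-positive concern raised above: one flooding host is cut off after its 30th packet, but 40 office users sharing a single NAT address also lose 10 requests between them. The window logic (first event from a source opens a 30 s window, events beyond the count inside it match, the window reopens once it has expired) is an approximation of Snort's; the addresses and timings are made up.

```python
"""Model of a Snort-style per-source detection_filter applied to constructed traffic."""
from collections import namedtuple

# t is seconds since start; user is a label used only to attribute drops.
Packet = namedtuple("Packet", "t src user")


class DetectionFilter:
    """Per-source event counter with the same parameters as the Snort rule option.

    Approximation (assumption, not Snort's code): the first event from a source
    opens a window of `seconds`; an event arriving after the window has expired
    opens a new one; events beyond `count` inside a window are reported.
    """

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self._state = {}  # src -> (window_start, events_seen)

    def exceeded(self, src, now):
        """Return True if this event is past the threshold for `src`."""
        start, seen = self._state.get(src, (now, 0))
        if now - start >= self.seconds:  # window expired: start a fresh one
            start, seen = now, 0
        seen += 1
        self._state[src] = (start, seen)
        return seen > self.count


def run_filter(packets, count=30, seconds=30):
    """Apply the filter in time order; return how many packets each user lost."""
    flt = DetectionFilter(count, seconds)
    dropped = {}
    for p in sorted(packets, key=lambda p: p.t):
        if flt.exceeded(p.src, p.t):
            dropped[p.user] = dropped.get(p.user, 0) + 1
    return dropped


def constructed_traffic():
    """Constructed sample: 60 GETs in 10 s from one host, plus 40 office users
    behind one NAT address (203.0.113.1) each sending a single GET within 30 s."""
    flood = [Packet(t=i * 10 / 60, src="198.51.100.7", user="flooder") for i in range(60)]
    office = [Packet(t=i * 0.7, src="203.0.113.1", user=f"office-user-{i}") for i in range(40)]
    return flood + office


if __name__ == "__main__":
    for user, n in sorted(run_filter(constructed_traffic()).items()):
        print(f"{user}: {n} packet(s) dropped")
```

Raising `count` or shortening `seconds` trades the NAT false positives against how much of a slow flood gets through, which is the tuning decision the thread is circling around.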
