Hi everyone.
I need to know what kind of setting do I have to configure on suricata.yaml or the rules to prevent my host from SYN Flood.
I’ve been configure it to drop it using these following rule:
drop http any any → $HOME_NET 80 (msg:“HPING3”; ttl:64; flags:S; threshold:type threshold; track by_dst, count 100, seconds 5; classtype:attempted-dos; sid:1; rev:1; metadata:created_at 2020_06_11, updated_at 2020_06_11;)
but the problem then is that every http request from the client cannot be processed because iptables is blocking port 80.
Is there any reference for this thing? I’ve been looking for it, but the topic on suricata is too broad, whereas I have little time to finish this.
hope anyone can help me solve this problem
Is the existing rule activated or replaced by a new rule?
what else do I need to change? maybe in suricata.yaml, or additional rules? I tried the rate_filter that you said, but on fast.log doesn’t detect or detect anything. Anyway I used hping3 (SYN flag) to do the attack.
I already changed http to tcp, so the rule is:
drop tcp any any → $HOME_NET 80 (msg:“HPING3”; ttl:64; flags:S; threshold:type threshold; track by_dst, count 100, seconds 5; classtype:attempted-dos; sid:1; rev:1; metadata:created_at 2020_06_11, updated_at 2020_06_11;)
This rule would drop all SYN packets being sent to the server on port 80. Would it be better to do track by_src so you oinly drop packets from the supposed SYN packet spammer?
A rule like this
alert tcp any any -> $HOME_NET any (msg:"HPING3"; ttl:64; flags:S; sid:1; rev:1;)
would drop all packets from any ip sending more than 100 syn packets in less than 5 seconds to any HOME_NET IP. The spamming IP would be unblocked after 30 seconds.
The downside to this approach is that the rule will flood your alert logs due to triggering on all SYN packets when not dropping.
I have not actually tested this and might have misunderstood Victor.
I believe there is another Suricata running. The eve.jsonalert record has a in_iface field, which has a value of vboxnet0. The NFQUEUE mode doesn’t set this. It also still shows 0 packets in the screenshot.
No, its either one or the other. You can of course run multiple instances of Suricata, but you’ll have to make sure they don’t get in each others way by specifying unique paths.
It is probably easiest if you only use the NFQUEUE-suricata while testing. So start that & make sure no other Suricata is running. Then run your hping test, and check:
iptables -v -L to see if the packet counters for the NFQUEUE rules are increasing as you expect