Snort Rate Limiting

Posted on 2011-05-12
Last Modified: 2013-11-29
Good Afternoon,

I have a Windows 2008 dedicated server which runs a server daemon for the video game "Renegade".  This daemon has a serious flaw: any large quantity of UDP packets of any size will cause it to crash.  Lately I have been experiencing serious problems with this, as one small computer can use a simple Perl script to send several small (2-byte) packets to the server on port 5000 and crash it, in spite of the actual dedicated box being unaffected.

I have searched for the best solution for this, and the only thing I can come up with is to create a Snort rule using rate limiting to drop packets from an IP that has been sending a large number of them in a short time; however, Snort is a bit difficult to learn.

I was hoping someone here might be able to provide me with a Snort rule to accomplish this, or perhaps another alternative to keep the server from crashing under this load.  It must be run on Windows and cannot be moved to Linux, where iptables would offer a simple solution.
Question by: PrivateKey
    LVL 9

    Accepted Solution

    The following Snort rule will drop UDP packets to your W2K8 server with a payload size of more than 2 bytes.

    drop udp any any -> W2k8-IP/24 5000 (dsize:>2; msg:"UDP Packet attack"; sid:1000001; rev:1;)

    LVL 9

    Expert Comment

    I think my answer is correct using Snort. The other way around is to switch on Windows Firewall, which comes by default on W2K8.

    LVL 38

    Expert Comment

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
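
The rule in the accepted solution matches on payload size; the per-source rate limiting the question asks for can be written in Snort 2.9 with `detection_filter`, or with a `rate_filter` line in snort.conf. The following is an added example, not part of the original thread: the address 192.0.2.10, the SIDs and the thresholds (50 packets per second, 60-second timeout) are assumed placeholder values, and `drop` only takes effect when Snort runs inline.

```snort
# Added example. 192.0.2.10 stands in for the game server's address
# (placeholder). SIDs and thresholds are assumptions: set count/seconds
# above the packet rate of a legitimate player before enabling drop.

# Option A: a single rule.
# detection_filter keeps the rule from firing until one source address has
# matched more than 50 times within 1 second; further matching packets
# from that source inside the window then hit the drop action.
drop udp any any -> 192.0.2.10 5000 (msg:"UDP flood to game port, per-source rate exceeded"; detection_filter:track by_src, count 50, seconds 1; sid:1000010; rev:1;)

# Option B: a plain alert rule plus a rate_filter in snort.conf.
# Once a source exceeds 50 matches per second, the rule's action is
# switched to drop for that source and stays switched for 60 seconds.
alert udp any any -> 192.0.2.10 5000 (msg:"UDP packet to game port"; sid:1000011; rev:1;)
rate_filter gen_id 1, sig_id 1000011, track by_src, count 50, seconds 1, new_action drop, timeout 60

# Keep Option B's log volume down: record at most one event per source
# per minute for the alert rule above.
event_filter gen_id 1, sig_id 1000011, type limit, track by_src, count 1, seconds 60
```

Use one option, not both; running either rule with `alert` as the action first shows which sources would have been dropped at the chosen threshold.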
