bg_image
header

Intrusion Detection Systems - IDS

Intrusion Detection Systems (IDS) are security solutions designed to continuously monitor networks or computer systems and look for potential security breaches or attacks. The purpose of an Intrusion Detection System is to detect suspicious activities that may indicate an intrusion into a network or system, and subsequently trigger alerts or take actions to ensure security.

There are two main types of Intrusion Detection Systems:

  1. Network-based Intrusion Detection Systems (NIDS): These systems monitor the traffic within a network and look for anomalies or known attack patterns. They analyze packets being transmitted across the network to detect suspicious activities that may indicate an attack or security breach.

  2. Host-based Intrusion Detection Systems (HIDS): In contrast to NIDS, HIDS monitor activities on individual hosts or computers. They monitor system logs, file systems, and other system resources for signs of attacks or unusual behavior that may indicate a security breach.

An Intrusion Detection System can be either signature-based or behavior-based:

  • Signature-based IDS: These detect attacks based on pre-defined patterns or signatures of known attacks. They compare network traffic or system behavior to a database of known attack signatures and trigger an alert when matches are found.

  • Behavior-based IDS: These analyze the normal behavior of the network or system and look for deviations or anomalies that may indicate potential attacks. They operate on the principle that attacks often cause unusual activities that deviate from normal operational behavior.

Intrusion Detection Systems play a crucial role in monitoring and securing networks and computer systems by responding early to potential threats and detecting security breaches to take appropriate countermeasures.

 


SYN Flood attack

A SYN Flood attack is a specific type of DDoS (Distributed Denial of Service) attack aimed at overwhelming the resources of a target computer, service, or network. The term "SYN" refers to the SYNchronization bit in TCP/IP communication, used for establishing a connection between a client and a server.

In a SYN Flood attack, the attacker sends a large number of SYN requests (Synchronization requests) to the target system but never completes the connection by sending the corresponding ACK responses (Acknowledgement) to the SYN-ACK packets (Synchronization-Acknowledgement) from the target system. The target system then waits for the final acknowledgment and reserves resources for these open connections. However, since the attacker doesn't send final acknowledgments, these connections remain open and consume resources on the target system. When enough open connections are generated, the resources of the target system are depleted, leading to a denial of service and making it inaccessible to legitimate users.

A SYN Flood attack exploits the way the TCP/IP protocol operates and is one of the most common techniques used in DDoS attacks. Countermeasures such as SYN cookies and SYN proxying can help mitigate the effects of SYN Flood attacks.