1 Reply Latest reply on Oct 6, 2017 7:42 AM by mesverrum

    Flood traffic

    kdevmu

      My question is in reference to the Denial of service attack. If there is a Denial of service attack on the monitored device than how LEM will react to that traffic? Will it log all the events of DOS attack or specific? Any filtering done at agent level in forwarding filtered DOS attack events?

       

      Asking this as I think if there is a DOS attack on monitored device and if all events are stored on SIEM then SIEM storage space will run out quickly.

        • Re: Flood traffic
          mesverrum

          The SIEM does not do any filtering as it would undermine it as being the one source of truth and all that, it just tries to keep up as best it can.  It is possible that the appliance might be overwhelmed by an unusually high volume of incoming messages coming from a lot of devices and the devices sending the messages could end using all their CPU just trying to address the messages (I've seen that happen while testing poorly configured File Integrity Monitors) but that is basically just what you expect from a DOS, keep spamming a target until it can't handle the load. If LEM tries to do some trick to drop messages during a spike then the attacker just needs to ramp up the message rate because sooner or later there will always be a limit. As far as disk space goes LEM and the agents compress the messages to a pretty fantastic degree so I would really expect that to be the least likely bottleneck in the process, and you can expand the disks to 2 TB, it holds a ridiculous amount of messages.  All you can really do to mitigate DOS as far as LEM goes would be to overspec your hardware.

          1 of 1 people found this helpful