Guy T Almes <almes@advanced.org> wrote:
> - source address filtering and
> - syn/synack/ack ratio detection
> are *complementary* approaches, both of which have promise.

Absolutely.

> Due to asymmetric routes and other reasons, neither seems very promising within core routers.

There's also an issue of performance -- you don't want to burden core routers with filtering. However, on customer access circuits it is quite feasible.

> Syn/synack/ack ratio detection is complementary, since it could help detect an attack near the destination host.

I actually thought about using it on incoming traffic, i.e. not to allow garbage into the backbone in the first place. On incoming traffic the imbalance may simply trigger an alarm.

> I am also a bit skeptical about the idea of automatically shutting down an interface upon noticing anomalies in the ratios, but that does not detract from the value of ratio anomaly detection as a valuable network management technique.

I think there's no problem with automatic cut-offs in case of obviously invalid traffic patterns. Practically all traffic on customer access circuits is symmetrical. The automatic shut-off has the advantage of isolating the problem (be it an attacker or a workstation going berserk) immediately, where doing it manually after alarms were tripped may take several hours, which is clearly unacceptable for most people who use the Internet to do business. Performing statistical monitoring of input traffic by multihomed customers may be a matter of service contract -- in the same place as requirements to ensure sanity of routing information originated by the same customer.

--vadim
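The syn/synack/ack ratio check discussed in this thread, as an added illustration (not code from either poster): per customer access circuit it counts SYNs leaving the customer against SYN-ACKs coming back, and raises an alarm only once enough SYNs have been seen for the ratio to mean anything. Interface names, thresholds and the packet records are constructed for the example.

```python
from collections import Counter

# Constructed sample (not from the thread): one tuple per TCP segment seen on a
# customer access circuit: (interface, direction as seen by the provider, flags).
SAMPLE = (
    # "cust-a": healthy handshakes -- a SYN-ACK returns for nearly every SYN
    [("cust-a", "from_customer", "S")] * 30
    + [("cust-a", "to_customer", "SA")] * 29
    + [("cust-a", "from_customer", "A")] * 200
    # "cust-b": SYNs pour out but almost no SYN-ACKs come back, the classic
    # signature of spoofed-source SYNs or a host gone berserk
    + [("cust-b", "from_customer", "S")] * 500
    + [("cust-b", "to_customer", "SA")] * 3
    + [("cust-b", "from_customer", "A")] * 5
)


def handshake_counts(records):
    """Per interface: SYNs customer->net, SYN-ACKs net->customer, ACKs customer->net."""
    counts = {}
    for iface, direction, flags in records:
        c = counts.setdefault(iface, Counter())
        if direction == "from_customer" and flags == "S":
            c["syn_out"] += 1
        elif direction == "to_customer" and flags == "SA":
            c["synack_in"] += 1
        elif direction == "from_customer" and flags == "A":
            c["ack_out"] += 1
    return counts


def classify(c, min_syns=20, max_ratio=3.0):
    """'alarm' when outbound SYNs vastly outnumber returning SYN-ACKs.

    min_syns keeps a quiet circuit from tripping on a handful of failed
    connects; max_ratio is the tolerated SYN : SYN-ACK imbalance (assumed).
    """
    if c["syn_out"] < min_syns:
        return "normal"
    ratio = c["syn_out"] / max(c["synack_in"], 1)
    return "alarm" if ratio > max_ratio else "normal"


def evaluate(records, **thresholds):
    """Map each interface in the sample to 'normal' or 'alarm'."""
    return {iface: classify(c, **thresholds)
            for iface, c in handshake_counts(records).items()}
```

Whether an alarm feeds a console or an automatic interface shut-off is the policy choice the thread argues about; the ratio logic is the same either way.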