In message <Pine.LNX.3.91.960917030857.17180B-100000@IMgate.iMach.com>, "Forrest W. Christian" writes:
Maybe I'm missing something here, but wouldn't these Denial of Service attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a given router interface?
If so, then couldn't we just sweet-talk cisco into providing 5 minute counts of syns and syn-acks on an interface? You know something like:
5 minute SYNS: 123423
5 minute SYN-ACKS: 50000
Then, if the ratio got too high, it can start yelping about "Potential SYN D-O-S Attack in progress on Interface Serial 1"
In this manner "good" ISPs wouldn't unknowingly carry these attacks. I envision this being done on the somewhat bigger ISPs where putting inbound filters on their customer interfaces would not be a good idea (Sprint, MCI, Net 99, etc.). If the feature was enabled by default, some smaller ISPs would probably notice it -- if they are watching their cisco logs at all.
Personally, I know that these attacks aren't going to originate at our site, as I have the filters on. However, I am quite concerned about getting hit with one...
-forrestc@imach.com
That's a really good idea. Cutting the sample interval (60 seconds, configurable) and generating an SNMP trap would be a good idea too. You'd also want absolute and percent thresholds on the traps. This shouldn't be tough, except at the very high end: router vendors hate looking inside each packet for anything (especially if they have ASICs helping with some of the forwarding work). Just need the protocol number in the IP field and the TCP SYN and ACK bits and two counters.

Curtis
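The monitor the two messages sketch, written out as an added example (not code from the thread or from any router vendor): per-interval SYN and SYN-ACK counters that look only at the IP protocol number and the TCP SYN/ACK bits, and an alert that fires only when both an absolute SYN count and an unanswered-percentage threshold are exceeded. The packet record, the 60-second interval, and the threshold values (100 SYNs, 50% unanswered) are assumptions chosen for illustration; the traffic is constructed inline.

```python
"""SYN / SYN-ACK ratio monitor for one interface's traffic.

Added example; the Packet shape, interval and threshold values are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

IPPROTO_TCP = 6          # protocol number in the IP header
TCP_SYN = 0x02           # SYN bit in the TCP flags byte
TCP_ACK = 0x10           # ACK bit in the TCP flags byte


@dataclass
class Packet:
    ts: float            # arrival time in seconds
    proto: int           # IP protocol number
    flags: int           # TCP flags byte (ignored unless proto is TCP)


def classify(pkt):
    """Return 'syn', 'synack' or None using only the IP protocol number and
    the SYN/ACK bits, the two fields Curtis says the router would need."""
    if pkt.proto != IPPROTO_TCP:
        return None
    syn = bool(pkt.flags & TCP_SYN)
    ack = bool(pkt.flags & TCP_ACK)
    if syn and not ack:
        return "syn"
    if syn and ack:
        return "synack"
    return None            # data, FIN, RST, plain ACK: not counted


def interval_counts(packets, interval=60.0):
    """Bucket packets into fixed intervals; return [(start, syns, synacks), ...]."""
    buckets = {}
    for p in packets:
        kind = classify(p)
        if kind is None:
            continue
        start = int(p.ts // interval) * interval
        buckets.setdefault(start, Counter())[kind] += 1
    return [(s, c["syn"], c["synack"]) for s, c in sorted(buckets.items())]


def evaluate(syns, synacks, min_syns=100, max_unanswered_pct=50.0):
    """Alert text if both thresholds trip, else None.

    The absolute threshold keeps a quiet interface (a handful of SYNs, none
    answered yet) from alerting; the percent threshold is the ratio test.
    """
    if syns < min_syns:
        return None
    unanswered = max(syns - synacks, 0)
    pct = 100.0 * unanswered / syns
    if pct > max_unanswered_pct:
        return (f"Potential SYN DoS attack in progress: {syns} SYNs, "
                f"{synacks} SYN-ACKs ({pct:.1f}% unanswered)")
    return None


def monitor(packets, interval=60.0, min_syns=100, max_unanswered_pct=50.0):
    """Return [(interval_start, alert_text)] for every interval that trips."""
    alerts = []
    for start, syns, synacks in interval_counts(packets, interval):
        msg = evaluate(syns, synacks, min_syns, max_unanswered_pct)
        if msg:
            alerts.append((start, msg))
    return alerts


def constructed_sample():
    """Constructed traffic: one ordinary minute, then one flood-like minute."""
    pkts = []
    # [0, 60): 120 SYNs, 110 of them answered with a SYN-ACK.
    pkts += [Packet(0.5 * i, IPPROTO_TCP, TCP_SYN) for i in range(120)]
    pkts += [Packet(0.5 * i + 0.1, IPPROTO_TCP, TCP_SYN | TCP_ACK) for i in range(110)]
    # [60, 120): 500 SYNs, only 20 SYN-ACKs coming back.
    pkts += [Packet(60 + 0.1 * i, IPPROTO_TCP, TCP_SYN) for i in range(500)]
    pkts += [Packet(60 + i, IPPROTO_TCP, TCP_SYN | TCP_ACK) for i in range(20)]
    # Noise that must not be counted: a UDP datagram and a TCP pure ACK.
    pkts.append(Packet(61.0, 17, 0))
    pkts.append(Packet(62.0, IPPROTO_TCP, TCP_ACK))
    return pkts


if __name__ == "__main__":
    for start, msg in monitor(constructed_sample()):
        print(f"t={start:.0f}s  {msg}")
```

Only the second interval alerts; the first stays under the 50% line, and the UDP and pure-ACK packets are never counted. Forrest's own figures (123423 SYNs against 50000 SYN-ACKs) also trip the default thresholds at about 59% unanswered. A router or SNMP agent doing this for real would keep the two counters per interface and send the trap when evaluate() returns text.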