Re: router syn/syn-ack/ack alarming...
Michael Dillon <michael@memra.com> wrote:
This ratio detection doesn't need to shutdown anything, just syslog the fact so that admins have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER ATTACK which will make them sit up and take notice.
Ah, you're an optimist. Most sysadmins would simply ignore whatever warnings they get as long as their internal users aren't complaining. And half of them wouldn't know what SYN/ACK ratio is.

--vadim
On Wed, 18 Sep 1996, Vadim Antonov wrote:
This ratio detection doesn't need to shutdown anything, just syslog the fact so that admins have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER ATTACK which will make them sit up and take notice.
Ah, you're an optimist.
*smile*
Most sysadmins would simply ignore whatever warnings they get as long as their internal users aren't complaining.
And half of them wouldn't know what SYN/ACK ratio is.
That's why the word "HACKER" has to be in the message. Over time we can get the word out that if you are having weird problems you should make sure your router is pointed to a syslog host and then try

grep HACKER /var/log/*

Besides, some admins do browse through logs from time to time. I can't count how many times the Linuxisp mailing list has seen the question: "I was looking through my logs and I see these messages about named and recvfrom failed..." This is a rather innocuous problem caused by running an old beta version of BIND and doesn't generally cause any other symptoms. Maybe more people read logs than you think....

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
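The detector the thread is arguing about, as an added worked example (this is not code from the thread or from any router vendor): a sliding-window SYN:ACK ratio counter that emits the syslog-style line Michael proposes, plus the `grep HACKER` step run over a constructed log. The counting rule is an assumption, since the thread never pins it down: a segment with SYN set and ACK clear counts as a connection request, and any segment carrying ACK (SYN-ACK, handshake-completing ACK, data ACK) counts on the ACK side. The window size, alert threshold, minimum sample size and the sample traffic are all constructed here, not values anyone in the thread used.

```python
"""Sliding-window SYN:ACK ratio detector with syslog-style alerting.

Added example; the counting rule, thresholds and traffic below are assumptions.
"""
from collections import deque

# TCP flag bits from the TCP header's flags byte
TCP_SYN = 0x02
TCP_ACK = 0x10


class SynAckRatioDetector:
    """Keep a sliding window of TCP segments and flag a skewed SYN:ACK ratio.

    A spoofed SYN flood produces many connection requests and almost no ACKs,
    because the victim's SYN-ACKs go to addresses that never answer.
    """

    def __init__(self, window_seconds=10.0, threshold=20.0, min_syns=50):
        self.window = window_seconds
        self.threshold = threshold    # ratio at which to alert, e.g. 20:1
        self.min_syns = min_syns      # 2 SYNs and 0 ACKs is not an attack
        self.events = deque()         # (timestamp, is_syn_request)
        self.syns = 0
        self.acks = 0
        self.last_alert = None

    def _expire(self, now):
        """Drop events older than the window and fix up the counters."""
        while self.events and now - self.events[0][0] > self.window:
            _, is_syn = self.events.popleft()
            if is_syn:
                self.syns -= 1
            else:
                self.acks -= 1

    def observe(self, ts, flags):
        """Feed one segment; return a syslog-style alert line or None."""
        if flags & TCP_ACK:
            is_syn = False            # SYN-ACK, bare ACK, data ACK
        elif flags & TCP_SYN:
            is_syn = True             # connection request
        else:
            return None               # RST/FIN-only segments are ignored
        self.events.append((ts, is_syn))
        if is_syn:
            self.syns += 1
        else:
            self.acks += 1
        self._expire(ts)
        ratio = self.syns / max(self.acks, 1)
        if self.syns >= self.min_syns and ratio >= self.threshold:
            # one alert per window, so the flood does not also flood syslog
            if self.last_alert is None or ts - self.last_alert >= self.window:
                self.last_alert = ts
                return "SYN/ACK RATIO %d:1 POSSIBLE HACKER ATTACK (%d SYN, %d ACK in %gs)" % (
                    round(ratio), self.syns, self.acks, self.window)
        return None


def run_trace(trace, **kw):
    """Run a detector over (timestamp, flags) tuples; return the alert lines."""
    det = SynAckRatioDetector(**kw)
    alerts = []
    for ts, flags in trace:
        line = det.observe(ts, flags)
        if line:
            alerts.append(line)
    return alerts


def grep_hacker(log_text):
    """Equivalent of `grep HACKER /var/log/*` over captured syslog text."""
    return [line for line in log_text.splitlines() if "HACKER" in line]


# --- constructed traffic, not captured data --------------------------------
def normal_traffic(n_conns=100, start=0.0):
    """n complete handshakes (SYN, SYN-ACK, ACK), one every 50 ms."""
    trace = []
    t = start
    for _ in range(n_conns):
        trace += [(t, TCP_SYN), (t + 0.01, TCP_SYN | TCP_ACK), (t + 0.02, TCP_ACK)]
        t += 0.05
    return trace


def syn_flood(n_syns=500, start=0.0, rate=1000.0):
    """Spoofed SYNs arriving at `rate` per second with no handshake completions."""
    return [(start + i / rate, TCP_SYN) for i in range(n_syns)]


if __name__ == "__main__":
    for line in run_trace(normal_traffic()) + run_trace(syn_flood()):
        print(line)
```

The `min_syns` floor and the per-window rate limit are the two knobs that decide whether this is a usable log line or noise: without the floor a quiet link with a couple of unanswered SYNs trips the alarm, and without the rate limit the flood fills the syslog host as fast as it fills the link. A long window also dilutes a short burst against earlier legitimate traffic, so the window should be sized to the attack duration you want to catch, not to the busiest hour.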
In message <199609182057.NAA00879@quest.quake.net>, Vadim Antonov writes:
Michael Dillon <michael@memra.com> wrote:
This ratio detection doesn't need to shutdown anything, just syslog the fact so that admins have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER ATTACK which will make them sit up and take notice.
Ah, you're an optimist.
Most sysadmins would simply ignore whatever warnings they get as long as their internal users aren't complaining.
And half of them wouldn't know what SYN/ACK ratio is.
--vadim
As long as the attacks were logged another provider (like their upstream provider for example) can come along and say "we traced the attack to your network, what sort of traps were logged". If they are totally clueless they can at least set up the traps and traplogs (possibly with some help) at that point and get the next attack.

Curtis
participants (3)
- Curtis Villamizar
- Michael Dillon
- Vadim Antonov