Re: router syn/syn-ack/ack alarming...
Alex, I agree with much of your analysis, but would argue that the two techniques of:
- source address filtering and
- syn/synack/ack ratio detection
are *complementary* approaches, both of which have promise. Due to asymmetric routes and other reasons, neither seems very promising within core routers. Source address filtering, however, should become standard practice near the edge of the net and help control attacks near the source host. Syn/synack/ack ratio detection is complementary, since it could help detect an attack near the destination host.

I am also a bit skeptical about the idea of automatically shutting down an interface upon noticing anomalies in the ratios, but that does not detract from the value of ratio anomaly detection as a valuable network management technique.

-- Guy

At 09:48 PM 9/17/96 +0100, Alex.Bligh wrote:
um... maybe I'm missing the clue here, but if the router vendors add something that shuts down an interface if the SYN/SYN-ACK/ACK ratio becomes too bad, doesn't that make it *easier* for me if I'm doing a denial of service attack on a host?

On "core" (whatever that means) you only need an extra couple of hundred SYNs/sec to be passing through an attack, on many many 000s of SYNs per sec. On customer facing routers, it is much easier just to block packets with source addresses not on customer LANs. I.e. where your solution would help, one can already fix the problem w/o a s/w change.

Alex Bligh
Xara Networks
On Wed, 18 Sep 1996, Guy T Almes wrote:
the source host. Syn/synack/ack ratio detection is complementary, since it could help detect an attack near the destination host.
It could also help detect an attack near the source host, which would help *GREATLY* in tracing the perpetrator of the attacks. This ratio detection doesn't need to shut down anything, just syslog the fact so that admins have something in their logs like "SYN/ACK RATIO 33:1 POSSIBLE HACKER ATTACK" which will make them sit up and take notice.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
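The log-only ratio detection Michael describes, as an added example that is not from any participant in this thread: handshake packets are bucketed per interface for one counting window, and an interface whose SYN-to-ACK ratio is skewed produces a syslog-style line modelled on his suggested wording. Interface names, flag records, the threshold and the minimum SYN count are all constructed for illustration.

```python
# Added example: per-interface SYN / SYN-ACK / ACK ratio detection that only
# logs, never shuts an interface down.  All packet records here are constructed.
from collections import Counter

SYN, ACK = 0x02, 0x10  # TCP header flag bits


def classify(flags: int):
    """Bucket a packet by the handshake step its flags indicate (or None)."""
    if flags & SYN:
        return "synack" if flags & ACK else "syn"
    return "ack" if flags & ACK else None


def handshake_counts(packets):
    """packets: iterable of (interface, tcp_flags) seen in one window.
    Returns {interface: Counter(syn=..., synack=..., ack=...)}."""
    counts = {}
    for iface, flags in packets:
        step = classify(flags)
        if step is not None:
            counts.setdefault(iface, Counter())[step] += 1
    return counts


def syn_ack_ratio(c: Counter) -> float:
    """SYNs per pure ACK.  Every pure ACK is counted (data ACKs included), which
    errs on the quiet side; a zero ACK count is treated as one to avoid /0."""
    return c["syn"] / max(c["ack"], 1)


def ratio_alerts(packets, threshold=10.0, min_syns=100):
    """Return syslog-style lines for interfaces whose ratio looks like a flood.
    min_syns stops a quiet link with a few retransmitted SYNs from alarming."""
    lines = []
    for iface, c in sorted(handshake_counts(packets).items()):
        r = syn_ack_ratio(c)
        if c["syn"] >= min_syns and r >= threshold:
            lines.append(f"{iface}: SYN/ACK RATIO {r:.0f}:1 POSSIBLE HACKER ATTACK "
                         f"(syn={c['syn']} synack={c['synack']} ack={c['ack']})")
    return lines


# Constructed one-window sample: eth0 carries ordinary handshakes, while eth1
# sees 330 SYNs all answered with SYN-ACKs but only 10 completing ACKs.
SAMPLE = ([("eth0", SYN)] * 120 + [("eth0", SYN | ACK)] * 120 + [("eth0", ACK)] * 150
          + [("eth1", SYN)] * 330 + [("eth1", SYN | ACK)] * 330 + [("eth1", ACK)] * 10)

if __name__ == "__main__":
    for line in ratio_alerts(SAMPLE):
        print(line)
```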