 
I'm wondering if this is not quite the panacea that it appears. More thought is certainly required here... asymmetry being a problem that leaps to mind.
- paul

At 01:02 PM 9/17/96 -0700, Vadim Antonov wrote:
This is an excellent idea! Actually, router vendors may simply add a feature which shuts down the interface if the SYN/SYN-ACK balance is too bad -- thus disconnecting the hacker-to-be.
Of course, that balance may be decaying with time, so repeated unsuccessful attempts to connect won't trigger alarms.
--vadim

Forrest W. Christian <forrestc@iMach.com> wrote:
Maybe I'm missing something here, but wouldn't these Denial of Service attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a given router interface?
If so, then couldn't we just sweet-talk cisco into providing 5 minute counts of SYNs and SYN-ACKs on an interface?
 
Is there that much asymmetry in the very leaves of the network? I live in the asymmetry at the middle of the network, but of the folks who are multihomed customers of NSPs, is it the case that asymmetry prevails in single streams of communication? Don't most multihomed customers of NSPs engineer a preferred transit?

If I'm multihomed to two providers I've already done something to balance my traffic and to make sure that I have fail-over. I accept x routes on connection 1 and y routes on connection 2. Outgoing, I might pad my AS on connection 2 and point default on connection 1. I might point a higher metric default out connection 2, or perhaps I'm defaultless and tag routes as I hear them based on my own policy. There are a million ways to do it, but because of the way it's usually been done I wonder if there are that many cases of asymmetry at the edge.

I guess the one common thread of this discussion is that whatever must be done, must be done on the edges of the internet. And that's not a cop out; we have as many edge cases as we have connections to ISPs.

Jeff Young
young@mci.net
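The per-interface SYN versus SYN-ACK count that Forrest proposes, with the decaying balance Vadim suggests and the asymmetry objection Paul and Jeff raise, worked through as an added example. This is illustration code written for this page, not code from any of the posters or from any router vendor; the interface names e0 to e4, the thresholds (300 s half-life, a 50-SYN minimum, a 10:1 ratio) and the traffic are all constructed assumptions.

```python
# Added example (not from the thread): a sketch of the per-interface SYN vs SYN-ACK
# balance check discussed above, with decaying counters and the routing-asymmetry
# false positive reproduced on constructed traffic. Interface names, thresholds and
# traffic below are assumptions for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds on a constructed timeline
    iface: str     # router interface the packet crosses
    inbound: bool  # True = received from the customer side of that interface
    syn: bool
    ack: bool


class SynBalanceMonitor:
    """Tracks, per interface, SYNs sent by the customer vs SYN-ACKs returned to it.

    Counters decay exponentially (half_life_s), so a stale burst stops counting and
    repeated, widely spaced connection failures never accumulate into an alarm.
    """

    def __init__(self, half_life_s=300.0, min_syns=50, max_ratio=10.0):
        self.half_life_s = half_life_s
        self.min_syns = min_syns      # ignore links with too little data to judge
        self.max_ratio = max_ratio    # SYN / (SYN-ACK + 1) above this is "too bad"
        self._state = {}              # iface -> [syns, synacks, last_ts]

    def _decay(self, st, now):
        dt = now - st[2]
        if dt > 0:
            f = 0.5 ** (dt / self.half_life_s)
            st[0] *= f
            st[1] *= f
            st[2] = now

    def observe(self, p):
        st = self._state.setdefault(p.iface, [0.0, 0.0, p.ts])
        self._decay(st, p.ts)
        if p.syn and not p.ack and p.inbound:
            st[0] += 1.0   # customer opening a connection outward
        elif p.syn and p.ack and not p.inbound:
            st[1] += 1.0   # remote end answering back toward the customer

    def totals(self, ifaces, now):
        """Decayed (SYN, SYN-ACK) totals summed over a set of interfaces."""
        syns = synacks = 0.0
        for i in ifaces:
            st = self._state.get(i)
            if st is not None:
                self._decay(st, now)
                syns += st[0]
                synacks += st[1]
        return syns, synacks

    def suspicious(self, ifaces, now):
        syns, synacks = self.totals(ifaces, now)
        return syns >= self.min_syns and syns / (synacks + 1.0) > self.max_ratio


# --- constructed traffic generators (not captures) ---
def handshakes(syn_iface, synack_iface, n, t0=0.0, gap=1.0):
    """n connection attempts; SYN leaves on one interface, SYN-ACK returns on another."""
    pkts = []
    for k in range(n):
        t = t0 + k * gap
        pkts.append(Packet(t, syn_iface, True, True, False))
        pkts.append(Packet(t + 0.05, synack_iface, False, True, True))
    return pkts


def unanswered_syns(iface, n, t0=0.0, gap=0.1):
    """n SYNs after which no SYN-ACK ever comes back over this link."""
    return [Packet(t0 + k * gap, iface, True, True, False) for k in range(n)]


def run_scenarios():
    m = SynBalanceMonitor()
    for p in sorted(handshakes("e0", "e0", 200)            # single-homed customer
                    + unanswered_syns("e1", 1000)          # flood-like link
                    + handshakes("e2", "e3", 200)          # multihomed: out e2, back via e3
                    + unanswered_syns("e4", 60),           # one short burst, then silence
                    key=lambda pkt: pkt.ts):
        m.observe(p)
    return {
        "normal": m.suspicious(["e0"], 200.0),
        "flood": m.suspicious(["e1"], 200.0),
        "asym_one_link": m.suspicious(["e2"], 200.0),       # judged alone: false positive
        "asym_both_links": m.suspicious(["e2", "e3"], 200.0),
        "burst_fresh": m.suspicious(["e4"], 6.0),
        "burst_stale": m.suspicious(["e4"], 3000.0),        # decayed away, ten half-lives later
    }
```

Running run_scenarios() separates the single-homed customer from the flood-like link cleanly, but the multihomed customer whose SYN-ACKs come home over e3 looks exactly like the flood when e2 is judged on its own, and only clears when both links are summed. A provider can do that summing only when both halves of the asymmetric path cross its own routers; when the return path runs through another provider, no local counter can pair them up, which is the objection in the thread. The e4 case shows the decay: a 60-SYN burst trips the check while fresh and is worth almost nothing fifty minutes later.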
From: Paul Ferguson <pferguso@cisco.com>
To: Vadim Antonov <avg@quake.net>
Cc: nanog@merit.edu, iepg@iepg.org
Date: Wed, 18 Sep 1996 07:51:56 -0400
Subject: Re: New Denial of Service Attack on Panix