um... maybe i'm missing the clue here, but if the router vendors add something that shuts down an interface if the SYN/SYN-ACK/ACK ratio becomes too bad make it *easier* for me if i'm doing a denial of service attack on a host?

instead of denying service to a given host, all i have to do is drive the router into alarm mode so it shuts off the interface and then i get to deny service to an entire segment and everything downstream from that segment...

here's to better bang for your cracker-kiddie buck...

--regis
> um... maybe i'm missing the clue here, but if the router vendors add something that shuts down an interface if the SYN/SYN-ACK/ACK ratio becomes too bad make it *easier* for me if i'm doing a denial of service attack on a host?

On "core" (whatever that means) you only need an extra couple of hundred SYNs/sec to be passing through an attack, on many many 000s of SYNs per sec. On customer facing routers, much easier just to block packets with source addresses not on customer LANs. I.e. where your solution would help, one can already fix the problem w/o a s/w change.

Alex Bligh
Xara Networks
> um... maybe i'm missing the clue here, but if the router vendors add something that shuts down an interface if the SYN/SYN-ACK/ACK ratio becomes too bad make it *easier* for me if i'm doing a denial of service attack on a host?
>
> instead of denying service to a given host, all i have to do is drive the router into alarm mode so it shuts off the interface and then i get to deny service to an entire segment and everything downstream from that segment...
>
> here's to better bang for your cracker-kiddie buck...
> --regis

That could potentially take out a pop, as each interface goes down due to an attack.

--
Jeremy Hall, Network Engineer
ISDN-Net, Inc, Nashville, TN and the southeast USA
jhall@isdn.net   Office +1-615-371-1625   Pager +1-615-702-0750
Regis Donovan writes:
> um... maybe i'm missing the clue here, but if the router vendors add something that shuts down an interface if the SYN/SYN-ACK/ACK ratio becomes too bad make it *easier* for me if i'm doing a denial of service attack on a host?

One could say that, yes...

Perry
i think that they're talking about shutting down the source, not the destination. if you deploy it on your own incoming interface, well, gun - foot - bang :-)

Jeff Young
young@mci.net
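As an added illustration of the two responses contrasted in this thread (the interface-shutdown alarm Regis objects to, and the source-address filter on customer-facing ports that Alex describes and Jeff's "shutting down the source" points at), here is a small Python model that is not from the thread itself; the interface name cust0, the 192.0.2.0/24 customer prefix, the 0.8 threshold and the packet sample are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample of packets entering customer port "cust0", as
# (interface, src, dst, tcp_flags) with "S" = SYN, "SA" = SYN-ACK, "A" = ACK.
# The customer's own hosts live in 192.0.2.0/24 (hypothetical prefix);
# the flood rows carry forged sources from outside that block.
CUSTOMER_PREFIXES = {"cust0": [ipaddress.ip_network("192.0.2.0/24")]}
LEGIT = [("cust0", f"192.0.2.{h}", "198.51.100.5", fl)
         for h in (10, 11) for fl in ("S", "A", "SA")]
FLOOD = [("cust0", f"203.0.113.{i}", "198.51.100.5", "S") for i in range(40)]
SAMPLE = LEGIT + FLOOD

def syn_ratio(packets):
    """Share of handshake packets per interface that are bare SYNs."""
    counts = {}
    for ifname, _src, _dst, fl in packets:
        counts.setdefault(ifname, Counter())[fl] += 1
    return {ifname: c["S"] / (c["S"] + c["SA"] + c["A"])
            for ifname, c in counts.items() if c["S"] + c["SA"] + c["A"]}

def interface_shutdown_policy(packets, threshold=0.8):
    """The alarm design the thread worries about: an interface whose SYN
    share exceeds the threshold is shut, so nothing behind it is forwarded."""
    shut = {ifname for ifname, r in syn_ratio(packets).items() if r > threshold}
    return [p for p in packets if p[0] not in shut]

def ingress_filter_policy(packets, prefixes=CUSTOMER_PREFIXES):
    """The customer-facing alternative: forward only packets whose source
    address belongs to the prefixes assigned to that port."""
    def allowed(ifname, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in prefixes.get(ifname, []))
    return [p for p in packets if allowed(p[0], p[1])]

def legitimate_forwarded(forwarded, prefixes=CUSTOMER_PREFIXES):
    """Count forwarded packets that really came from the customer's hosts."""
    nets = [n for nets in prefixes.values() for n in nets]
    return sum(1 for p in forwarded
               if any(ipaddress.ip_address(p[1]) in n for n in nets))

if __name__ == "__main__":
    print("SYN share on cust0: %.2f" % syn_ratio(SAMPLE)["cust0"])
    print("shutdown policy forwards %d legitimate packets"
          % legitimate_forwarded(interface_shutdown_policy(SAMPLE)))
    print("ingress filter forwards %d legitimate packets"
          % legitimate_forwarded(ingress_filter_policy(SAMPLE)))
```

With the sample above the shutdown policy forwards none of the customer's own packets (the whole port goes dark, which is Regis's point), while the source-address filter drops only the 40 forged SYNs.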
From: Regis Donovan <regisdo@microsoft.com>
To: nanog@merit.edu
Subject: router syn/syn-ack/ack alarming...
Date: Tue, 17 Sep 1996 13:23:35 -0700