nanog mailing list archives
Re: New Denial of Service Attack on Panix
From: Curtis Villamizar <curtis () ans net>
Date: Tue, 17 Sep 1996 20:46:53 -0400
In message <Pine.LNX.3.91.960917030857.17180B-100000 () IMgate iMach com>, "Forrest W. Christian" writes:

> Maybe I'm missing something here, but wouldn't these Denial of Service attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a given router interface?
>
> If so, then couldn't we just sweet-talk Cisco into providing 5 minute counts of SYNs and SYN-ACKs on an interface? You know, something like:
>
>     5 minute SYNS: 123423
>     5 minute SYN-ACKS: 50000
>
> Then, if the ratio got too high, it can start yelping about "Potential SYN D-O-S Attack in progress on Interface Serial 1"
>
> In this manner "good" ISPs wouldn't unknowingly carry these attacks. I envision this being done on the somewhat bigger ISPs where putting inbound filters on their customer interfaces would be not a good idea (Sprint, MCI, Net 99, etc.). If the feature was enabled by default, some smaller ISPs would probably notice it--if they are watching their Cisco logs at all.
>
> Personally, I know that these attacks aren't going to originate at our site, as I have the filters on. However, I am quite concerned about getting hit with one...
>
> -forrestc () imach com

That's a really good idea. Cutting the sample interval (60 seconds, configurable) and generating an SNMP trap would be a good idea too. You'd also want absolute and percent thresholds on the traps.

This shouldn't be tough, except at the very high end router vendors hate looking inside each packet for anything (especially if they have ASICs helping with some of the forwarding work). Just need the protocol number in the IP field and the TCP SYN and ACK bits and two counters.

Curtis
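
The counting scheme discussed in this message, as an added example that is not part of the original posts and not any router vendor's code: it reads the IP protocol number and the TCP SYN and ACK bits, keeps two counters per sample interval, and flags intervals that exceed an absolute and a percent threshold. The function names, threshold defaults, the choice to require both thresholds, and the sample packets are assumptions made for illustration.

```python
import struct
from collections import defaultdict

TCP_PROTO, SYN, ACK = 6, 0x02, 0x10

def classify(pkt: bytes):
    """Return 'syn', 'synack' or None for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or pkt[9] != TCP_PROTO or frag_off or len(pkt) < ihl + 14:
        return None                                # not TCP, later fragment, or truncated
    flags = pkt[ihl + 13]                          # TCP flags byte
    if not flags & SYN:
        return None
    return "synack" if flags & ACK else "syn"

def find_alerts(samples, interval=60, abs_threshold=1000, pct_threshold=200):
    """samples: (timestamp, raw_packet) pairs seen on one interface.
    Returns [(window_start, syns, synacks)] for windows over both thresholds."""
    counts = defaultdict(lambda: {"syn": 0, "synack": 0})   # the two counters
    for ts, pkt in samples:
        kind = classify(pkt)
        if kind:
            counts[int(ts // interval) * interval][kind] += 1
    hits = []
    for start in sorted(counts):
        syn, synack = counts[start]["syn"], counts[start]["synack"]
        pct = 100 * syn / max(synack, 1)           # SYNs as a percentage of SYN-ACKs
        # Assumption: alert only when BOTH thresholds trip, so an idle link
        # with 3 SYNs and 1 SYN-ACK does not fire on ratio alone.
        if syn - synack >= abs_threshold and pct >= pct_threshold:
            hits.append((start, syn, synack))
    return hits

def make_pkt(flags, proto=TCP_PROTO):
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    tcp = struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, 0x50, flags, 1024, 0, 0)
    return ip + tcp

def demo():
    """Constructed traffic: a balanced minute, then a minute with unanswered SYNs."""
    quiet = [(i, make_pkt(SYN)) for i in range(10)] + [(i, make_pkt(SYN | ACK)) for i in range(9)]
    flood = [(60 + i % 60, make_pkt(SYN)) for i in range(50)] + [(61, make_pkt(SYN | ACK))] * 5
    return find_alerts(quiet + flood, abs_threshold=20)
```

Each returned tuple is what a trap or log line would carry: the start of the interval and the two counter values.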