nanog mailing list archives

Re: New Denial of Service Attack on Panix


From: Curtis Villamizar <curtis () ans net>
Date: Tue, 17 Sep 1996 20:46:53 -0400


In message <Pine.LNX.3.91.960917030857.17180B-100000 () IMgate iMach com>, "Forrest W. Christian" writes:
Maybe I'm missing something here, but wouldn't these Denial of Service 
attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a 
given router interface?

If so, then couldn't we just sweet-talk cisco into providing 5 minute 
counts of syns and syn-acks on an interface?  You know something like:

  5 minute SYNS: 123423   5 minute SYN-ACKS: 50000

Then, if the ratio got too high, it can start yelping about "Potential SYN 
D-O-S Attack in progress on Interface Serial 1".

In this manner "good" ISPs wouldn't unknowingly carry these attacks.  I 
envision this being done on the somewhat bigger ISPs where putting 
inbound filters on their customer interfaces would not be a good idea 
(Sprint, MCI, Net 99, etc.).  If the feature was enabled by default, some 
smaller ISPs would probably notice it--if they are watching their cisco 
logs at all.

Personally, I know that these attacks aren't going to originate at our 
site, as I have the filters on.   However, I am quite concerned about 
getting hit with one...

-forrestc () imach com


That's a really good idea.  Cutting the sample interval (60 seconds,
configurable) and generating an SNMP trap would be a good idea too.
You'd also want absolute and percent thresholds on the traps.  This
shouldn't be tough, except that at the very high end router vendors hate
looking inside each packet for anything (especially if they have ASICs
helping with some of the forwarding work).  You just need the protocol
number in the IP header and the TCP SYN and ACK bits, plus two counters.

Curtis
- - - - - - - - - - - - - - - - -
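The per-interface SYN / SYN-ACK counter with interval reports and absolute plus percent thresholds that the two messages above sketch, written out as an added example. This is not code from either poster, from cisco, or from any router vendor; it is a host-side model of the logic, working on raw IPv4+TCP bytes. The interface name "Serial1", the 300-second interval, the thresholds, the TEST-NET addresses and the traffic mix in demo() are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IP_PROTO_TCP = 6
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def classify_tcp_handshake(pkt: bytes) -> Optional[str]:
    """Return "syn" for a bare SYN, "synack" for SYN+ACK, None otherwise.

    Reads only what the reply says a router would need: the IPv4 protocol
    number and the SYN/ACK bits of the TCP flags byte.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or pkt[9] != IP_PROTO_TCP or len(pkt) < ihl + 14:
        return None
    flags = pkt[ihl + 13]                # low byte of the TCP flags field
    if not flags & TCP_FLAG_SYN:
        return None
    return "synack" if flags & TCP_FLAG_ACK else "syn"


@dataclass
class IntervalReport:
    interface: str
    start: int       # window start, seconds
    syns: int
    synacks: int

    def unanswered(self) -> int:
        return max(self.syns - self.synacks, 0)

    def answered_pct(self) -> float:
        return 100.0 * self.synacks / self.syns if self.syns else 100.0


class SynRatioMonitor:
    """Per-interface SYN and SYN-ACK counters over fixed intervals, with an
    absolute threshold (unanswered SYNs) and a percent threshold (share of
    SYNs answered), as the reply suggests for the trap. Constructed example."""

    def __init__(self, interval=300, min_unanswered=1000, min_answered_pct=50.0):
        self.interval = interval
        self.min_unanswered = min_unanswered
        self.min_answered_pct = min_answered_pct
        self._windows = {}      # interface -> [window_start, syns, synacks]
        self.reports = []       # completed IntervalReport objects

    def observe(self, interface: str, ts: int, pkt: bytes) -> None:
        kind = classify_tcp_handshake(pkt)
        window_start = ts - ts % self.interval
        w = self._windows.get(interface)
        if w is None or w[0] != window_start:
            if w is not None:   # close the previous interval for this interface
                self.reports.append(IntervalReport(interface, w[0], w[1], w[2]))
            w = self._windows[interface] = [window_start, 0, 0]
        if kind == "syn":
            w[1] += 1
        elif kind == "synack":
            w[2] += 1

    def flush(self) -> None:
        """Close all open intervals (end of capture)."""
        for iface, w in self._windows.items():
            self.reports.append(IntervalReport(iface, w[0], w[1], w[2]))
        self._windows.clear()

    def alarms(self):
        """Intervals where both thresholds trip: enough unanswered SYNs in
        absolute terms and too small a percentage of SYNs answered."""
        return [r for r in self.reports
                if r.unanswered() >= self.min_unanswered
                and r.answered_pct() < self.min_answered_pct]


def make_packet(flags: int, proto: int = IP_PROTO_TCP) -> bytes:
    """Constructed 40-byte IPv4+TCP packet (TEST-NET addresses, zero checksums);
    only the fields classify_tcp_handshake reads are meaningful."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def demo() -> SynRatioMonitor:
    """Constructed traffic on 'Serial1': a normal interval, then one where
    most SYNs never see a SYN-ACK."""
    mon = SynRatioMonitor(interval=300, min_unanswered=1000, min_answered_pct=50.0)
    for i in range(200):                              # interval 0: 200 SYNs
        mon.observe("Serial1", i, make_packet(TCP_FLAG_SYN))
    for i in range(190):                              # ... 190 SYN-ACKs
        mon.observe("Serial1", i, make_packet(TCP_FLAG_SYN | TCP_FLAG_ACK))
    mon.observe("Serial1", 10, make_packet(TCP_FLAG_ACK))         # plain ACK, not counted
    mon.observe("Serial1", 10, make_packet(0, proto=17))          # UDP, not counted
    for i in range(5000):                             # interval 300: 5000 SYNs
        mon.observe("Serial1", 300 + i % 300, make_packet(TCP_FLAG_SYN))
    for i in range(300):                              # ... only 300 SYN-ACKs
        mon.observe("Serial1", 300 + i, make_packet(TCP_FLAG_SYN | TCP_FLAG_ACK))
    mon.flush()
    return mon


if __name__ == "__main__":
    for r in demo().alarms():
        print(f"Potential SYN D-O-S on {r.interface}: {r.syns} SYNs, "
              f"{r.synacks} SYN-ACKs ({r.answered_pct():.1f}% answered)")
```

The absolute threshold keeps a quiet interface with a handful of unanswered SYNs from tripping the alarm, and the percent threshold keeps a busy interface with a proportionally normal handshake mix quiet; both conditions have to hold, which is the behaviour the reply asks for in the trap. Whether SYN-ACKs return across the same interface depends on routing, so on a real box the two counters may need to come from a pair of interfaces rather than one.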