nanog mailing list archives

Re: router syn/syn-ack/ack alarming...


From: Guy T Almes <almes () advanced org>
Date: Wed, 18 Sep 1996 09:09:33 -0400

Alex,
  I agree with much of your analysis, but would argue that the two 
techniques of:
        - source address filtering and
        - syn/synack/ack ratio detection
are *complementary* approaches, both of which have promise.
  Due to asymmetric routes and other reasons, neither seems very promising
within core routers.  Source address filtering, however, should become
standard practice near the edge of the net and help control attacks near
the source host.  Syn/synack/ack ratio detection is complementary, since it
could help detect an attack near the destination host.
  I am also a bit skeptical about the idea of automatically shutting down
an interface upon noticing anomalies in the ratios, but that does not
detract from the value of ratio anomaly detection as a valuable network
management technique.
        -- Guy

At 09:48 PM 9/17/96 +0100, Alex.Bligh wrote:
um... maybe i'm missing the clue here, but if the router vendors add
something that shuts down an interface if the SYN/SYN-ACK/ACK ratio
becomes too bad make it *easier* for me if i'm doing a denial of service
attack on a host?  

On "core" (whatever that means) you only need an extra couple of hundred
SYNs /sec to be passing through an attack, on many many 000s of SYNs
per sec. On customer facing routers, much easier just to block packets
with source addresses not on customer LANs. IE where your solution would
help, one can already fix the problem w/o a s/w change.

Alex Bligh
Xara Networks
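As an added illustration (not part of Guy's or Alex's messages), the following Python sketch models the two complementary checks the thread discusses: a destination-side SYN/SYN-ACK/ACK ratio alarm and a customer-edge source-address filter, run over a constructed packet sample. All addresses, thresholds and function names are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed traffic sample (not from the thread): one legitimate handshake from
# the customer LAN 192.0.2.0/24 to server 198.51.100.5, then six SYNs that an
# attacker on that LAN sends with forged 203.0.113.x sources. The server answers
# every SYN with a SYN-ACK, but only the legitimate client sends the final ACK.
LEGIT = [("192.0.2.10", "198.51.100.5", "SYN"),
         ("198.51.100.5", "192.0.2.10", "SYN-ACK"),
         ("192.0.2.10", "198.51.100.5", "ACK")]
FLOOD = [(f"203.0.113.{i}", "198.51.100.5", "SYN") for i in range(1, 7)] + \
        [("198.51.100.5", f"203.0.113.{i}", "SYN-ACK") for i in range(1, 7)]
PACKETS = LEGIT + FLOOD

def handshake_counts(packets):
    """Per server address: SYNs received, SYN-ACKs sent, bare ACKs received.
    Only handshake segments are classified; a real implementation would track
    connection state so that data-carrying ACKs are not counted."""
    counts = defaultdict(lambda: {"SYN": 0, "SYN-ACK": 0, "ACK": 0})
    for src, dst, flags in packets:
        if flags in ("SYN", "ACK"):
            counts[dst][flags] += 1          # received by the server, key on dst
        elif flags == "SYN-ACK":
            counts[src][flags] += 1          # sent by the server, key on src
    return counts

def syn_ratio_alarms(packets, min_syns=5, max_ratio=3.0):
    """Destination-side detection: flag servers whose SYNs far outnumber
    completed handshakes (those that reached the final ACK). Returns
    {server: ratio}; min_syns keeps idle hosts from tripping the alarm."""
    alarms = {}
    for host, c in handshake_counts(packets).items():
        completed = min(c["SYN-ACK"], c["ACK"])
        ratio = c["SYN"] / max(completed, 1)
        if c["SYN"] >= min_syns and ratio > max_ratio:
            alarms[host] = ratio
    return alarms

def spoofed_sources(packets, customer_prefixes):
    """Source-side check: packets entering from a customer interface whose
    source address is outside the customer's own prefixes, i.e. the packets
    an ingress filter on that interface would drop before they reach the core."""
    nets = [ip_network(p) for p in customer_prefixes]
    return [src for src, _, _ in packets
            if not any(ip_address(src) in n for n in nets)]

if __name__ == "__main__":
    print("ratio alarms:", syn_ratio_alarms(PACKETS))
    # Inbound packets on the customer-facing interface (everything not from the server).
    from_customer = [p for p in PACKETS if p[0] != "198.51.100.5"]
    print("spoofed sources:", spoofed_sources(from_customer, ["192.0.2.0/24"]))
```

The ratio alarm fires only at the destination side, where the unanswered SYN-ACKs are visible; the ingress filter catches the same flood at the customer edge without needing any ratio logic, which is the complementarity Guy describes.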
