nanog mailing list archives
Re: router syn/syn-ack/ack alarming...
From: Vadim Antonov <avg () quake net>
Date: Wed, 18 Sep 1996 13:32:30 -0700
Guy T Almes <almes () advanced org> wrote:
- source address filtering and - syn/synack/ack ratio detection are *complementary* approaches, both of which have promise.
Absolutely.
Due to asymmetric routes and other reasons, neither seems very promising within core routers.
There's also an issue of performance -- you don't want to burden core routers with filtering. However, on customer access circuits it is quite feasible.
Syn/synack/ack ratio detection is complementary, since it could help detect an attack near the destination host.
I actually thought about using it at incoming traffic. I.e. not to allow garbage in the backbone in the first place. On incoming traffic the disbalance may simply trigger an alarm.
I am also a bit skeptical about the idea of automatically shutting down an interface upon noticing anomalies in the ratios, but that does not detract from the value of ratio anomaly detection as a valuable network management technique.
I think there's no problem with automatic cut-offs in case of obviously invalid traffic patterns. Practically all traffic on customer access circuits is symmetrical. The automatic shut-off has the advantage of isolating the problem (be it an attacker or a workstation going berserk) immediately, where doing it manually after alarms were tripped may take several hours, which is clearly unacceptable for most people who use the Internet to do business. Performing statistical monitoring of input traffic by multihomed customers may be a matter of service contract -- in the same place as requirements to ensure sanity of routing information originated by the same customer.

--vadim
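
The ratio check discussed in this message, sketched as an added example (not code from the thread or from any router vendor): per customer access circuit, count SYNs arriving from the customer against SYN-ACKs returning to it, and raise an alarm when the two diverge. The record layout, window length, thresholds and circuit names are assumptions, and the sample packets are constructed.

```python
from collections import defaultdict

# Assumed thresholds; the thread does not give any numbers.
MIN_SYNS = 50     # do not judge a window with fewer inbound SYNs than this
MAX_RATIO = 3.0   # alarm when inbound SYNs exceed returning SYN-ACKs by this factor

def classify(flags):
    """Map a TCP flag string ('S', 'SA', 'A', ...) to 'syn', 'synack' or None."""
    if "S" in flags and "A" in flags:
        return "synack"
    return "syn" if "S" in flags else None

def window_alarms(packets, window=10):
    """packets: (timestamp, circuit, direction, flags) tuples, where direction
    'in' is customer-to-backbone and 'out' is backbone-to-customer.
    Returns [(window_start, circuit, syn_in, synack_out)] for imbalanced windows."""
    counts = defaultdict(lambda: [0, 0])          # key -> [syn_in, synack_out]
    for ts, circuit, direction, flags in packets:
        key = (int(ts // window) * window, circuit)
        kind = classify(flags)
        if kind == "syn" and direction == "in":
            counts[key][0] += 1
        elif kind == "synack" and direction == "out":
            counts[key][1] += 1
    alarms = []
    for (start, circuit), (syn_in, synack_out) in sorted(counts.items()):
        # Replies to SYNs with forged sources never come back over this
        # circuit, so SYNs in far outnumber SYN-ACKs out.
        if syn_in >= MIN_SYNS and syn_in > MAX_RATIO * max(synack_out, 1):
            alarms.append((start, circuit, syn_in, synack_out))
    return alarms

def constructed_sample():
    """Constructed traffic: cust-a is symmetric, cust-b is badly imbalanced,
    cust-c is too quiet to judge."""
    pkts = []
    for i in range(60):
        pkts.append((i * 0.1, "cust-a", "in", "S"))
        if i < 58:
            pkts.append((i * 0.1 + 0.05, "cust-a", "out", "SA"))
    pkts += [(i * 0.04, "cust-b", "in", "S") for i in range(200)]
    pkts += [(1.0, "cust-b", "out", "SA"), (2.0, "cust-b", "out", "SA")]
    pkts += [(i * 1.0, "cust-c", "in", "S") for i in range(5)]
    return pkts

if __name__ == "__main__":
    for alarm in window_alarms(constructed_sample()):
        print("ALARM window=%d circuit=%s syn_in=%d synack_out=%d" % alarm)
```

On a multihomed circuit the returning SYN-ACKs may take another path, so there the same counters only justify an alarm, not a cut-off.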