Re: New Denial of Service Attack on Panix

[Avi Freedman <freedman () netaxs com>]

> Maybe I'm missing something here, but wouldn't these Denial of Service 
> attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a 
> given router interface?
>
> If so, then couldn't we just sweet-talk cisco into providing 5 minute 
> counts of syns and syn-acks on an interface?  You know something like:
>
>   5 minute SYNS: 123423   5 minute SYN-ACKS: 50000
>
> Then, if the ratio got too high, it can start yelping about "Potential SYN 
> D-O-S Atttack in progress on Interface Serial 1"

Interesting.  Asymmetry might mean that it'd go undetected, except 
towards the site being affected (except towards the site being attacked,
if they're singly-homed).

What you'd *really* like is a count of SYNS by source MAC address at
(i.e. at an exchange point), but what you suggest is interesting.

> In this manner "good" isp's wouldn't unknowingly carry these attacks.  I 
> envision this being done on the somewhat bigger isp's where putting 
> inbound filters on their customer interfaces would be not a good idea 
> (Sprint, MCI, Net 99, etc.).  If the feature was enabled by default, some 
> smaller ISPs would probably notice it--if they are watching their cisco 
> logs at all.
>
> Personally, I know that these attacks aren't going to originate at our 
> site, as I have the filters on.   However, I am quite concerned about 
> getting hit with one...
>
> -forrestc () imach com

Avi
- - - - - - - - - - - - - - - - -