nanog mailing list archives
Re: router syn/syn-ack/ack alarming...
From: Guy T Almes <almes () advanced org>
Date: Wed, 18 Sep 1996 09:35:47 -0400
Vadim,

The case for ratio-based techniques is stronger as a means for a NOC to detect a strange situation and investigate it than as a means to automatically shut down an interface.

Note that, given your 'opposite direction' idea, I could shut down service on campus 'A' by [1] logging into any host on campus 'A', [2] launching an attack that might not be harmful in itself but which would trigger the auto shutdown you advocate, and then [3] sitting back and watching all of campus 'A' get shut down with the presumptive blame focused on them. It's still a denial of service attack.

The problem is not with detecting the ratio imbalance, but with a simple deterministic response to it. That determinism could be used by an attacker.

In sum, I like the idea of detecting the problem and rapidly tracing it, but I'm skeptical about a totally automated response to it given our current low level of experience with it.

-- Guy

At 05:58 PM 9/17/96 -0700, you wrote:
> Regis Donovan <regisdo () microsoft com> wrote:
>
> > um... maybe i'm missing the clue here, but if the router vendors add
> > something that shuts down an interface if the SYN/SYN-ACK/ACK ratio
> > becomes too bad, does that make it *easier* for me if i'm doing a denial
> > of service attack on a host?
>
> No, you took the "anti-SYN" shut-off in the opposite direction. ISPs could
> install the asymmetry shut-off (why stop at SYNs / SYN-ACK pairs?)
> enforcing rough balance of SYNs coming from the customer and SYN-ACKs
> coming back to the customer. If the traffic is legitimate, the balance
> will hold. Any attempt to flood by that customer (intentional, or
> unintentional, by broken software) will cause massive imbalance. The
> equivalent filter on the victim's side won't see those SYNs and SYN-ACKs,
> simply because they are going in the opposite direction.
>
> > instead of denying service to a given host, all i have to do is drive the
> > router into alarm mode so it shuts off the interface and then i get to
> > deny service to an entire segment and everything downstream from that
> > segment...
>
> Yes, the defense may be multi-staged. I.e. if a local ISP does not enable
> anti-flooding defenses on its own customer links, it'll risk the backbone
> ISP shutting down its entire operation.
>
> BTW, telcos have used statistical traffic analysis (bit-density monitors
> are the most trivial example) to isolate troubles for years.
>
> --vadim
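The following is an added example, not code from the original thread or from any participant. It models the 'opposite direction' check Vadim describes (count SYNs leaving a customer link and SYN-ACKs returning to it, alarm when they diverge) and then walks through Guy's objection: the same alarm that detects a flood from one host, if wired to an automatic shutdown, cuts off every host behind that link. All addresses, thresholds and traffic below are constructed for illustration; the per-source breakdown is the 'rapidly trace it' step Guy prefers over an automated response.

```python
"""Toy SYN / SYN-ACK asymmetry monitor for one customer link (added example).

Counts TCP SYNs leaving the customer side and SYN-ACKs coming back, flags the
link when they diverge, and shows why a deterministic auto-shutdown is abusable:
one host inside the customer network can drive the ratio and take the link down
for everyone behind it.  Addresses, thresholds and packets are constructed.
"""
from collections import Counter
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Pkt:
    """One TCP packet summary as a link monitor would see it (constructed)."""
    src: str
    dst: str
    flags: int
    outbound: bool  # True: customer -> upstream, False: upstream -> customer


def is_syn(p: Pkt) -> bool:
    return p.flags & (SYN | ACK) == SYN


def is_synack(p: Pkt) -> bool:
    return p.flags & (SYN | ACK) == SYN | ACK


def link_stats(pkts):
    """Count SYNs leaving the customer and SYN-ACKs coming back to it."""
    syns_out = sum(1 for p in pkts if p.outbound and is_syn(p))
    synacks_in = sum(1 for p in pkts if not p.outbound and is_synack(p))
    return syns_out, synacks_in


def unanswered_fraction(syns_out: int, synacks_in: int) -> float:
    """Share of outbound SYNs with no returning SYN-ACK; 0.0 means balanced."""
    if syns_out == 0:
        return 0.0
    return max(0.0, (syns_out - synacks_in) / syns_out)


def classify(pkts, threshold=0.5, min_syns=20) -> str:
    """Return 'alarm' when the link is badly asymmetric, else 'ok'.

    min_syns keeps a handful of failed connections on an idle link from
    tripping the check; threshold tolerates normal refused or timed-out SYNs.
    Both values are assumptions chosen for this toy, not measured figures.
    """
    syns_out, synacks_in = link_stats(pkts)
    if syns_out < min_syns:
        return "ok"
    return "alarm" if unanswered_fraction(syns_out, synacks_in) >= threshold else "ok"


def unanswered_by_source(pkts):
    """Per customer host: outbound SYNs minus SYN-ACKs returned to that host.

    This is the tracing step: it points the NOC at the host driving the
    imbalance.  If the flood spoofs its source addresses the counts scatter
    over bogus hosts and the trace has to continue inside the campus.
    """
    syns = Counter(p.src for p in pkts if p.outbound and is_syn(p))
    acks = Counter(p.dst for p in pkts if not p.outbound and is_synack(p))
    return sorted(((h, syns[h] - acks[h]) for h in syns), key=lambda t: -t[1])


def customer_hosts(pkts):
    """Every customer-side address active on the link: exactly what an
    automatic interface shutdown would cut off, attacker and bystanders alike."""
    return {p.src for p in pkts if p.outbound}


def build_legit(hosts=("10.1.1.10", "10.1.1.11", "10.1.1.12"), conns=10):
    """Constructed normal traffic: complete three-way handshakes."""
    out = []
    for h in hosts:
        for i in range(conns):
            server = f"192.0.2.{i + 1}"
            out.append(Pkt(h, server, SYN, True))
            out.append(Pkt(server, h, SYN | ACK, False))
            out.append(Pkt(h, server, ACK, True))
    return out


def build_flood(src="10.1.1.99", victim="198.51.100.5", n=200):
    """Constructed SYN flood from one customer host.  No SYN-ACKs come back
    (the victim's backlog is full, or it has started dropping), so every SYN
    counts as unanswered on the customer link."""
    return [Pkt(src, victim, SYN, True) for _ in range(n)]


if __name__ == "__main__":
    traffic = build_legit() + build_flood()
    print(link_stats(traffic), classify(traffic))
    print(unanswered_by_source(traffic)[:2])
    print(sorted(customer_hosts(traffic)))
```

Run stand-alone, the mixed traffic reports 230 SYNs out against 30 SYN-ACKs in and classifies the link as 'alarm'; the per-source list names 10.1.1.99 with 200 unanswered SYNs while the three legitimate hosts show zero, and `customer_hosts` lists all four, which is the set a deterministic shutdown would take offline. The design choice is that `classify` only produces a signal: what to do with it (page the NOC, rate-limit the one host, or shut the interface) is left to policy, which is the distinction Guy is drawing.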
- - - - - - - - - - - - - - - - -
Current thread:
- router syn/syn-ack/ack alarming... Regis Donovan (Sep 17)
- Re: router syn/syn-ack/ack alarming... Alex.Bligh (Sep 17)
- Re: router syn/syn-ack/ack alarming... Mr. Jeremy Hall (Sep 17)
- Re: router syn/syn-ack/ack alarming... Perry E. Metzger (Sep 17)
- Re: router syn/syn-ack/ack alarming... Jeff Young (Sep 17)
- <Possible follow-ups>
- Re: router syn/syn-ack/ack alarming... Vadim Antonov (Sep 17)
- Re: router syn/syn-ack/ack alarming... Paul Ferguson (Sep 18)
- Re: router syn/syn-ack/ack alarming... Guy T Almes (Sep 18)
- Re: router syn/syn-ack/ack alarming... Michael Dillon (Sep 18)
- Re: router syn/syn-ack/ack alarming... Guy T Almes (Sep 18)
- Re: router syn/syn-ack/ack alarming... Justin W. Newton (Sep 18)
- Re: router syn/syn-ack/ack alarming... Vern Paxson (Sep 18)
- Re: router syn/syn-ack/ack alarming... Michael Dillon (Sep 18)
- Re: router syn/syn-ack/ack alarming... Larry J. Plato (Sep 18)
- Re: router syn/syn-ack/ack alarming... George Herbert (Sep 18)
- Re: router syn/syn-ack/ack alarming... Mark A. Fullmer (Sep 18)
- Re: router syn/syn-ack/ack alarming... Michael Dillon (Sep 18)
- Re: router syn/syn-ack/ack alarming... Michael Dillon (Sep 18)
- Re: router syn/syn-ack/ack alarming... Michael Dillon (Sep 18)