nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: router syn/syn-ack/ack alarming...

From: Vern Paxson <vern () ee lbl gov>
Date: Wed, 18 Sep 96 11:12:05 PDT
have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER
ATTACK which will make them sit up and take notice.


I don't see how in reality to make the syn/syn-ack/ack ratio work soundly.
It seems too easy for the cracker to synthesize bogus syn-ack's or ack's to
manipulate the ratio however they please.  The bookkeeping to tell a true
syn-ack or ack-syn-ack from a bogus one entails keeping around connection
state, and suddenly the cheap ratio gets expensive.

                Vern
- - - - - - - - - - - - - - - - -
Previous By Date Next
Previous By Thread Next

Current thread: