nanog mailing list archives

Re: router syn/syn-ack/ack alarming...


From: Michael Dillon <michael () memra com>
Date: Wed, 18 Sep 1996 16:12:47 -0700 (PDT)

On Wed, 18 Sep 1996, Vadim Antonov wrote:

This ratio detection
doesn't need to shut down anything, just syslog the fact so that admins
have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER
ATTACK which will make them sit up and take notice.

Ah, you're an optimist.

*smile*

Most sysadmins would simply ignore whatever warnings they get as
long as their internal users aren't complaining.

And half of them wouldn't know what SYN/ACK ratio is.

That's why the word "HACKER" has to be in the message. Over time we can
get the word out that if you are having weird problems you should make
sure your router is pointed to a syslog host and then try

grep HACKER /var/log/*

Besides, some admins do browse through logs from time to time. I can't
count how many times the Linuxisp mailing list has seen the question:
  
   I was looking through my logs and I see these messages
   about named and recvfrom failed...

This is a rather innocuous problem caused by running an old beta version
of BIND and doesn't generally cause any other symptoms. Maybe more people
read logs than you think....

Michael Dillon                   -               ISP & Internet Consulting
Memra Software Inc.              -                  Fax: +1-604-546-3049
http://www.memra.com             -               E-mail: michael () memra com
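
Added example, not part of the original message or of any router's code: a sketch of the ratio alarm discussed in this thread, run over constructed records. The record format, the 60-second interval, the thresholds and the reading of "SYN/ACK ratio" as SYNs received per handshake-completing ACK are all assumptions.

```python
"""SYN-to-ACK ratio alarm over per-interval TCP flag counts (added example)."""
from collections import Counter

THRESHOLD = 10   # assumed: alarm when SYNs outnumber handshake ACKs 10:1
MIN_SYNS = 20    # assumed: skip quiet intervals so 3 SYNs / 0 ACKs is not an alarm
WINDOW = 60      # assumed: seconds per counting interval


def build_sample():
    """Constructed records (epoch_seconds, flag): 'S' = SYN received,
    'A' = final ACK of a completed three-way handshake."""
    recs = []
    for t in range(0, 60, 2):          # interval 0: 30 normal handshakes
        recs += [(t, "S"), (t, "A")]
    for t in range(60, 120):           # interval 1: 60 SYNs ...
        recs.append((t, "S"))
    recs += [(61, "S")] * 6            # ... plus 6 more, 66 in total
    recs += [(70, "A"), (90, "A")]     # only 2 handshakes complete
    recs += [(125, "S"), (126, "S"), (127, "S")]  # interval 2: too quiet to judge
    return recs


def ratio_alarms(records, window=WINDOW, threshold=THRESHOLD, min_syns=MIN_SYNS):
    """Return one syslog-style line per interval whose SYN:ACK ratio
    reaches the threshold. Only logs; it never blocks traffic."""
    syn, ack = Counter(), Counter()
    for ts, flag in records:
        bucket = ts // window
        if flag == "S":
            syn[bucket] += 1
        elif flag == "A":
            ack[bucket] += 1
    alarms = []
    for bucket in sorted(syn):
        s, a = syn[bucket], ack[bucket]
        if s < min_syns:
            continue                   # too few SYNs for the ratio to mean anything
        ratio = s // max(a, 1)         # no completions at all: count ACKs as 1
        if ratio >= threshold:
            alarms.append(f"interval={bucket * window}s SYN/ACK RATIO {ratio}:1 "
                          f"POSSIBLE HACKER ATTACK (syn={s} ack={a})")
    return alarms


if __name__ == "__main__":
    for line in ratio_alarms(build_sample()):
        print(line)
```

Sent to a syslog host, a line of this shape is what the grep for HACKER above would find; the minimum-SYN floor keeps idle intervals from generating alarms that teach admins to ignore the message.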
