nanog mailing list archives

Re: router syn/syn-ack/ack alarming...


From: "Larry J. Plato" <ljp () ans net>
Date: Wed, 18 Sep 1996 23:32:56 +0000 (GMT)


On Wed, 18 Sep 1996, Vern Paxson wrote:

have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER
ATTACK which will make them sit up and take notice.

I don't see how in reality to make the syn/syn-ack/ack ratio work soundly.
It seems too easy for the cracker to synthesize bogus syn-ack's or ack's to
manipulate the ratio however they please.

Wouldn't the ratio be calculated from outgoing SYN's and incoming ACK's?
I can see that a sophisticated attacker could have a machine on another
network sending incoming ACK's to balance the outgoing SYN's but I suspect
this would be an extremely small percentage of attacks.

Until someone implements this as a feature, then 2600 will post the code 
to a program that sends SYNs followed by ACKs a minute later.  The damage
would be done by then, but the stats would show balanced flows.

Larry Plato
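Added example, not part of the original post or of any router's code: a Python sketch of the point raised in this exchange, comparing a whole-period SYN:ACK ratio with per-window counts and with a per-flow handshake timeout, on constructed events where the ACKs arrive a minute after the SYNs. The event format, flow names, the 10-second window and the 3-second timeout are assumptions made for illustration.

```python
from collections import Counter

HANDSHAKE_TIMEOUT = 3.0  # seconds allowed between SYN and completing ACK (assumed)

def build_sample():
    """Constructed events: (time_s, flow_id, kind), kind is 'SYN' or 'ACK'."""
    events = []
    for i in range(4):   # ordinary handshakes, ACK 0.1 s after the SYN
        t = 5.0 + 20 * i
        events += [(t, f"ok-{i}", "SYN"), (t + 0.1, f"ok-{i}", "ACK")]
    for i in range(20):  # burst of SYNs whose ACKs arrive a minute later
        t = 10.0 + 0.01 * i
        events += [(t, f"late-{i}", "SYN"), (t + 60.0, f"late-{i}", "ACK")]
    return sorted(events)

def aggregate_ratio(events):
    """SYN:ACK ratio over the whole log, as an end-of-period report sees it."""
    counts = Counter(kind for _, _, kind in events)
    return counts["SYN"] / max(counts["ACK"], 1)

def windowed_ratios(events, window=10.0):
    """(SYN count, ACK count) per fixed time window."""
    buckets = {}
    for t, _, kind in events:
        buckets.setdefault(int(t // window), Counter())[kind] += 1
    return {w: (c["SYN"], c["ACK"]) for w, c in sorted(buckets.items())}

def overdue_at(events, now, timeout=HANDSHAKE_TIMEOUT):
    """Flows that at time `now` have waited `timeout` or longer for an ACK."""
    pending = {}
    for t, flow, kind in events:  # events must be sorted by time
        if t > now:
            break
        if kind == "SYN":
            pending[flow] = t
        else:
            pending.pop(flow, None)
    return sorted(f for f, t in pending.items() if now - t >= timeout)

if __name__ == "__main__":
    ev = build_sample()
    print("whole-period ratio:", aggregate_ratio(ev))
    print("per-window (SYN, ACK):", windowed_ratios(ev))
    print("overdue at t=15:", len(overdue_at(ev, 15.0)))
    print("overdue at t=80:", len(overdue_at(ev, 80.0)))
```

On this data the whole-period ratio is balanced, while the per-window counts and the timeout check taken during the burst are not.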