North American Network Operators Group
Re: New Denial of Service Attack on Panix
> Maybe I'm missing something here, but wouldn't these Denial of Service
> attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a
> given router interface?
>
> If so, then couldn't we just sweet-talk cisco into providing 5 minute
> counts of syns and syn-acks on an interface? You know something like:
>
> 5 minute SYNS: 123423 5 minute SYN-ACKS: 50000
>
> Then, if the ratio got too high, it can start yelping about "Potential SYN
> D-O-S Attack in progress on Interface Serial 1"

Interesting. Asymmetry might mean that it'd go undetected, except towards the site being affected (except towards the site being attacked, if they're singly-homed). What you'd *really* like is a count of SYNS by source MAC address at (i.e. at an exchange point), but what you suggest is interesting.

> In this manner "good" ISPs wouldn't unknowingly carry these attacks. I
> envision this being done on the somewhat bigger ISPs where putting
> inbound filters on their customer interfaces would be not a good idea
> (Sprint, MCI, Net 99, etc.). If the feature was enabled by default, some
> smaller ISPs would probably notice it--if they are watching their cisco
> logs at all.
>
> Personally, I know that these attacks aren't going to originate at our
> site, as I have the filters on. However, I am quite concerned about
> getting hit with one...
>
> [email protected]

Avi