North American Network Operators Group

Re: router syn/syn-ack/ack alarming...
Regis Donovan <[email protected]> wrote:

> um... maybe i'm missing the clue here, but if the router vendors add
> something that shuts down an interface if the SYN/SYN-ACK/ACK ratio
> becomes too bad make it *easier* for me if i'm doing a denial of service
> attack on a host?

No, you took the "anti-SYN" shut-off in the opposite direction. ISPs could install the asymmetry shut-off (why stop at SYN / SYN-ACK pairs?) enforcing a rough balance of SYNs coming from the customer and SYN-ACKs coming back to the customer. If the traffic is legitimate, the balance will hold. Any attempt to flood by that customer (intentional, or unintentional, by broken software) will cause a massive imbalance. The equivalent filter on the victim's side won't see those SYNs and SYN-ACKs, simply because they are going in the opposite direction.

> instead of denying service to a given host, all i have to do is drive
> the router into alarm mode so it shuts off the interface and then i get
> to deny service to an entire segment and everything downstream from that
> segment...

Yes, the defense may be multi-staged. I.e. if a local ISP does not enable anti-flooding defenses on its own customer links, it'll risk the backbone ISP shutting down its entire operation.

BTW, telcos have used statistical traffic analysis (bit-density monitors are the most trivial example) to isolate troubles for years.

--vadim
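The customer-side asymmetry check vadim describes, written out as an added example (this is not code from the thread or from any router vendor). It counts, per customer link, SYNs leaving the customer and SYN-ACKs returning to the customer, and raises an alarm when the ratio drifts far from the rough balance legitimate traffic keeps. The sample packets, the customer names, the 50-packet minimum window and the 3:1 alarm ratio are all constructed assumptions for illustration; a real deployment would tune them per link speed and would run the counters over a sliding time window.

```python
from collections import defaultdict

# Assumed thresholds (not from the thread). MIN_SAMPLES keeps a nearly idle
# link from alarming on a handful of packets; MAX_RATIO is how lopsided
# "SYNs out : SYN-ACKs back" may get before the link is flagged.
MIN_SAMPLES = 50
MAX_RATIO = 3.0


def make_sample():
    """Constructed packet observations: (customer, direction, tcp_flags).

    direction "out" = packet from the customer toward the ISP,
    direction "in"  = packet from the ISP toward the customer.
    Only SYN ("S") and SYN-ACK ("SA") packets matter to this check.
    """
    pkts = []
    # cust-a: ordinary client traffic, almost every SYN gets a SYN-ACK back
    pkts += [("cust-a", "out", "S")] * 60 + [("cust-a", "in", "SA")] * 58
    # cust-b: a SYN flood (or a broken scanner); SYN-ACKs barely come back
    pkts += [("cust-b", "out", "S")] * 500 + [("cust-b", "in", "SA")] * 4
    # cust-c: too little traffic to judge, even though its ratio looks bad
    pkts += [("cust-c", "out", "S")] * 10 + [("cust-c", "in", "SA")] * 2
    return pkts


def tally(packets):
    """Count outbound SYNs and inbound SYN-ACKs per customer."""
    counts = defaultdict(lambda: {"syn_out": 0, "synack_in": 0})
    for customer, direction, flags in packets:
        if direction == "out" and flags == "S":
            counts[customer]["syn_out"] += 1
        elif direction == "in" and flags == "SA":
            counts[customer]["synack_in"] += 1
    return counts


def asymmetry(syn_out, synack_in):
    """Ratio of customer-originated SYNs to SYN-ACKs that came back.

    A balanced link sits near 1.0. The max() guards the divide-by-zero
    case of a link that sent SYNs and received no SYN-ACKs at all.
    """
    return syn_out / max(synack_in, 1)


def evaluate(packets):
    """Return a verdict per customer: 'ok', 'alarm' or 'insufficient-data'."""
    verdicts = {}
    for customer, c in tally(packets).items():
        total = c["syn_out"] + c["synack_in"]
        ratio = asymmetry(c["syn_out"], c["synack_in"])
        if total < MIN_SAMPLES:
            # Not enough packets in the window to trust the ratio; this is
            # what keeps a quiet link from being shut off by noise.
            verdicts[customer] = "insufficient-data"
        elif ratio > MAX_RATIO:
            verdicts[customer] = "alarm"
        else:
            verdicts[customer] = "ok"
    return verdicts


if __name__ == "__main__":
    for customer, verdict in sorted(evaluate(make_sample()).items()):
        print(f"{customer}: {verdict}")
```

Note that this watches only connections the customer initiates, which is the direction vadim's filter is meant to police; a customer that mostly hosts servers sees SYNs inbound and SYN-ACKs outbound, so that link would need the mirror-image pair of counters rather than this one, or it would simply never accumulate enough outbound SYNs to be judged.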