North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: router syn/syn-ack/ack alarming...

  • From: Vadim Antonov
  • Date: Tue Sep 17 21:02:59 1996

Regis Donovan <[email protected]> wrote:

>um... maybe i'm missing the clue here, but if the router vendors add
>something that shuts down an interface if the SYN/SYN-ACK/ACK ratio
>becomes too bad make it *easier* for me if i'm doing a denial of service
>attack on a host?

No, you took the "anti-SYN" shut-off in opposite direction.

ISPs could install the asymmetry shut-off (why stop at SYNs / SYN-ACK pairs?)
enforcing rough balance of SYNs coming from customer and SYN-ACKs coming
back to customer.  If the traffic is legitimate, the balance will hold.
Any attempt to flood by that customer (intentional, or unintentional, by
a broken software) will cause massive disbalance.

The equivalent filter on victim's side won't see those SYNs and SYN-ACKs,
simply because thet are going in opposite direction.

>instead of denying service to a given host, all i have to do is drive
>the router into alarm mode so it shuts off the interface and then i get
>to deny service to an entire segment and everything downstream from that
>segment...

Yes, the defense may be multi-staged.  I.e. if a local ISP does
not enable anti-flooding defenses on its own customer links, it'll risk
backbone ISP shutting its entire operation.

BTW, telcos use the statistical traffic analysis (bit-density monitors
is the most trivial example) to isolate troubles for years.

--vadim
- - - - - - - - - - - - - - - - -