North American Network Operators Group
Re: New Denial of Service Attack on Panix
Is there that much asymmetry in the very leaves of the network? I live in the asymmetry at the middle of the network, but of the folks who are multihomed customers of NSPs, is it the case that asymmetry prevails in single streams of communication? Don't most multihomed customers of NSPs engineer a preferred transit?

If I'm multihomed to two providers I've already done something to balance my traffic and to make sure that I have fail-over. I accept x routes on connection 1 and y routes on connection 2. Outgoing, I might pad my AS on connection 2 and point default on connection 1. I might point a higher-metric default out connection 2, or perhaps I'm defaultless and tag routes as I hear them based on my own policy. There are a million ways to do it, but because of the way it's usually been done I wonder if there are that many cases of asymmetry at the edge.

I guess the one common thread of this discussion is that whatever must be done must be done on the edges of the Internet. And that's not a cop-out; we have as many edge cases as we have connections to ISPs.
Jeff Young
[email protected]

> Date: Wed, 18 Sep 1996 07:51:56 -0400
> To: Vadim Antonov <[email protected]>
> From: Paul Ferguson <[email protected]>
> Subject: Re: New Denial of Service Attack on Panix
> Cc: [email protected], [email protected]
>
> I'm wondering if this is not quite the panacea that it appears. More
> thought is certainly required here... asymmetry being a problem that
> leaps to mind.
>
> - paul
>
> At 01:02 PM 9/17/96 -0700, Vadim Antonov wrote:
>
> >This is the excellent idea! Actually, router vendors may simply
> >add a feature which shuts down the interface if SYN/SYN-ACK balance
> >is too bad -- thus disconnecting the hacker-to-be.
> >
> >Of course, that balance may be decaying with time, so repeated
> >unsuccessful attempts to connect won't trigger alarms.
> >
> >--vadim
> >
> >Forrest W. Christian <[email protected]> wrote:
> >
> >Maybe I'm missing something here, but wouldn't these Denial of Service
> >attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a
> >given router interface?
> >
> >If so, then couldn't we just sweet-talk cisco into providing 5 minute
> >counts of syns and syn-acks on an interface?
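The detection idea being argued over in the quoted messages, as an added example that is not code from any of the posters: a per-interface SYN versus SYN-ACK balance with a decaying count (the decay Vadim suggests), fed from constructed flow records. The interface names, the 300-second half-life, the 0.8 threshold and the minimum packet count are assumptions chosen for illustration. The constructed data includes the case Jeff raises: a multihomed site whose SYNs arrive on one link and whose SYN-ACKs leave on another looks exactly like a flood when each interface is judged alone, and only balances out when the site's interfaces are summed.

```python
# Added example (not from the NANOG thread): a per-interface SYN / SYN-ACK
# balance monitor with exponentially decaying counts, run over constructed
# flow records. Interface names and tuning values are assumptions.


class SynBalanceMonitor:
    """Tracks SYN vs SYN-ACK counts per interface with exponential decay.

    half_life: seconds for an old count to lose half its weight, so a burst
               of unanswered SYNs stops mattering once it is in the past.
    threshold: (syn - synack) / (syn + synack) above which an interface is
               reported; 0 is perfect balance, 1 is SYNs with no replies.
    min_count: decayed packet count below which no verdict is given, so a
               handful of stray SYNs cannot raise an alarm on a quiet link.
    """

    def __init__(self, half_life=300.0, threshold=0.8, min_count=20.0):
        self.half_life = half_life
        self.threshold = threshold
        self.min_count = min_count
        # iface -> (decayed SYN count, decayed SYN-ACK count, last update time)
        self._state = {}

    def _decayed(self, iface, now):
        syn, synack, last = self._state.get(iface, (0.0, 0.0, now))
        factor = 0.5 ** (max(now - last, 0.0) / self.half_life)
        return syn * factor, synack * factor

    def observe(self, ts, iface, flag):
        """Record one packet: a SYN arriving on iface or a SYN-ACK leaving it."""
        syn, synack = self._decayed(iface, ts)
        if flag == "SYN":
            syn += 1.0
        elif flag == "SYN-ACK":
            synack += 1.0
        else:
            raise ValueError(f"unexpected flag summary: {flag!r}")
        self._state[iface] = (syn, synack, ts)

    def _ratio(self, syn, synack):
        total = syn + synack
        if total < self.min_count:
            return 0.0
        return (syn - synack) / total

    def imbalance(self, iface, now):
        """Signed imbalance for one interface, or 0.0 if too few packets."""
        return self._ratio(*self._decayed(iface, now))

    def site_imbalance(self, ifaces, now):
        """Imbalance over several interfaces summed together, which is the
        view a multihomed site with asymmetric paths actually needs."""
        syn = synack = 0.0
        for iface in ifaces:
            s, a = self._decayed(iface, now)
            syn += s
            synack += a
        return self._ratio(syn, synack)

    def alarms(self, now):
        """Interfaces whose decayed imbalance exceeds the threshold."""
        return sorted(i for i in self._state if self.imbalance(i, now) > self.threshold)


def constructed_records():
    """Constructed traffic (ts, iface, flag), all at t=0 so the arithmetic is easy."""
    recs = []
    # Serial0: ordinary clients; nearly every SYN gets a SYN-ACK back.
    recs += [(0.0, "Serial0", "SYN")] * 50 + [(0.0, "Serial0", "SYN-ACK")] * 48
    # Serial1: a flood of SYNs whose sources never complete the handshake.
    recs += [(0.0, "Serial1", "SYN")] * 500 + [(0.0, "Serial1", "SYN-ACK")] * 10
    # Serial2/Serial3: one multihomed site whose inbound path is Serial2 and
    # outbound path is Serial3, so each link on its own looks one-sided.
    recs += [(0.0, "Serial2", "SYN")] * 500 + [(0.0, "Serial3", "SYN-ACK")] * 490
    return recs


def build_monitor():
    mon = SynBalanceMonitor()
    for ts, iface, flag in constructed_records():
        mon.observe(ts, iface, flag)
    return mon


if __name__ == "__main__":
    mon = build_monitor()
    print("alarms now:", mon.alarms(0.0))  # Serial1 (flood) and Serial2 (asymmetry)
    print("site view Serial2+Serial3:", round(mon.site_imbalance(["Serial2", "Serial3"], 0.0), 3))
    print("alarms after 25 min:", mon.alarms(1500.0))  # counts decayed below min_count
```

Run as written, the per-interface check flags both the flooded link and the inbound half of the asymmetric site, while the site-wide sum over Serial2 and Serial3 sits near zero; 25 minutes later (five half-lives) the old counts have decayed below the minimum and nothing is reported, which is the behaviour Vadim describes for repeated but isolated connection failures. The point for a router vendor or operator is that the counter is cheap, but the policy that acts on it has to know which interfaces belong to the same customer.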