North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: router syn/syn-ack/ack alarming...
> have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER > ATTACK which will make them sit up and take notice. I don't see how in reality to make the syn/syn-ack/ack ratio work soundly. It seems too easy for the cracker to synthesize bogus syn-ack's or ack's to manipulate the ratio however they please. The bookkeeping to tell a true syn-ack or ack-syn-ack from a bogus one entails keeping around connection state, and suddenly the cheap ratio gets expensive. Vern - - - - - - - - - - - - - - - - -
|