North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: router syn/syn-ack/ack alarming...

  • From: Larry J. Plato
  • Date: Wed Sep 18 19:41:41 1996

> 
> On Wed, 18 Sep 1996, Vern Paxson wrote:
> 
> > > have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER
> > > ATTACK which will make them sit up and take notice.
> > 
> > I don't see how in reality to make the syn/syn-ack/ack ratio work soundly.
> > It seems too easy for the cracker to synthesize bogus syn-ack's or ack's to
> > manipulate the ratio however they please.
> 
> Wouldn't the ratio be calculated from outgoing SYN's and incoming ACK's?
> I can see that a sophisticated attacker could have a machine on another
> network sending incoming ACK's to balance the outgoing SYN's but I suspect
> this would be an extremely small percentage of attacks.
> 
Until someone implements this as a feature, then 2600 will post the code 
to a program that sends SYNs followed by ACKs a minute later.  The damage
would be done by then, but the stats would show balanced flows.

Larry Plato
- - - - - - - - - - - - - - - - -