North American Network Operators Group

Re: router syn/syn-ack/ack alarming...
> > On Wed, 18 Sep 1996, Vern Paxson wrote:
> >
> > > have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER
> > > ATTACK which will make them sit up and take notice.
> >
> > I don't see how in reality to make the syn/syn-ack/ack ratio work soundly.
> > It seems too easy for the cracker to synthesize bogus syn-ack's or ack's to
> > manipulate the ratio however they please.
>
> Wouldn't the ratio be calculated from outgoing SYN's and incoming ACK's?
> I can see that a sophisticated attacker could have a machine on another
> network sending incoming ACK's to balance the outgoing SYN's but I suspect
> this would be an extremely small percentage of attacks.
>

Until someone implements this as a feature, then 2600 will post the code to a program that sends SYNs followed by ACKs a minute later. The damage would be done by then, but the stats would show balanced flows.

Larry Plato
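As an added illustration of the point in the message above (not code from the thread or from any router vendor): a counter that only totals SYNs and ACKs reads as balanced when the ACKs arrive a minute late, while pairing each SYN with an answer on the same flow inside a short window does not. The packet record format, the 5-second window and the sample traffic are assumptions constructed for this example.

```python
from collections import namedtuple

# Constructed packet summary as a border router might record it (assumed format).
Pkt = namedtuple("Pkt", "ts src sport dst dport flags")  # flags: "S", "SA" or "A"

HANDSHAKE_WINDOW = 5.0  # assumed limit, in seconds, between a SYN and its answer

def aggregate_ratio(pkts):
    """Counter-only alarm: total bare SYNs divided by total bare ACKs."""
    syns = sum(1 for p in pkts if p.flags == "S")
    acks = sum(1 for p in pkts if p.flags == "A")
    return syns / acks if acks else float("inf")

def flow_key(p):
    """Direction-independent key for the connection a packet belongs to."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def unanswered_syns(pkts, window=HANDSHAKE_WINDOW):
    """Return SYNs whose flow saw no ACK-bearing packet within `window` seconds."""
    pending, stale = {}, []
    for p in sorted(pkts, key=lambda p: p.ts):
        key = flow_key(p)
        if p.flags == "S":
            pending.setdefault(key, p)        # keep the first SYN; ignore retransmits
        elif "A" in p.flags and key in pending:
            syn = pending.pop(key)
            if p.ts - syn.ts > window:        # answer arrived too late to be a handshake
                stale.append(syn)
    return stale + list(pending.values())     # never-answered SYNs are stale too

def sample_traffic():
    """Constructed traffic: two normal handshakes, then four SYNs 'balanced' by ACKs 60 s later."""
    pkts = []
    for i in range(2):
        c, s = ("192.0.2.10", 40000 + i), ("198.51.100.5", 80)
        pkts += [Pkt(i, *c, *s, "S"), Pkt(i + 0.05, *s, *c, "SA"), Pkt(i + 0.06, *c, *s, "A")]
    for i in range(4):
        c, s = ("192.0.2.66", 50000 + i), ("203.0.113.9", 80)
        pkts += [Pkt(10 + i, *c, *s, "S"), Pkt(70 + i, *c, *s, "A")]
    return pkts

if __name__ == "__main__":
    traffic = sample_traffic()
    print("aggregate SYN:ACK ratio:", aggregate_ratio(traffic))
    for syn in unanswered_syns(traffic):
        print("no timely answer:", syn.src, syn.sport, "->", syn.dst, syn.dport)
```

The per-flow check only addresses the delayed-ACK case; it does not validate sequence numbers, so an ACK forged inside the window still counts as an answer.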