nanog mailing list archives

Re: router syn/syn-ack/ack alarming...


From: Vern Paxson <vern () ee lbl gov>
Date: Wed, 18 Sep 96 16:59:16 PDT

From: Michael Dillon <michael () memra com>
...
Wouldn't the ratio be calculated from outgoing SYN's and incoming ACK's?

There are two ratios that could be calculated and it's not clear to me
which one we're talking about here.

The first ratio is the number of SYN-ack packets sent in one direction vs.
the number of acks-of-SYN-ack packets coming in from the other.  These
should be about equal.  A skew indicates a likely flooding attack.  But
computing this ratio requires keeping around per connection state, since
the ack-of-SYN-ack packet otherwise looks like any other ack.

The second ratio is the number of SYN packets sent in one direction vs.
the number of SYN-acks in the other.  This ratio is much easier to
measure but also a much less reliable indicator of a SYN flooding attack.
In particular, SYN packets can elicit RST's or ICMP's instead of SYN-acks,
and they can also elicit no response whatsoever.

Furthermore, the cracker can, while flooding host A with SYN's, in
addition also flood host B *and follow up immediately with a RST packet*
that clears out B's state.  This second stream can be maintained
indefinitely, and will have the effect of bringing the count of SYN-ack's
quite close to the count of SYN's, since B is always able to generate
the SYN-ack.

                Vern
- - - - - - - - - - - - - - - - -
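The two ratios contrasted in the message above, computed over a constructed packet trace. This is an added example, not code from the post or from any NANOG participant. The hosts "A" and "B", the client and spoofed source names, the port and sequence numbers and the backlog size are all assumptions chosen for illustration; packets are plain tuples rather than a capture. The trace combines legitimate handshakes, a spoofed SYN flood against A that fills A's backlog so later SYNs get no SYN-ack, and the SYN-then-RST cover stream against B that keeps B answering. The stateful ratio (SYN-acks vs. acks-of-SYN-ack) stays skewed in every attack scenario, while the stateless ratio (SYNs vs. SYN-acks) is pulled back toward 1 by the cover stream; a naive count of inbound ACKs is also shown to illustrate why the completing ACK cannot be recognised without per-connection state.

```python
"""Two SYN-flood indicators over a constructed packet trace (added example)."""
from collections import namedtuple

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP flag bits (RFC 793)
Packet = namedtuple("Packet", "src sport dst dport flags seq ack")
PROTECTED = {"A", "B"}                    # hypothetical inside hosts; all else is outside


def is_syn(p):      return p.flags & (SYN | ACK) == SYN
def is_synack(p):   return p.flags & (SYN | ACK) == SYN | ACK
def is_pure_ack(p): return p.flags & (SYN | ACK | RST) == ACK


def syn_to_synack_ratio(packets):
    """Second ratio in the post: inbound SYNs vs. outbound SYN-acks. Stateless."""
    syns = sum(1 for p in packets if is_syn(p) and p.dst in PROTECTED)
    synacks = sum(1 for p in packets if is_synack(p) and p.src in PROTECTED)
    return syns, synacks


def synack_to_ack_ratio(packets):
    """First ratio in the post: outbound SYN-acks vs. inbound acks-of-SYN-ack.
    A table keyed by 4-tuple tells the completing ACK apart from any other ACK."""
    pending = {}                      # (client, cport, server, sport) -> expected ack number
    synacks = completed = 0
    for p in packets:
        if is_synack(p) and p.src in PROTECTED:
            synacks += 1
            pending[(p.dst, p.dport, p.src, p.sport)] = p.seq + 1
        elif p.flags & RST and p.dst in PROTECTED:
            pending.pop((p.src, p.sport, p.dst, p.dport), None)   # server state cleared
        elif is_pure_ack(p) and p.dst in PROTECTED:
            key = (p.src, p.sport, p.dst, p.dport)
            if pending.get(key) == p.ack:
                completed += 1
                del pending[key]      # later ACKs on this connection are ordinary data ACKs
    return synacks, completed


def naive_ack_count(packets):
    """Without per-connection state every inbound pure ACK looks the same."""
    return sum(1 for p in packets if is_pure_ack(p) and p.dst in PROTECTED)


# --- constructed traces -------------------------------------------------------
def legit_handshakes(server, n):
    """n clients complete the handshake, then each sends one data ACK."""
    out = []
    for i in range(n):
        c, cp = f"client{i}", 40000 + i
        out += [Packet(c, cp, server, 80, SYN, 1000, 0),
                Packet(server, 80, c, cp, SYN | ACK, 5000, 1001),
                Packet(c, cp, server, 80, ACK, 1001, 5001),
                Packet(c, cp, server, 80, ACK, 1001, 5001)]   # data segment, same ack number
    return out


def syn_flood(server, n, backlog):
    """n spoofed SYNs; the server answers only until its backlog fills."""
    out = []
    for i in range(n):
        s, sp = f"spoof{i}", 50000 + i
        out.append(Packet(s, sp, server, 80, SYN, 1, 0))
        if i < backlog:                # spoofed sources never ACK the SYN-ack
            out.append(Packet(server, 80, s, sp, SYN | ACK, 7000, 2))
    return out


def syn_rst_cover(server, n):
    """The post's second stream: SYN followed at once by an RST, so the server
    always has room to answer with a SYN-ack that nothing ever completes.
    The counts are the same whether the RST is seen before or after the SYN-ack."""
    out = []
    for i in range(n):
        s, sp = f"cover{i}", 60000 + i
        out += [Packet(s, sp, server, 80, SYN, 1, 0),
                Packet(server, 80, s, sp, SYN | ACK, 9000, 2),
                Packet(s, sp, server, 80, RST, 2, 0)]
    return out


def scenarios():
    legit = legit_handshakes("A", 10)
    flood = syn_flood("A", 100, backlog=8)
    cover = syn_rst_cover("B", 500)
    return {"normal": legit, "flood": legit + flood, "flood+cover": legit + flood + cover}


if __name__ == "__main__":
    for label, trace in scenarios().items():
        syns, sa = syn_to_synack_ratio(trace)
        sa2, done = synack_to_ack_ratio(trace)
        print(f"{label:12s} SYN:SYN-ack = {syns}:{sa}   "
              f"SYN-ack:ack-of-SYN-ack = {sa2}:{done}   inbound ACKs = {naive_ack_count(trace)}")
```

In the "flood" scenario the stateless ratio is 110:18 and the stateful one 18:10, both clearly skewed; with the cover stream added the stateless ratio moves to 610:518 while the stateful one stays at 518:10, which is the weakness the post describes. The naive ACK count is 20 in every scenario because each legitimate connection's data ACK is indistinguishable from its handshake ACK without the table.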