nanog mailing list archives
Re: router syn/syn-ack/ack alarming...
From: Vern Paxson <vern () ee lbl gov>
Date: Wed, 18 Sep 96 16:59:16 PDT
> From: Michael Dillon <michael () memra com>
> ... Wouldn't the ratio be calculated from outgoing SYN's and incoming ACK's?

There are two ratios that could be calculated and it's not clear to me which one we're talking about here.

The first ratio is the number of SYN-ack packets sent in one direction vs. the number of acks-of-SYN-ack packets coming in from the other. These should be about equal. A skew indicates a likely flooding attack. But computing this ratio requires keeping around per connection state, since the ack-of-SYN-ack packet otherwise looks like any other ack.

The second ratio is the number of SYN packets sent in one direction vs. the number of SYN-acks in the other. This ratio is much easier to measure but also a much less reliable indicator of a SYN flooding attack. In particular, SYN packets can elicit RST's or ICMP's instead of SYN-acks, and they can also elicit no response whatsoever. Furthermore, the cracker can, while flooding host A with SYN's, in addition also flood host B *and follow up immediately with a RST packet* that clears out B's state. This second stream can be maintained indefinitely, and will have the effect of bringing the count of SYN-ack's quite close to the count of SYN's, since B is always able to generate the SYN-ack.

Vern
- - - - - - - - - - - - - - - - -
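As an added illustration (not part of Vern's post or of any router code), the Python below computes both ratios over a constructed packet trace: legitimate connections to host A, a SYN flood at A, and optionally the SYN/SYN-ACK/RST stream at host B described above. It assumes simplified packet records (source, destination, flags; no ports or sequence numbers) and that A and B sit behind the monitoring router; a third function shows why ratio 1 cannot be computed without per-connection state.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst flags")  # one packet of the constructed trace
INSIDE = {"A", "B"}                       # hosts behind the monitoring router

def handshake(client, server, third):
    """SYN, SYN-ACK, then the client's third packet (ACK, or RST to abort)."""
    return [Pkt(client, server, "SYN"), Pkt(server, client, "SYN-ACK"),
            Pkt(client, server, third)]

def build_trace(rst_stream_at_b):
    """Constructed trace: real traffic to A, a SYN flood at A, optionally the RST stream at B."""
    trace = []
    for i in range(5):                                # 5 real connections to A,
        trace += handshake(f"c{i}", "A", "ACK")       # each then sends 3 data
        trace += [Pkt(f"c{i}", "A", "ACK")] * 3       # ACKs
    for i in range(20):                               # flood: 20 spoofed SYNs;
        trace.append(Pkt(f"s{i}", "A", "SYN"))        # A answers 10 before its
        if i < 10:                                    # backlog fills, and none
            trace.append(Pkt("A", f"s{i}", "SYN-ACK"))  # of them is ever ACKed
    for i in range(100 if rst_stream_at_b else 0):    # B always answers; the
        trace += handshake(f"s{i}", "B", "RST")       # RST clears its state
    return trace

def syn_synack_ratio(trace):
    """Ratio 2: SYN-ACKs out per SYN in; needs no state."""
    syn = sum(p.dst in INSIDE and p.flags == "SYN" for p in trace)
    synack = sum(p.src in INSIDE and p.flags == "SYN-ACK" for p in trace)
    return synack / syn

def naive_ack_ratio(trace):
    """Ratio 1 attempted without state: every inbound ACK gets counted."""
    synack = sum(p.src in INSIDE and p.flags == "SYN-ACK" for p in trace)
    ack = sum(p.dst in INSIDE and p.flags == "ACK" for p in trace)
    return ack / synack

def synack_ack_ratio(trace):
    """Ratio 1 with per-connection state: count only the ACK completing a
    handshake whose SYN-ACK we saw; any other ACK looks the same on the wire."""
    pending, synack, ack = set(), 0, 0          # pending: (client, server)
    for p in trace:
        key = (p.dst, p.src) if p.src in INSIDE else (p.src, p.dst)
        if p.src in INSIDE and p.flags == "SYN-ACK":
            pending.add(key); synack += 1
        elif p.dst in INSIDE and key in pending:
            pending.discard(key)                # ACK or RST ends the handshake,
            ack += p.flags == "ACK"             # but only ACK completes it
    return ack / synack
```

On this trace the SYN/SYN-ACK ratio moves from 0.60 to 0.92 once the RST stream at B is added, while the stateful SYN-ACK/ack-of-SYN-ACK ratio stays skewed (0.33 and 0.04); the stateless ACK count reads 1.33 for the flooded host because data ACKs are indistinguishable from handshake ACKs.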