[4462] in North American Network Operators' Group
Re: New Denial of Service Attack on Panix
daemon@ATHENA.MIT.EDU (Forrest W. Christian)
Tue Sep 17 05:35:15 1996
Date: Tue, 17 Sep 1996 03:28:23 -0600 (MDT)
From: "Forrest W. Christian" <forrestc@iMach.com>
To: nanog@merit.edu
cc: iepg@iepg.org
In-Reply-To: <Pine.BSI.3.94.960916233240.27152D-100000@isi.net>
Maybe I'm missing something here, but wouldn't these Denial of Service
attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a
given router interface?
If so, then couldn't we just sweet-talk Cisco into providing 5-minute
counts of SYNs and SYN-ACKs on an interface? You know, something like:
5 minute SYNS: 123423 5 minute SYN-ACKS: 50000
Then, if the ratio got too high, it could start yelping about "Potential SYN
D-O-S Attack in progress on Interface Serial 1".
In this manner "good" ISPs wouldn't unknowingly carry these attacks. I
envision this being done on the somewhat bigger ISPs where putting
inbound filters on their customer interfaces would not be a good idea
(Sprint, MCI, Net 99, etc.). If the feature were enabled by default, some
smaller ISPs would probably notice it--if they are watching their Cisco
logs at all.
Personally, I know that these attacks aren't going to originate at our
site, as I have the filters on. However, I am quite concerned about
getting hit with one...
-forrestc@imach.com
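The per-interface SYN vs. SYN-ACK ratio check proposed in the message above, as an added example that is not part of the original thread and not a Cisco feature: it tallies constructed sample records (format "epoch interface tcp-flags", an assumption) into 5-minute windows and raises the alert when the ratio crosses a hypothetical threshold. The zero-SYN-ACK case and the minimum-SYN floor are my additions to keep quiet interfaces from alerting.

```python
from collections import defaultdict

WINDOW = 300            # seconds: the 5-minute interval from the post
RATIO_THRESHOLD = 3.0   # hypothetical; tune per link and traffic mix
MIN_SYNS = 100          # ignore nearly idle interfaces in a window


def parse_line(line):
    """Constructed record format: '<epoch> <iface> <flags>' (e.g. 'S', 'SA', 'PA')."""
    ts, iface, flags = line.split()
    return int(ts), iface, flags


def count_windows(lines):
    """Return {(iface, window_start): [syn_count, synack_count]}."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        ts, iface, flags = parse_line(line)
        key = (iface, ts - ts % WINDOW)          # floor to the 5-minute window
        if flags == "SA":                         # SYN-ACK from the responder
            counts[key][1] += 1
        elif "S" in flags and "A" not in flags:   # bare SYN from the initiator
            counts[key][0] += 1
    return counts


def suspicious(counts):
    """Alert lines for windows where SYNs outnumber SYN-ACKs by too much."""
    alerts = []
    for (iface, start), (syn, synack) in sorted(counts.items()):
        if syn < MIN_SYNS:
            continue
        ratio = syn / synack if synack else float("inf")  # no replies at all
        if ratio > RATIO_THRESHOLD:
            alerts.append(f"Potential SYN D-O-S Attack in progress on Interface "
                          f"{iface} (window {start}: {syn} SYNs, {synack} SYN-ACKs)")
    return alerts


# Constructed sample: Serial1 sees 400 SYNs but only 50 SYN-ACKs in one window,
# Serial2 shows a normal handshake mix. Timestamps all fall in window 0.
SAMPLE = ([f"{i % 250} Serial1 S" for i in range(400)]
          + [f"{i % 250} Serial1 SA" for i in range(50)]
          + [f"{i % 250} Serial1 PA" for i in range(80)]
          + [f"{i % 250} Serial2 S" for i in range(120)]
          + [f"{i % 250} Serial2 SA" for i in range(110)])

if __name__ == "__main__":
    for alert in suspicious(count_windows(SAMPLE)):
        print(alert)
```

One caveat the counter alone cannot resolve: with asymmetric routing the SYN-ACKs may leave on a different interface than the SYNs arrived on, so the ratio should be read per window and compared against that interface's baseline rather than treated as proof by itself.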