[4463] in North American Network Operators' Group
Re: New Denial of Service Attack on Panix
daemon@ATHENA.MIT.EDU (Avi Freedman)
Tue Sep 17 06:08:48 1996
From: Avi Freedman <freedman@netaxs.com>
To: forrestc@iMach.com (Forrest W. Christian)
Date: Tue, 17 Sep 1996 06:06:48 -0400 (EDT)
Cc: nanog@merit.edu, iepg@iepg.org
In-Reply-To: <Pine.LNX.3.91.960917030857.17180B-100000@IMgate.iMach.com> from "Forrest W. Christian" at Sep 17, 96 03:28:23 am
> Maybe I'm missing something here, but wouldn't these Denial of Service
> attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a
> given router interface?
>
> If so, then couldn't we just sweet-talk cisco into providing 5 minute
> counts of syns and syn-acks on an interface? You know something like:
>
> 5 minute SYNS: 123423 5 minute SYN-ACKS: 50000
>
> Then, if the ratio got too high, it can start yelping about "Potential SYN
> D-O-S Attack in progress on Interface Serial 1"
Interesting. Asymmetry might mean that it'd go undetected, except
towards the site being affected (except towards the site being attacked,
if they're singly-homed).
What you'd *really* like is a count of SYNS by source MAC address at
(i.e. at an exchange point), but what you suggest is interesting.
> In this manner "good" isp's wouldn't unknowingly carry these attacks. I
> envision this being done on the somewhat bigger isp's where putting
> inbound filters on their customer interfaces would be not a good idea
> (Sprint, MCI, Net 99, etc.). If the feature was enabled by default, some
> smaller ISPs would probably notice it--if they are watching their cisco
> logs at all.
>
> Personally, I know that these attacks aren't going to originate at our
> site, as I have the filters on. However, I am quite concerned about
> getting hit with one...
>
> -forrestc@imach.com
Avi
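An added illustration (not code from the thread) of the per-interface SYN vs. SYN-ACK ratio check Forrest proposes: it buckets constructed flag observations into 5-minute windows and flags windows whose ratio is out of line. The 3:1 ratio threshold, the minimum-SYN floor and the record layout are assumptions.

```python
from collections import defaultdict

WINDOW = 300           # the 5-minute interval discussed in the thread
RATIO_THRESHOLD = 3.0  # assumed: SYNs per SYN-ACK above which a window is flagged
MIN_SYNS = 100         # assumed: ignore quiet windows where a ratio is meaningless


def bucket(ts):
    """Map a timestamp (seconds) to the start of its 5-minute window."""
    return ts - (ts % WINDOW)


def count_flags(records):
    """records: iterable of (timestamp, interface, flags), flags "S" or "SA".
    Returns {(window_start, interface): [syn_count, synack_count]}."""
    counts = defaultdict(lambda: [0, 0])
    for ts, iface, flags in records:
        key = (bucket(ts), iface)
        if flags == "S":
            counts[key][0] += 1
        elif flags == "SA":
            counts[key][1] += 1
    return counts


def find_suspicious(counts, ratio=RATIO_THRESHOLD, min_syns=MIN_SYNS):
    """Return (window_start, interface, syns, synacks) for windows whose
    SYN:SYN-ACK ratio exceeds the threshold. Note Avi's caveat: with
    asymmetric routing the SYN-ACKs may leave via another interface."""
    alerts = []
    for (start, iface), (syns, synacks) in sorted(counts.items()):
        if syns < min_syns:
            continue
        observed = syns / synacks if synacks else float("inf")  # no SYN-ACKs at all
        if observed > ratio:
            alerts.append((start, iface, syns, synacks))
    return alerts


def constructed_sample():
    """Constructed observations: one healthy window, one flooded window, one quiet one."""
    recs = [(i, "Serial1", "S") for i in range(200)]            # 0-299: 200 SYNs
    recs += [(i, "Serial1", "SA") for i in range(180)]          # 0-299: 180 SYN-ACKs
    recs += [(300 + i % 300, "Serial1", "S") for i in range(5000)]  # 300-599: flood
    recs += [(300 + i % 300, "Serial1", "SA") for i in range(50)]   # few SYN-ACKs
    recs += [(300 + i, "Ethernet0", "S") for i in range(40)]    # below MIN_SYNS
    return recs


if __name__ == "__main__":
    for start, iface, syns, synacks in find_suspicious(count_flags(constructed_sample())):
        print(f"5 minute SYNS: {syns} 5 minute SYN-ACKS: {synacks} -- "
              f"Potential SYN D-O-S attack in progress on Interface {iface} (window {start})")
```

Because a singly-homed target may be the only place where both directions are visible, the same counts summed across all of a router's interfaces are a useful second view alongside the per-interface one.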