[4501] in North American Network Operators' Group
Re: New Denial of Service Attack on Panix:
daemon@ATHENA.MIT.EDU (Avi Freedman)
Tue Sep 17 16:39:48 1996
From: Avi Freedman <freedman@netaxs.com>
To: avg@quake.net (Vadim Antonov)
Date: Tue, 17 Sep 1996 16:31:11 -0400 (EDT)
Cc: forrestc@iMach.com, nanog@merit.edu, iepg@iepg.org
In-Reply-To: <199609172002.NAA01245@quest.quake.net> from "Vadim Antonov" at Sep 17, 96 01:02:04 pm
> This is an excellent idea! Actually, router vendors may simply
> add a feature which shuts down the interface if SYN/SYN-ACK balance
> is too bad -- thus disconnecting the hacker-to-be.
>
> Of course, that balance may be decaying with time, so repeated
> unsuccessful attempts to connect won't trigger alarms.
>
> --vadim
Ah, that's fun if it's an XP interface we're talking about :)
Presumably you wouldn't enable that option on one, though...
Avi
> Forrest W. Christian <forrestc@iMach.com> wrote:
>
> Maybe I'm missing something here, but wouldn't these Denial of Service
> attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a
> given router interface?
>
> If so, then couldn't we just sweet-talk cisco into providing 5-minute
> counts of syns and syn-acks on an interface?
>
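The decaying SYN/SYN-ACK balance that Forrest and Vadim sketch above, worked through as an added illustration that is not part of this thread: SYNs seen in one direction are counted against SYN-ACKs seen in the reverse direction, both counters decay with time, and an alarm fires only when a large sample is badly out of balance. The half-life, sample floor, ratio and both traffic traces are assumed/constructed values, not measurements.

```python
"""Decaying SYN / SYN-ACK balance per router interface (constructed example)."""
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits

@dataclass
class SynBalance:
    """Decaying SYN vs. reverse-direction SYN-ACK counters for one interface."""
    half_life: float = 60.0  # assumed: seconds for the counters to halve
    min_syns: float = 100.0  # assumed: never alarm on a tiny sample
    ratio: float = 10.0      # assumed: alarm when syns > ratio * synacks
    syns: float = 0.0
    synacks: float = 0.0
    last_t: float = 0.0

    def _decay(self, now: float) -> None:
        dt = now - self.last_t
        if dt > 0:
            factor = 0.5 ** (dt / self.half_life)
            self.syns *= factor
            self.synacks *= factor
            self.last_t = now

    def observe(self, t: float, flags: int) -> None:
        """Feed the flag byte of one TCP segment seen on the interface at time t."""
        self._decay(t)
        if flags & SYN and flags & ACK:
            self.synacks += 1
        elif flags & SYN:
            self.syns += 1

    def alarm(self, now: float) -> bool:
        self._decay(now)
        return self.syns >= self.min_syns and self.syns > self.ratio * self.synacks

def first_alarm(trace, **kw):
    """Time of the first alarm over a time-sorted (time, flags) trace, or None."""
    bal = SynBalance(**kw)
    for t, flags in trace:
        bal.observe(t, flags)
        if bal.alarm(t):
            return t
    return None

# Constructed traces. Legit: a client retrying an unreachable server, ten
# unanswered SYNs a minute for 30 minutes; decay keeps the count far below min_syns.
LEGIT_RETRIES = [(60 * m + 6 * i, SYN) for m in range(30) for i in range(10)]
# Flood: 500 SYNs in two seconds while only two real handshakes complete.
SYN_FLOOD = sorted([(i / 250, SYN) for i in range(500)]
                   + [(0.5, SYN), (0.6, SYN | ACK), (1.5, SYN), (1.6, SYN | ACK)])
```

Because the counters decay, the slow retry trace never reaches the sample floor, while the burst trips the alarm well inside its first second.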