[4504] in North American Network Operators' Group
Re: router syn/syn-ack/ack alarming...
daemon@ATHENA.MIT.EDU (Alex.Bligh)
Tue Sep 17 16:58:17 1996
To: Regis Donovan <regisdo@microsoft.com>
cc: "'nanog@merit.edu'" <nanog@merit.edu>
In-reply-to: Your message of "Tue, 17 Sep 1996 13:23:35 PDT."
Date: Tue, 17 Sep 1996 21:48:32 +0100
From: "Alex.Bligh" <amb@xara.net>
> Um... maybe I'm missing the clue here, but if the router vendors add
> something that shuts down an interface if the SYN/SYN-ACK/ACK ratio
> becomes too bad, wouldn't that make it *easier* for me if I'm doing a
> denial of service attack on a host?
On "core" (whatever that means) you only need an extra couple of hundred
SYNs/sec to be passing through in an attack, out of many, many thousands of
SYNs per sec. On customer-facing routers, it is much easier just to block
packets with source addresses not on customer LANs. I.e., where your
solution would help, one can already fix the problem w/o a s/w change.
Alex Bligh
Xara Networks
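The two points above (a handshake-ratio alarm is swamped by legitimate SYN volume on a core link but fires at a low-volume customer edge, and the edge is where source-address filtering already solves the problem) as an added illustration that is not part of the thread; the counter values, the 0.8 alarm threshold and the prefixes are constructed for the example.

```python
from dataclasses import dataclass
import ipaddress


@dataclass
class TcpCounts:
    syn: int      # SYNs seen per second on the interface
    synack: int   # SYN-ACKs seen per second
    ack: int      # handshake-completing ACKs per second


def handshake_ratio(c: TcpCounts) -> float:
    """Fraction of SYNs that were answered and completed.
    A spoofed-source flood adds SYNs that never complete, so the ratio falls."""
    if c.syn == 0:
        return 1.0
    return min(c.synack, c.ack) / c.syn


def ratio_alarm(observed: TcpCounts, threshold: float = 0.8) -> bool:
    """Hypothetical vendor rule: alarm when completion ratio drops below threshold."""
    return handshake_ratio(observed) < threshold


def add_flood(c: TcpCounts, extra_syn: int) -> TcpCounts:
    """Model the effect of extra uncompleted SYNs on the counters (constructed)."""
    return TcpCounts(c.syn + extra_syn, c.synack, c.ack)


# Constructed: a core link carries tens of thousands of legitimate SYN/s,
# a customer-facing interface only a couple of hundred.
CORE = TcpCounts(syn=50_000, synack=49_000, ack=48_500)
EDGE = TcpCounts(syn=200, synack=195, ack=190)


def ingress_filter(src: str, customer_prefixes) -> bool:
    """Edge mitigation from the message: accept a packet only if its source
    address lies within one of the customer's own prefixes."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in customer_prefixes)


if __name__ == "__main__":
    for name, base in (("core", CORE), ("edge", EDGE)):
        flooded = add_flood(base, 300)
        print(name, round(handshake_ratio(flooded), 3), ratio_alarm(flooded))
```

The same 300 SYN/s flood leaves the core ratio near 0.96 (no alarm) but drops the edge ratio to 0.38, while `ingress_filter` stops spoofed sources at the edge regardless of volume.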