[4525] in North American Network Operators' Group


Re: router syn/syn-ack/ack alarming...

daemon@ATHENA.MIT.EDU (Vadim Antonov)
Tue Sep 17 21:03:47 1996

Date: Tue, 17 Sep 1996 17:58:25 -0700
From: Vadim Antonov <avg@quake.net>
To: nanog@merit.edu, regisdo@microsoft.com

Regis Donovan <regisdo@microsoft.com> wrote:

>um... maybe i'm missing the clue here, but if the router vendors add
>something that shuts down an interface if the SYN/SYN-ACK/ACK ratio
>becomes too bad make it *easier* for me if i'm doing a denial of service
>attack on a host?

No, you took the "anti-SYN" shut-off in the opposite direction.

ISPs could install the asymmetry shut-off (why stop at SYN / SYN-ACK pairs?)
enforcing a rough balance of SYNs coming from the customer and SYN-ACKs coming
back to the customer.  If the traffic is legitimate, the balance will hold.
Any attempt to flood by that customer (intentional, or unintentional, by
broken software) will cause a massive imbalance.

The equivalent filter on the victim's side won't see those SYNs and SYN-ACKs,
simply because they are going in the opposite direction.

>instead of denying service to a given host, all i have to do is drive
>the router into alarm mode so it shuts off the interface and then i get
>to deny service to an entire segment and everything downstream from that
>segment...

Yes, the defense may be multi-staged.  I.e. if a local ISP does
not enable anti-flooding defenses on its own customer links, it'll risk
the backbone ISP shutting down its entire operation.

BTW, telcos have used statistical traffic analysis (bit-density monitors
are the most trivial example) to isolate troubles for years.

--vadim
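The balance check Vadim sketches, written out as an added example (not code from the thread or from any router vendor). It counts, per customer link, SYNs leaving the customer port against SYN-ACKs coming back down it, and alarms when the ratio drifts far from 1. Direction is taken from the interface the segment crossed rather than from its addresses, so spoofed sources do not matter. The thresholds (`max_ratio=3.0`, `min_syns=20`) and the three traffic samples are constructed for illustration; the third sample shows the same flood as seen from the victim's link, where this filter sees nothing, which is the point made above.

```python
from dataclasses import dataclass
from typing import Iterable

FROM_CUSTOMER = "from_customer"  # segment arrived on the customer-facing port
TO_CUSTOMER = "to_customer"      # segment is being sent down the customer-facing port


@dataclass(frozen=True)
class Segment:
    """Only the fields the balance check needs; direction comes from the
    interface the segment crossed, not from its (possibly spoofed) addresses."""
    direction: str
    syn: bool
    ack: bool


def tally(segments: Iterable[Segment]) -> dict:
    """Count outbound SYNs and inbound SYN-ACKs on one customer link."""
    counts = {"syn_out": 0, "synack_in": 0}
    for s in segments:
        if s.syn and not s.ack and s.direction == FROM_CUSTOMER:
            counts["syn_out"] += 1        # customer opening a connection
        elif s.syn and s.ack and s.direction == TO_CUSTOMER:
            counts["synack_in"] += 1      # remote side answering
        # pure ACKs and data segments are ignored
    return counts


def asymmetry(counts: dict) -> float:
    """SYNs per SYN-ACK; a legitimate link stays close to 1.0."""
    return counts["syn_out"] / max(counts["synack_in"], 1)


def should_shut_off(counts: dict, max_ratio: float = 3.0, min_syns: int = 20) -> bool:
    """Alarm only once enough SYNs were seen (an idle link or a tiny sample
    must not trip the filter) and the imbalance exceeds the threshold.
    Both thresholds are assumed values, not from the thread."""
    if counts["syn_out"] < min_syns:
        return False
    return asymmetry(counts) > max_ratio


def make_link_sample(n_syn: int, n_synack: int, syn_dir: str = FROM_CUSTOMER) -> list:
    """Constructed sample: n_syn SYNs in syn_dir, n_synack SYN-ACKs the other
    way, plus some ordinary ACK traffic the filter must ignore."""
    reply_dir = TO_CUSTOMER if syn_dir == FROM_CUSTOMER else FROM_CUSTOMER
    segs = [Segment(syn_dir, syn=True, ack=False) for _ in range(n_syn)]
    segs += [Segment(reply_dir, syn=True, ack=True) for _ in range(n_synack)]
    segs += [Segment(syn_dir, syn=False, ack=True) for _ in range(n_synack)]
    return segs


# Constructed traffic as seen on three different links:
LEGIT_CUSTOMER = make_link_sample(30, 28)                    # handshakes mostly complete
FLOODING_CUSTOMER = make_link_sample(200, 3)                 # SYNs with almost no answers
VICTIM_LINK = make_link_sample(200, 3, syn_dir=TO_CUSTOMER)  # same flood, seen at the other end

if __name__ == "__main__":
    for name, sample in [("legit", LEGIT_CUSTOMER),
                         ("flooder", FLOODING_CUSTOMER),
                         ("victim", VICTIM_LINK)]:
        c = tally(sample)
        print(f"{name:8s} {c} ratio={asymmetry(c):.2f} shut_off={should_shut_off(c)}")
```

On the victim's link the flood arrives as SYNs toward the customer and SYN-ACKs away from it, so `tally` counts nothing there; only the link the flood originates on shows the imbalance, which is why the check belongs at the source ISP's customer port.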
