[4551] in North American Network Operators' Group


Re: New Denial of Service Attack on Panix

daemon@ATHENA.MIT.EDU (Paul Ferguson)
Wed Sep 18 08:07:14 1996

Date: Wed, 18 Sep 1996 07:51:56 -0400
To: Vadim Antonov <avg@quake.net>
From: Paul Ferguson <pferguso@cisco.com>
Cc: nanog@merit.edu, iepg@iepg.org

I'm wondering if this is not quite the panacea that it appears. More
thought is certainly required here... asymmetry being a problem that
leaps to mind.

- paul

At 01:02 PM 9/17/96 -0700, Vadim Antonov wrote:

>This is an excellent idea!  Actually, router vendors may simply
>add a feature which shuts down the interface if SYN/SYN-ACK balance
>is too bad -- thus disconnecting the hacker-to-be.
>
>Of course, that balance may be decaying with time, so repeated
>unsuccessful attempts to connect won't trigger alarms.
>
>--vadim
>
>Forrest W. Christian <forrestc@iMach.com> wrote:
>
>Maybe I'm missing something here, but wouldn't these Denial of Service 
>attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a 
>given router interface?
>
>If so, then couldn't we just sweet-talk cisco into providing 5 minute 
>counts of syns and syn-acks on an interface?


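A small model of the SYN/SYN-ACK balance check discussed in this thread, added here as an illustration and not code from the thread or from any vendor: per-interface counters that decay with time, as Vadim suggests, run over constructed traffic that includes a healthy link, an unanswered SYN flood, and the routing-asymmetry case Paul raises. The 5-minute half-life, the ratio threshold, the minimum SYN count, the interface names and the idea of grouping two interfaces into one counter are all assumptions.

```python
import math
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits


class SynBalanceMonitor:
    """Decayed per-key SYN vs SYN-ACK counters; all thresholds are assumed values."""

    def __init__(self, half_life=300.0, ratio=5.0, min_syns=20):
        self.lam = math.log(2) / half_life  # 5-minute half-life
        self.ratio, self.min_syns = ratio, min_syns
        self.state = defaultdict(lambda: [0.0, 0.0, 0.0])  # syn, synack, last_t

    def counts(self, key, now):  # counters as of `now`, older traffic decayed
        syn, synack, last = self.state[key]
        f = math.exp(-self.lam * (now - last))
        return syn * f, synack * f

    def observe(self, t, key, flags):  # packets must arrive in time order
        syn, synack = self.counts(key, t)
        if flags & SYN and flags & ACK:
            synack += 1
        elif flags & SYN:
            syn += 1
        self.state[key] = [syn, synack, t]

    def alarms(self, now):  # keys whose SYNs exceed `ratio` x their SYN-ACKs
        out = {}
        for key in list(self.state):
            syn, synack = self.counts(key, now)
            if syn >= self.min_syns and syn > self.ratio * (synack + 1):
                out[key] = round(syn / (synack + 1), 1)
        return out


def constructed_traffic():
    """Constructed (t, iface, flags) records, not a real capture."""
    pkts = []
    for i in range(50):  # e0: healthy, every SYN gets a SYN-ACK
        pkts += [(i, "e0", SYN), (i + 0.01, "e0", SYN | ACK)]
    pkts += [(i / 20, "e1", SYN) for i in range(600)]  # e1: 20 SYN/s, unanswered
    for i in range(50):  # e2/e3: asymmetric path, SYN-ACKs come back via e3
        pkts += [(i, "e2", SYN), (i + 0.01, "e3", SYN | ACK)]
    return sorted(pkts)


def demo(grouped=False, now=60.0):
    # per interface: flags e1 (flood) and e2 (asymmetry false positive);
    # grouped: e2 and e3 share one counter, so only e1 is flagged
    key = lambda i: "peer" if grouped and i in ("e2", "e3") else i
    mon = SynBalanceMonitor()
    for t, iface, flags in constructed_traffic():
        mon.observe(t, key(iface), flags)
    return mon.alarms(now)
```

The grouped run only covers asymmetry within one router; when the SYN-ACKs return through a different router altogether, no local counter ever sees them, which is the case Paul's objection points at.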