[4570] in North American Network Operators' Group
Re: router syn/syn-ack/ack alarming...
daemon@ATHENA.MIT.EDU (Justin W. Newton)
Wed Sep 18 13:24:25 1996
Date: Wed, 18 Sep 1996 13:34:26 -0400
To: Michael Dillon <michael@memra.com>, "'nanog@merit.edu'" <nanog@merit.edu>
From: "Justin W. Newton" <justin@erols.com>
At 09:50 AM 9/18/96 -0700, Michael Dillon wrote:
>On Wed, 18 Sep 1996, Guy T Almes wrote:
>> the source host. Syn/synack/ack ratio detection is complementary, since it
>> could help detect an attack near the destination host.
>It could also help detect an attack near the source host which would help
>*GREATLY* in tracing the perpetrator of the attacks. This ratio detection
>doesn't need to shut down anything, just syslog the fact so that admins
>have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER
>ATTACK which will make them sit up and take notice.
Unfortunately the number of people who actually monitor their routers that
closely is probably limited to the members of this list. We're much more
likely to get people to filter their networks than to actively monitor
anything. I am speaking from the background of having worked at a small
ISP where if I wasn't there no one monitored anything, basically, until it
started smoking.
Justin Newton
Internet Architect
Erol's Internet Services
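A toy implementation of the SYN/SYN-ACK/ACK ratio logging discussed in this thread, added here as an example rather than code from any of the posters. It assumes packets arrive as (src, dst, tcp_flags) tuples as a router or probe near the destination would see them; the addresses, sample traffic and thresholds are constructed, and the alert text mirrors the syslog line suggested above.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10          # TCP flag bits

def classify(flags):
    """Map a TCP flag byte to 'SYN', 'SYNACK', 'ACK' or None."""
    if flags & SYN and flags & ACK:
        return "SYNACK"
    if flags & SYN:
        return "SYN"
    if flags & ACK:
        return "ACK"
    return None

def tally(packets):
    """Count handshake segments per server host (the host being connected to).
    SYN and the final ACK travel toward the server; SYN-ACK travels from it."""
    counts = defaultdict(lambda: {"SYN": 0, "SYNACK": 0, "ACK": 0})
    for src, dst, flags in packets:
        kind = classify(flags)
        if kind == "SYN":
            counts[dst]["SYN"] += 1
        elif kind == "SYNACK":
            counts[src]["SYNACK"] += 1
        elif kind == "ACK":
            counts[dst]["ACK"] += 1
    return counts

def syn_ack_alerts(packets, threshold=10, min_syns=20):
    """Return syslog-style alert strings for hosts whose SYN:ACK ratio is
    suspicious; nothing is filtered or shut down, only logged."""
    alerts = []
    for host, c in sorted(tally(packets).items()):
        if c["SYN"] < min_syns:
            continue                       # too little traffic to judge
        ratio = c["SYN"] / c["ACK"] if c["ACK"] else float("inf")
        if ratio >= threshold:
            alerts.append(f"SYN/ACK RATIO {c['SYN']}:{c['ACK']} POSSIBLE HACKER "
                          f"ATTACK toward {host} (syn-ack sent: {c['SYNACK']})")
    return alerts

def make_sample():
    """Constructed traffic: three clean handshakes to 10.0.0.5, then one clean
    handshake plus 32 SYNs with no third ACK to 10.0.0.9 (33:1, as in the thread)."""
    pkts = []
    for i in range(3):
        c = f"192.0.2.{i + 1}"
        pkts += [(c, "10.0.0.5", SYN), ("10.0.0.5", c, SYN | ACK), (c, "10.0.0.5", ACK)]
    pkts += [("192.0.2.50", "10.0.0.9", SYN), ("10.0.0.9", "192.0.2.50", SYN | ACK),
             ("192.0.2.50", "10.0.0.9", ACK)]
    for i in range(32):
        s = f"203.0.113.{i + 1}"
        pkts += [(s, "10.0.0.9", SYN), ("10.0.0.9", s, SYN | ACK)]
    return pkts

if __name__ == "__main__":
    for line in syn_ack_alerts(make_sample()):
        print(line)
```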