[4571] in North American Network Operators' Group


Re: router syn/syn-ack/ack alarming...

daemon@ATHENA.MIT.EDU (Michael Dillon)
Wed Sep 18 13:28:13 1996

Date: Wed, 18 Sep 1996 09:50:08 -0700 (PDT)
From: Michael Dillon <michael@memra.com>
To: "'nanog@merit.edu'" <nanog@MERIT.EDU>
In-Reply-To: <2.2.32.19960918130933.0094efd4@mail.advanced.org>

On Wed, 18 Sep 1996, Guy T Almes wrote:

> the source host.  Syn/synack/ack ratio detection is complementary, since it
> could help detect an attack near the destination host.

It could also help detect an attack near the source host which would help
*GREATLY* in tracing the perpetrator of the attacks. This ratio detection
doesn't need to shut down anything, just syslog the fact so that admins
have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER
ATTACK which will make them sit up and take notice.

Michael Dillon                   -               ISP & Internet Consulting
Memra Software Inc.              -                  Fax: +1-604-546-3049
http://www.memra.com             -               E-mail: michael@memra.com
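
The ratio check described in the message above, sketched as an added example that is not part of the original post: it counts bare SYNs against handshake-completing ACKs per destination and returns a log line when the ratio is high, shutting nothing down. The record layout, the `threshold` and `min_syns` values, and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real traffic), as a router-side observer
# might summarise them: (src, sport, dst, dport, flags); "S" = SYN, "A" = ACK.
def make_sample():
    pkts = []
    # 33 SYNs from varying sources to one target; only one handshake completes
    for i in range(33):
        pkts.append((f"198.51.100.{i + 1}", 40000 + i, "192.0.2.10", 80, "S"))
    pkts.append(("198.51.100.1", 40000, "192.0.2.10", 80, "A"))
    # ordinary client: 3 SYNs, each followed by the completing ACK
    for i in range(3):
        pkts.append(("203.0.113.5", 50000 + i, "192.0.2.20", 25, "S"))
        pkts.append(("203.0.113.5", 50000 + i, "192.0.2.20", 25, "A"))
    return pkts

def syn_ack_ratios(packets):
    """Per destination (ip, port): [SYNs seen, handshakes completed by an ACK]."""
    pending = set()                      # flows with a SYN but no ACK yet
    counts = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, flags in packets:
        flow = (src, sport, dst, dport)
        if flags == "S":
            pending.add(flow)
            counts[(dst, dport)][0] += 1
        elif flags == "A" and flow in pending:
            pending.discard(flow)        # count only the first ACK per flow
            counts[(dst, dport)][1] += 1
    return counts

def alerts(packets, threshold=10, min_syns=20):
    """Return log lines only; the detector takes no blocking action."""
    out = []
    for (dst, dport), (syns, acks) in sorted(syn_ack_ratios(packets).items()):
        ratio = syns / max(acks, 1)      # avoid division by zero
        if syns >= min_syns and ratio >= threshold:
            out.append(f"SYN/ACK RATIO {ratio:.0f}:1 dst={dst}:{dport} "
                       f"syns={syns} acks={acks}")
    return out

if __name__ == "__main__":
    for line in alerts(make_sample()):
        print(line)
```

In a deployment the returned lines would be handed to syslog rather than printed; `min_syns` keeps low-volume destinations from triggering on a few unanswered SYNs.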

