[4575] in North American Network Operators' Group
Re: router syn/syn-ack/ack alarming...
daemon@ATHENA.MIT.EDU (Vern Paxson)
Wed Sep 18 14:24:14 1996
To: Michael Dillon <michael@memra.com>
Cc: nanog@merit.edu
In-reply-to: Your message of Wed, 18 Sep 96 09:50:08 PDT.
Date: Wed, 18 Sep 96 11:12:05 PDT
From: Vern Paxson <vern@ee.lbl.gov>
> have something in their logs like SYN/ACK RATIO 33:1 POSSIBLE HACKER
> ATTACK which will make them sit up and take notice.
I don't see how in reality to make the syn/syn-ack/ack ratio work soundly.
It seems too easy for the cracker to synthesize bogus syn-ack's or ack's to
manipulate the ratio however they please. The bookkeeping to tell a true
syn-ack or ack-syn-ack from a bogus one entails keeping around connection
state, and suddenly the cheap ratio gets expensive.
Vern
