[4579] in North American Network Operators' Group
Re: router syn/syn-ack/ack alarming...
daemon@ATHENA.MIT.EDU (Vadim Antonov)
Wed Sep 18 17:07:04 1996
Date: Wed, 18 Sep 1996 13:32:30 -0700
From: Vadim Antonov <avg@quake.net>
To: almes@advanced.org, amb@xara.net
Cc: nanog@merit.edu, regisdo@microsoft.com
Guy T Almes <almes@advanced.org> wrote:
>        - source address filtering and
>        - syn/synack/ack ratio detection
>are *complementary* approaches, both of which have promise.
Absolutely.
>  Due to asymmetric routes and other reasons, neither seems very promising
>within core routers.
There's also an issue of performance -- you don't want to burden
core routers with filtering.   However, on customer access circuits
it is quite feasible.
>Syn/synack/ack ratio detection is complementary, since it
>could help detect an attack near the destination host.
I actually thought about using it at incoming traffic.  I.e. not
to allow garbage in the backbone in the first place.
On incoming traffic the imbalance may simply trigger an alarm.
>  I am also a bit skeptical about the idea of automatically shutting down
>an interface upon noticing anomalies in the ratios, but that does not
>detract from the value of ratio anomaly detection as a valuable network
>management technique.
I think there's no problem with automatic cut-offs in case of obviously
invalid traffic patterns.  Practically all traffic on customer access
circuits is symmetrical.
The automatic shut-off has the advantage of isolating the problem
(be it an attacker or a workstation going berserk) immediately, where
doing it manually after alarms were tripped may take several hours,
which is clearly unacceptable for most people who use the Internet to do
business.
Performing statistical monitoring of input traffic by multihomed customers
may be a matter of service contract -- in the same place as requirements
to ensure sanity of routing information originated by the same customer.
--vadim
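The SYN/SYN-ACK/ACK ratio check discussed in this thread, worked through on a customer access circuit as an added example (this is not code from the thread or from any NANOG participant). It assumes both directions of the access circuit are visible to the monitor, as the message above argues is the case on customer circuits but not in the core; the packet records, the flag classification, the thresholds, and the "alarm" versus "cutoff" split are all the example's own choices. The sample traffic is constructed inline. Two imbalances are measured: SYNs that never draw a SYN-ACK (or RST) back, which is what a spoofed-source flood leaving the customer looks like, and SYN-ACKs that never draw the final ACK, which is what a half-open flood from the customer's own addresses looks like. A RST reply is counted as an answer so that connections to closed ports are not mistaken for spoofing, and a minimum sample size keeps a quiet circuit from tripping on a handful of packets.

```python
from collections import Counter
from dataclasses import dataclass

# TCP control bits (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Pkt:
    """One TCP segment seen on the access circuit (example record type).
    direction: "in"  = from the customer towards the backbone
               "out" = from the backbone towards the customer
    """
    direction: str
    flags: int


def classify(flags):
    """Map control bits to the segment's role in the three-way handshake."""
    if flags & SYN:
        return "synack" if flags & ACK else "syn"
    if flags & RST:
        return "rst"          # a refused connection still answers the SYN
    if flags & ACK:
        return "ack"          # third handshake step or ordinary data ACK
    return "other"


def count_roles(pkts):
    """Count (direction, role) pairs over one observation window."""
    c = Counter()
    for p in pkts:
        c[(p.direction, classify(p.flags))] += 1
    return c


def evaluate(pkts, min_syns=20, cutoff_syns=200,
             answered_floor=0.1, alarm_floor=0.5):
    """Return (verdict, stats) for one window of traffic.

    verdict is "ok", "alarm" (imbalance worth a look) or "cutoff"
    (large volume, almost nothing answered: obviously invalid traffic).
    Thresholds are illustrative assumptions, not values from the thread.
    This only works where traffic is symmetric, i.e. on an access circuit,
    not on a core router that sees one direction of an asymmetric route.
    """
    c = count_roles(pkts)
    syn_in = c[("in", "syn")]                       # attempts leaving the customer
    synack_out = c[("out", "synack")]                # replies coming back to them
    answered = synack_out + c[("out", "rst")]        # SYN-ACK or RST both count
    ack_in = c[("in", "ack")]                        # completions (and data ACKs)

    stats = {"syn_in": syn_in, "answered": answered,
             "synack_out": synack_out, "ack_in": ack_in}
    if syn_in < min_syns:
        return "ok", stats                           # too little data to judge

    answered_ratio = min(answered / syn_in, 1.0)
    # ack_in includes data ACKs, so cap at 1.0; undefined if nothing came back
    completed_ratio = min(ack_in / synack_out, 1.0) if synack_out else None
    stats["answered_ratio"] = answered_ratio
    stats["completed_ratio"] = completed_ratio

    if answered_ratio < answered_floor and syn_in >= cutoff_syns:
        return "cutoff", stats
    if answered_ratio < alarm_floor or (
            completed_ratio is not None and completed_ratio < alarm_floor):
        return "alarm", stats
    return "ok", stats


# --- constructed sample traffic (not captured data) -------------------------

def _handshakes(n, completed=True, data_acks=2):
    pkts = []
    for _ in range(n):
        pkts.append(Pkt("in", SYN))
        pkts.append(Pkt("out", SYN | ACK))
        if completed:
            pkts.append(Pkt("in", ACK))
            for _ in range(data_acks):
                pkts.append(Pkt("in", PSH | ACK))
                pkts.append(Pkt("out", ACK))
    return pkts


def sample_normal():
    """30 completed connections plus 5 refused ones (SYN answered by RST)."""
    refused = [p for _ in range(5) for p in (Pkt("in", SYN), Pkt("out", RST | ACK))]
    return _handshakes(30) + refused


def sample_spoofed_flood():
    """500 spoofed-source SYNs leave the customer; only 3 real handshakes."""
    return [Pkt("in", SYN)] * 500 + _handshakes(3)


def sample_half_open_flood():
    """SYN-ACKs do come back (real source addresses) but are never acknowledged."""
    return _handshakes(100, completed=False) + _handshakes(2)


def sample_quiet():
    """A few unanswered SYNs on an otherwise idle circuit: not enough to judge."""
    return [Pkt("in", SYN)] * 5


if __name__ == "__main__":
    for name, sample in [("normal", sample_normal()),
                         ("spoofed flood", sample_spoofed_flood()),
                         ("half-open flood", sample_half_open_flood()),
                         ("quiet", sample_quiet())]:
        verdict, stats = evaluate(sample)
        print(f"{name:16s} -> {verdict:7s} {stats}")
```

The "cutoff" verdict is deliberately reserved for the case the message calls obviously invalid (high volume and almost no answers), while a moderate imbalance only raises an alarm; a half-open flood from the customer's own addresses passes the answered check and is caught by the completion ratio instead.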